ALERT: Time to make sure your organisation complies with the new EU data laws
Implications of the EU General Data Protection Regulation
DOES your permaculture, fair food or other organisation have members or subscribers living in the EU?
If so, your organisation will be affected by the EU’s General Data Protection Regulation (GDPR) that comes into effect on 25 May this year.
The Regulation is designed to protect the personal information of EU citizens.
Personal information is defined as any information related to a person that can be used to directly or indirectly identify that person.
Although this is an EU regulation, its jurisdiction is global. That means your organisation is within EU legal jurisdiction if you have members or subscribers, or do business with people living in the EU, and keep personal data that identifies them directly or indirectly.
The GDPR website FAQs put it this way:
“The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
I understand the Regulation applies not only to companies but to other types of organisations collecting and holding the personal data of EU citizens.
Any business or organisation offering goods or services on the internet is a de facto global organisation because the internet is a global system.
What GDPR means for Organisations
The GDPR stipulates:
Organisations are to supply details on data the organisation holds about EU citizens on request from those citizens.
Citizens can ask that their data be deleted. This right is weighed alongside any public right to know that information.
According to Geekwire —
“…anyone collecting personal data of European Union members over the internet must spell out exactly what they are doing with that data and why “using clear and plain language”
That is, no legalese and no:
EU citizens must be informed of any data breach within 72 hours. This includes hacks and data theft.
Organisations must ask for explicit permission from an individual to collect and maintain their personal information.
“before processing any personal data, a business must ask for explicit permission from the subject”.
The legal consequences of failing to comply with the Regulation are substantial and can be found on the GDPR website.
The GDPR updates the EU 1995 Data Protection Directive that applied only to organisations based in the EU.
More on the Directive: https://en.wikipedia.org/wiki/Data_Protection_Directive
Who will be affected?
Only organisations with EU-based members or subscribers, or having business relationships with EU citizens come under the GDPR.
Taking Australia-based permaculture organisations as an example, we can speculate that those that may have to change their data management to comply with GDPR might include International Permaculture Day; the Permaculture Research Institute; PIP magazine if it has subscribers in the EU; Holmgren Design Services if it exports books directly to EU purchasers (rather than distributing through an EU-based agency that will itself have to comply with GDPR); and permaculture educators who hold personal information on EU-based students (including those offering online permaculture courses).
These organisations and businesses will have to rewrite their privacy policies in plain language, spelling out why they ask for personal details and asking for specific permission to hold that data on EU citizens. For membership organisations this could mean rewriting member application forms so that they spell out that information and ask for only the minimum personal information.
Introduction of the GDPR comes at a time when the security of personal information held by global corporations is in the news thanks to revelations about the Cambridge Analytica/Facebook misappropriation of personal data.
Concerns over privacy of personal data in the EU and elsewhere predate the misappropriation.
The requirements of the GDPR can be adopted by organisations without links to EU citizens as a structure for safeguarding personal information and access to it by individuals. Organisations changing their privacy practices to comply with GDPR could use it to demonstrate their commitment to personal privacy.
Information about the European Union’s General Data Protection Regulation
GDPR website: https://www.eugdpr.org/eugdpr.org.html
GDPR website FAQs: https://www.eugdpr.org/gdpr-faqs.html