Working with data hasn’t gotten any easier since the General Data Protection Regulation (GDPR) went into effect in May. While the European Union’s new regulation has put powerful enforcement mechanisms into place for the people who live there, there’s no simple answer for those outside the EU. Complicating things even more, the California legislature just passed a state privacy law with many GDPR-like requirements.
Regulatory compliance aside, the values that drive GDPR are relevant to all nonprofits, whether they realize it or not. GDPR is a prompt for organizations everywhere to reexamine the ethics and effectiveness of their own data practices. It’s why we launched a curated hub of nonprofit-focused GDPR resources, to learn how the sector is navigating these new privacy regulations.
Despite the strength of their capacity-building infrastructure, US nonprofits aren’t any less susceptible to data breaches, cyber attacks, or otherwise well-intentioned misuse of data. Whether or not you have a handle on data in your workplace, these four podcasts on data privacy and security (each with its own takeaway) will help to demystify what’s become one of the most important topics of our time.
Whole Whale Podcast 093: All about GDPR with Stanford PACS
Takeaway: Be deliberate about how you use digitized data and digital infrastructure. “Think about how your life has changed since you got a cell phone,” says Lucy Bernholz, director of the Digital Civil Society Lab at Stanford PACS. In this conversation with Whole Whale’s George Weiner (44:38), Bernholz suggests that technology and convenience have brought about a kind of naiveté in the sector that puts nonprofits and those they serve at risk. “We’ve all become truly dependent on these devices and the things they allow us to do, and those devices and the software that run them are designed to make it as easy as possible for us to use them, which means we really don’t have to understand what’s going on,” she says. “Long before we were dealing with digitized data, we were well aware of the power of information, and now we’ve got that information in a digitized form.” For nonprofits, “it’s not just about managing the data on your own cell phone (your own data), you are now in charge of managing data about other people, from other people.”
Privacy Advisor Podcast: The Privacy Profession Needs a Code of Ethics
Takeaway: Yes, ethics do matter. In this IAPP privacy podcast (48:59), Tracy Ann Kosa, Senior Program Manager at Google and Non-Resident Fellow at the Digital Civil Society Lab at Stanford PACS, shares an early experience with data loss, when a broken hard drive with a wealth of personal information mysteriously made its way more than 1,000 miles away. The sobering event jump-started a journey that led her to a groundbreaking government health privacy initiative in Canada, and her career as a privacy advocate took off. Years later, Kosa sees the profession growing further away from its roots in advocacy toward a future clouded in compliance. “I think we’re losing the face of the data subject,” she says. Her solution? Develop a code of ethics based on the ideals of privacy professionals. “That’s exactly what we need. That is the next logical step in the evolution of a profession.”
Field Notes in Philanthropy Episode 4: That’s a Lot of Letters
Takeaway: It helps to understand what’s happening in the EU, even if you’re not based there. Jason Bryce of the UK-based Charities Aid Foundation says GDPR has been a challenge, calling it “the most heavily lobbied piece of legislation the European parliament has ever seen,” despite a relative marginalization of nonprofits. In this podcast from the Johnson Center and WGVU Public Media (35:06), Bryce joins an expert panel to demystify “structured” vs. “unstructured” data, explain why nonprofits everywhere should consider how and with whom they exchange and collect data, and to consider the eventuality of a similar policy in the United States. Bryce, who oversees efforts to understand the regulation, thinks GDPR will prove advantageous for UK organizations. In the end, it boils down to empathy. “Often, our fallback has been [to ask], ‘how would we want to be treated as individuals?’”
Data Privacy and Security: From Mandate to Mission
Takeaway: Now is the time to get responsible with your data. Nonprofits are more powerful than they know. In a podcast from SSIR’s Data on Purpose conference (58:46), Alix Dunn (The Engine Room) and Amy O’Donnell (Oxfam) introduce an emerging philosophy that’s changing the face of nonprofit data. Similar to how they take care with their finances and human resources, nonprofits should also exercise responsibility with their data. So, what exactly is responsible data? Dunn defines it as “a rights-based approach to thinking about data in our work. Generally speaking, it’s making sure that our methods aren’t undermining our mission.”
O’Donnell, one of the movement’s “most avid and effective ambassadors,” has helped to transform how her organization, Oxfam, is working with data. Affiliates from all over the world have come together with program managers and humanitarians on the ground to drive a process she describes as “pragmatic, operational, and multifaceted.” Strength in numbers. But in the world of responsible data, convening is only the first step. O’Donnell says the process comes down to asking, “what data are you collecting, why are you collecting it, who needs to see it, do you really need to collect it, does it already exist somewhere, and can we do something to refine it?”
With great power comes great responsibility. Another powerful facet of “responsible data” is that from an organizational perspective, it can take on different meanings for different people. Dunn describes it as an exercise in prioritization. “We were building all of these new ways of collecting a lot of information but not building new ways of considering how to use that information in ways that aligned with our mission… and we thought that was strange and completely insufficient for civil society,” she says. “We realized that [we] had an opportunity…to positively model how we thought data should be used in civil society.”