[00:00] Chris Delatorre: This is Digital Impact. I’m Chris Delatorre.
Heather Noelle Robinson: And I’m Heather Noelle Robinson.
Chris Delatorre: And we’re bringing you a special miniseries on the GDPR. One year after the EU General Data Protection Regulation – or GDPR – went into effect, we wanted to know – how has the regulatory landscape of data privacy and protection changed? How are organizations responding?
Heather Noelle Robinson: And what might be in store for the future of data collection and privacy.
Chris Delatorre: So, look for a few short episodes in your feed over the next few days.
Heather Noelle Robinson: Let’s start with the basics. Chris, can you introduce us to the GDPR and what it does?
[00:39] Chris Delatorre: The GDPR went into effect on May 25th 2018. The regulation mandates a baseline set of standards for organizations that handle the data of persons residing in the European Union. It requires organizations to protect the personal data and privacy of EU residents. And this goes for organizations that operate inside and outside the EU.
Heather Noelle Robinson: And why did the EU put this law into place? What’s the big picture goal?
Chris Delatorre: Well, the main aim of the regulation is to better safeguard the processing and movement of personal data. If you think back about a year ago, you may have noticed a lot of pop-ups and banners on websites asking you to opt in to their privacy policies. That’s the GDPR at work.
Heather Noelle Robinson: So opting in to data collection (as opposed to opting out) is a feature of the GDPR. But it’s a lot more than that.
Chris Delatorre: Absolutely. One of our partner organizations, The Engine Room, describes the GDPR as “a promising step in the direction of taking a rights-based approach to working with data.”
Heather Noelle Robinson: And this is in line with your values if you’re a people-driven organization, and your mission relies on collecting, sharing, and protecting data.
Chris Delatorre: As our very own Lucy Bernholz outlined before the new law went into effect, the GDPR provides a framework and a set of user-centered guidelines about data that may just align with that mission.
[02:01] Heather Noelle Robinson: But Chris, we’re in America (specifically at Stanford in northern California – Go Cardinal) – so why should we care?
Chris Delatorre: Well, again, the regulation applies to organizations operating inside and outside the EU. And it protects everyone residing in the European Union – even non-citizens. Since most data collection nowadays happens online, the GDPR applies to nonprofits here in the United States and to NGOs working abroad.
Heather Noelle Robinson: Right, so if I got a job in Paris, and I was living there – but I visited the website of a nonprofit in the United States, like to give a donation to a food bank in the town where I grew up, then the GDPR would apply to me.
Chris Delatorre: And more importantly, it would apply to that nonprofit’s collection of your data – like your name, credit card information, address, and any cookies their website uses to track you around the internet.
Heather Noelle Robinson: Alright, now that we’ve got the basics, let’s hear from the experts.
Chris Delatorre: There was a lot of fear and uncertainty about the GDPR, especially in the social sector, as it was going into effect a year ago. Here we have Bryan Breckenridge of Box.org talking about the response from their audience.
[03:15] Bryan Breckenridge: GDPR readiness is something we’ve prioritized at Box, so when we were putting out content about that, we literally got more traffic to our blog and to our websites than when we covered when Beyonce released her secret album on her website using Box. So GDPR was literally more popular as a topic for our community than when we helped Beyonce get her secret album off her website and out into the public, years in advance of that.
Heather Noelle Robinson: I love that! The GDPR is more popular than Beyonce.
Chris Delatorre: But it’s different than Beyonce, obviously – the response Bryan describes gives us an idea of the anxiety throughout the social sector. A lot of organizations were worried about compliance, understanding the law, and how to build the expertise on their teams to respond to it.
Heather Noelle Robinson: What about an example of a specific nonprofit and what they did to prepare for the GDPR?
Chris Delatorre: I talked to Jeff Warren at Public Lab about how his small team is dealing with this massive shift. Here he describes how they evaluated their current data collection, and how consent plays into that.
Chris Delatorre: At Public Lab, they’re collecting a lot more than someone’s name and email address – they work on citizen science projects.
Heather Noelle Robinson: And science can’t exist without data!
Chris Delatorre: So they have contributors from around the world, constantly uploading new data, and that data could be anything from geographical data, to personally identifying data, to the story of a particular environmental concern within a specific community. So the GDPR would affect the most important aspects of that data collection.
Heather Noelle Robinson: Jeff also makes some important points in that clip – especially that GDPR was intended to create consequences (like fines) for big companies, but it’s written in such a way that everyone has to comply.
Chris Delatorre: A lot of small organizations are feeling the impact of that. And there are a few other things about it that make it less than perfect.
Heather Noelle Robinson: Let’s listen to what Tris Lumley at New Philanthropy Capital says about GDPR, and whether it’s effective.
[06:20] Tris Lumley: So I think GDPR is a good thing, in theory. As we’re interested in strengthening people’s rights and it’s a set legislation focused on individuals’ rights. But I think I’m not sure it’s achieved any of its kind of deeper purpose, certainly yet. I think the main changes that you’ve seen in the nonprofit sector are: A. everyone freaking out for a while and all boards having a session about data – “ah, data!” – purely about compliance. So, I’ll come back to that because it’s been about compliance, it’s not been about the opportunity of data. So, freaking out about that, and then the result being that everyone’s got a much smaller reach.
[07:11] Heather Noelle Robinson: What Tris means by social sector organizations having less reach is that many people have dropped off of email marketing lists (for example), or donor lists, or simply unsubscribed from everything when a nonprofit suddenly asked them for consent to collect their data.
Chris Delatorre: Which is what all those pop-ups were about. Like we said, the regulation isn’t perfect. But it’s a start.
Heather Noelle Robinson: So quick recap.
Chris Delatorre: The GDPR intended to give individual people more control over their data, while holding big companies accountable with consequences like fines.
Heather Noelle Robinson: But social sector organizations have had to change their operations to comply with the law. And many small groups have struggled with the capacity and expertise to comply.
Chris Delatorre: Next time, we’ll go deeper into that very issue. On the one hand, compliance has been a challenge for social sector organizations.
Heather Noelle Robinson: On the other hand, doing a full audit of your data practices and consent policies can be a really good thing – an opportunity to make sure you’re handling data responsibly.
Chris Delatorre: Thank you, Heather.
Heather Noelle Robinson: Thank you, Chris.
Chris Delatorre: And a special thanks to Bryan Breckenridge at Box.org, Jeff Warren at Public Lab, and Tris Lumley at New Philanthropy Capital. Thanks for joining us, we’ll see you next time on the Digital Impact podcast.
Digital Impact is a program of the Digital Civil Society Lab at the Stanford Center on Philanthropy and Civil Society (Stanford PACS). Follow this and other episodes at digitalimpact.io and on Twitter @dgtlimpact with #4Q4Data.