Skip to content

GDPR One Year Later, Part 2

4Q4 Podcast, Field Notes

In the second of a three-part series, data experts connect current practices to challenges and opportunities brought about by the GDPR.

Digital Impact 4Q4 Podcast: GDPR One Year Later, Part 2


00:00 CHRIS DELATORRE: This is Digital impact. I’m Chris Delatorre.

HEATHER NOELLE ROBINSON: And I’m Heather Noelle Robinson.

CHRIS DELATORRE: This is the second part of a special miniseries on the European General Data Protection Regulation – commonly known as the GDPR. If this is your first time joining us for this series, we recommend starting with part one.

HEATHER NOELLE ROBINSON: In this episode, we’re going to focus on where we are now. What kind of challenges – and opportunities – is the social sector still finding with the GDPR? But before we get into the episode, quick reminder that we have resources available at

00:39 CHRIS DELATORRE: But first, let’s hear about the challenges social sector organizations are facing. You may remember from last time how small organizations are also expected to comply with this regulation, and the anxiety around building both capacity and expertise.

HEATHER NOELLE ROBINSON: And it hasn’t just been one time changes – like updating a privacy policy or adding another check box on a consent form. There’s a continued awareness many NGOs have to maintain. Here’s how Jeff Warren from Public Lab describes that need at his organization.

JEFF WARREN: And we have to read our own privacy policy regularly to understand it and make sure we’re following it. That’s good, that’s a good living document, you know? Or like a – not living because we’re changing it but living because we’re reading it all the time.


GDPR One Year Later, Part 1: Philanthropy data experts recall what happened when the GDPR went into effect.

CHRIS DELATORRE: I think this falls into both the challenge and opportunity categories – it’s a challenge to protect user privacy and stay aware of compliance. And, as Jeff mentions, it’s a living document that affects their operations and relates to their mission. Plenty of opportunities there.

01:42 HEATHER NOELLE ROBINSON: And back to the challenges: there’s the threat of fines for violating the GDPR. Let’s hear from Samantha Brown at Doteveryone on what this might look like for nonprofits.

SAMANTHA BROWN: What I think was so interesting is, in GDPR coming in the way that it did with its incredible massive fines – which to in particular for a not-for-profit would be entirely unmanageable or crippling – the need to get it right was very high. And so quite a lot of nonprofits and other companies really had to sit down and kind of reckon and ask themselves, why are we collecting this data in the first place?

CHRIS DELATORRE: Samantha’s honesty is helpful here because I think this idea of ‘more is better’ could actually be hurting organizations that are missing a clear plan of action. Even a one-page inventory could be enough to set the tone for responsible data, where software choices, internal policies and workflows reflect what the organization is getting right and what it could be doing better. And if the idea of managing digital data is new to your organization, the Digital Impact toolkit can help.

HEATHER NOELLE ROBINSON: That’s at Let’s go back to Jeff Warren. He also told us about the challenge of becoming dependent on technology created by other companies.

03:09 JEFF WARREN: We don’t get raw access to Google Analytics data, right? So, in a sense, for us to comply with the GDPR means that we are working around a big black box of whether Google is complying with the GDPR. And the recommendations around that are really obscure. And this is actually part of our research. People say, well, probably to comply with the GDPR you should change this obscure setting in Google Analytics so that it discards the last three digits of your IP address. So you’re just not collecting that.

Google itself and these other entities like Facebook were not forthcoming about how they are enabling everyone using their platforms to respect people’s privacy and comply with the GDPR. And so as a small player in this field that was I think quite challenging. And I’m curious to see if Google’s going to be held accountable for that, you know. Maybe they’ve done a good job, maybe they have good lawyers but like we’re sort of playing out the effects of this in the world because we use their platforms. And we try to do so in a way that’s respectful of privacy but we literally can’t see what they’re storing.

HEATHER NOELLE ROBINSON: So even if you’re doing the best you can to stay aware of how you’re handling data, and you get it right (so you don’t get fined), there’s still some risk, since we have to trust that these other technology products are GDPR compliant, too.

04:24 CHRIS DELATORRE: And now for the opportunities. I spoke with Samantha Brown at Doteveryone for a recent 4Q4 podcast. Her organization introduced consequence scanning, a way for tech teams to consider the potential consequences of their products or services on people and society. As an organization operating in Europe, Doteveryone had a lot to gain by following the GDPR’s principles even before the new law went into effect.

SAMANTHA BROWN: GDPR really caused you to have to stop and reflect on what that data was actually adding value to, whether it was adding value to the users that you were working with or adding value to your own operations, and allowing you to deliver better services for those people, or if it was adding value to the communities that you were doing and how it matched up with the vision of your organization and the strategies that you had in place for the various digital products that you were offering.

HEATHER NOELLE ROBINSON: And again, this opportunity is the flip side of one of the challenges of the GDPR – staying aware of how and why you’re collecting data in the first place.

05:36 CHRIS DELATORRE: But not everyone agrees this kind of thoughtful approach is happening. Tris Lumley at New Philanthropy Capital sees it as a missed opportunity.

TRIS LUMLEY: The problem with it being seen by charities as a compliance thing rather than an interesting opportunity or a positive piece of legislation, I don’t think there’s been much focus on data about service users [as] primary constituents, it’s all been on the donor side. That’s like, that’s the secondary business of nonprofits. So, that’s a big opportunity missed so far. There’s an interesting space now where everyone’s done kind of a data audit of some, to some extent. I think that’s a really interesting opportunity to then bring them into all of these conversations and say, what do we want to do with our data? What’s our data strategy over the next three years alongside our strategy? And actually to build something from that but that’s not happening. So a bit of an opportunity for, maybe for us as a consultancy and others to come in and say, look we can help you think about this stuff.

06:37 CHRIS DELATORRE: It’s interesting how we have these differing perspectives on how the social sector is using this opportunity to slow down, and make data management more responsible. From the challenges we talked about – staying aware of data privacy, and the pressure to get it right – it’s no surprise Tris has seen so many compliance-driven conversations.

HEATHER NOELLE ROBINSON: But on the other hand, this opportunity is really intertwined with those compliance issues, so that’s where Samantha’s perspective on thoughtful data comes in.

CHRIS DELATORRE: Here’s another way to think about that opportunity of “thoughtful data.” I talked to Laura Guzman at The Engine Room about the “push and pull” of efficiency vs privacy, no doubt a source of anxiety for many organizations.

07:19 LAURA GUZMAN: And I think part of it for me – this is a bit my own, wearing my own hat as I say this – thinks that that additional friction is good because we’ve so often assumed that efficiency is the way to go. That by reinserting questions of responsibility and privacy and like all of that requires a lot of thoughtfulness, especially because we’re dependent on these tools. And that will require time. And that might mean you don’t respond to as many emails. And I don’t think that should be a reason for stopping.

CHRIS DELATORRE: So, the opportunity here, is the ability to step back and be mindful about how and why you manage your data.

HEATHER NOELLE ROBINSON: But the challenge is not responding to email as quickly. In a broader sense, it really is a challenge to let go of the idea of efficiency. Sometimes it’s a better way to meet your organization’s mission. But we understand how it’s still a struggle.


Digital Impact’s Lucy Bernholz sees the GDPR as a framework that may align with your mission.

CHRIS DELATORRE: The Digital Impact toolkit has a variety of tools to help address both the opportunity and challenge of slowing down and being responsible about data. Our privacy template is a great start to ensuring website compliance, and our intellectual property templates are a helpful reminder that we’re all part of an ecosystem with ownership rules and tradeoffs. And again, you can find these and other resources at

08:41 HEATHER NOELLE ROBINSON: But sorry, we can’t help you answer that backlog of email.

CHRIS DELATORRE: Which reminds me, I really should be getting back to that.

HEATHER NOELLE ROBINSON: Alright thanks, Chris.

CHRIS DELATORRE: Thank you, Heather. And a special thanks to Jeff Warren at Public Lab, Samantha Brown at Doteveryone, Laura Guzman at The Engine Room, and Tris Lumley at New Philanthropy Capital. Thanks for joining us, and we’ll see you next time on the Digital Impact podcast.

Digital Impact is a program of the Digital Civil Society Lab at the Stanford Center on Philanthropy and Civil Society. Follow this and other episodes at and on Twitter @dgtlimpact with #4Q4Data.