On May 23, DevResults hosted a discussion on the EU’s General Data Protection Regulation (GDPR). In partnership with Sonjara and SurveyCTO, we wanted to bring together our clients, partners, and the international development community to discuss GDPR and its implications for the community as a whole.
With just two days to go before the law came into effect, the room was a mixture of stress, excitement, and uncertainty. Our speakers-- Britanie Hall, Senior Associate at Hogan Lovells; Ritika Bhasker, Data Scientist and Data Protection Officer at DevResults; Siobhan Green, CEO at Sonjara; Audra Blanchfield, Relationship Manager at SurveyCTO-- and guests carried on a conversation that was engaging for all who were present.
The conversation covered what compliance will entail and, as promised, offered answers, tips, and tools to burning questions. It also got to the core of why GDPR matters and, most importantly, why the international development community and we, as individuals, should care about it.
Below are a some of the key takeaways, but you’ll want to watch the entire discussion for yourself.
1 GDPR is about accountability and protection
“The goal of the law is to put individuals in control of their data.”
The stiff fines that GDPR will impose on non-compliant organizations have everyone worried, which is fair. However, talk and fear of hefty fines should not cloud what the GDPR is about: ensuring that organizations protect the personal data entrusted to them, and giving individuals greater say over what the organizations do with this data.
With the increasing digitization of our lives, so much of our information -- banking records, hospital records, photos on social media, etc. -- exists in a shareable format. We’ve seen millions of people have their data compromised. As a result, there are increasing concerns about data privacy and data security.
Article 8 of the EU Charter of Fundamental Rights has declared data protection to be a fundamental right for EU residents. This recognition of protection of data as a human right necessitates the GDPR, which forces organizations to be accountable for the data they handle and also entrenches individuals’ right over their data.
GDPR is not about inconveniencing organizations, it’s about holding them accountable for protecting people’s information.
2 Similar protections are coming
“GDPR is a wake-up call for the international development community.”
There is no avoiding it. The GDPR is ushering in the new way that data protections are going to be handled. Avoiding the responsibility to enforce better data protection protocols because your organization or team has no EU affiliations is a terrible strategy.
GDPR should be the wake up call to act because more countries will follow suit. So, whether your organization works in Asia, Sub-Saharan Africa, or Latin America, it’s only a matter of time before you have to be accountable for protecting the data that you use.
3 Data protection should be a priority
“You should be encrypting your data, you should be doing all these things.”
Beyond the law, data protection should be a priority for numerous reasons.
Protecting citizens’ data is the responsible thing to do, whether or not the laws of the countries where development projects are implemented mandate these protections. Development organizations often work with vulnerable populations that could be put in harm’s way if their data were leaked. As a result, teams should be mindful of what could happen if this information got into the wrong hands.
Beyond life or death situations, the data that organizations collect creates knowledge about what works and what doesn’t when it comes to humanitarian work. To lose this information is to lose very valuable knowledge and violate the trust that beneficiaries place on development organizations and their work.
4 Your organization can make immediate and manageable changes
Complying to the GDPR isn’t all consulting with lawyers and investing in data encryption and other technology. Those options are recommended, but there are other cheaper and simpler changes that organizations and individuals can make in the name of data responsibility.
Plan ahead and build data management audits and assessments into every activity.
Think about granularity. Does your data really need to be disaggregated at such minute levels?
If you do work on your mobile phone, set-up a password.
Don’t send sensitive information via emails.
GDPR is a good step forward for ensuring that organizations take concrete measures to guard the data they have been entrusted with. We hope that our event inspired those present to think about the steps that they and their teams will be taking to enforce data security.
For our part, DevResults is taking GDPR seriously and has already made changes that reflect this. We will continue updating our blog to share our progress and look forward to keeping this conversation going.