- GDPR (General Data Protection Regulation) was the hottest keyword this May. That is because the deadline to comply with GDPR was on May 25th.
A lot of you may already be aware of GDPR and what it means to your organization. But if you have been wondering whats going on. Here is a quick run through of the absolute essentials.
So here we go.
The General Data Protection Regulation was introduced to unify all EU member states’ approaches to data regulation, ensuring all data protection laws are applied identically in every country within the EU. It will protect EU citizens from organizations using their data irresponsibly and puts citizens in charge of what information is shared, where and how it’s shared.
Complying with GDPR is vital. Any business found not sticking to the rules could be charged fines of up to €20 million or 4% of the company’s global annual turnover, though the toughest fines will be reserved for the worst data breaches or data abuse.
A keyword you need to know is ‘Personal Data’. The line that demarcates the scope of personal data is a little blurred, so you need to use your best judgment and err on the side of caution.
Personal data means any information relating to an identifiable natural person.
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses.
- Looks, appearance, and behavior, including eye color, weight, and character traits.
- Workplace data and information about education, including salary, tax information, and student numbers.
- Private and subjective data, including religion, political opinions, and geo-tracking data.
- Health, sickness, and genetics, including medical history, genetic data and information about sick leave.
The scope of GDPR covers a lot, if not all things under the sun from how you store social security numbers, to how the user should opt-in for emails. But not all of it might be relevant to your school.
As of today, GDPR applies to all companies processing and holding the personal data of people residing in the European Union, regardless of the company’s location. So technically, if you are collecting data from someone in the USA, in the USA, you may not need to comply with the GDPR. But we wouldn’t recommend anybody to take that gamble. Plus, we are all in for respecting a person’s privacy.
Now that we know what kind of data we are talking about, let’s dig a little deeper.
Data subject, Data Processors, and Data Controllers
There may be multiple people and organizations that have access and use the data. There are 3 terms you need to be aware of:
- Data Subject – Whose data are we talking about?
In an alumni relations context, this is the constituent.
- Data Controller – Who is the one using the data? This is you. Since the data is being used to send emails to, run reports on etc. You are the controller of the data.
- Data Processor – Who else is involved in helping you process the data?This is Us. Almabase, Blackbaud, MailChimp, Eventbrite, and mostly all the services you use are referred to as the Data Processor.
Now that we have that cleared out. Here are the privileges and responsibilities for each of them.
Essentially, The data controller(Your organization) and the data processor(Almabase) have to ensure that none of the rights of the Data subject are denied.
- Right to portability: If your alumni want to move their data from your network to another network, they should be able to do it. This is uncommon in the alumni relations context because since they graduated from your school, they may not have an option to move to another competing alumni network. But even so, this is possible with Almabase.
Right to correction: The constituent should be able to correct any data on file. Since all users on Almabase are able to edit their profile, you are GDPR compliant here as well.
- Consent: The constituent should give their explicit affirmative consent to allow your organization to process their data. No trickery or deception should be employed to gather their consent. We’ve made changes to the sign-up flow and the profile edit page to comply with this regulation. So we got you covered here as well.
- We’ve made changes to the users’ communication preferences to make sure that your organization is GDPR compliant.
- We have made sure that you as the organization has the right to permanently delete all or some of the data you have on Almabase if you choose to do so.
- We have a new Data Protection Officer to lead our data security program.
- For our partners in the USA, all your data is stored within the EU-US shield, which allows for data of alumni residing in the EU or of those who are EU citizens to be stored in the US.
- We have verified that all our vendors are GDPR compliant. So at no point in the chain is the data shared with anyone that is not GDPR compliant.
- We are obliged to use the data to fulfil our contracted services, and following your written instructions. If we’re legally obliged to process data in any other way, we’ll let you know.
- Keep the data we have secret. That applies even after you end your contract with us.
- We take particular care when it comes to the risks surrounding data processing. We look at the potential consequences of destruction, loss, accidental or unlawful changing of personal data, and un-authorized access to personal data.
- Like its always been, we never share data with people unrelated to the service we provide. But you (as the data controller) can give us permission to use another data processor. They’d be a subcontractor.
- We must tell you who they are at least one month before we start using them.
Well, it’s not that simple. GDPR does set the standard, but if you choose to download personal data from Almabase, and share with someone else for a purpose that the constituent did not agree to, you could be in violation, and the fines could still apply.
For instance, if you purchased a list to send emails to your constituents, that could mean that the person did not explicitly consent to receive emails from you, and therefore you could be in violation.
If you have any questions about how your alumni network can be compliant, feel free to reach us at firstname.lastname@example.org