GDPR (General Data Protection Regulation) was the hottest keyword this May. That is because the deadline to comply with GDPR was on May 25th.
A lot of you may already be aware of GDPR and what it means to your organization. But if you have been wondering what's going on, here is a quick run-through of the absolute essentials.
So here we go:
What is GDPR?
The General Data Protection Regulation was introduced to unify all EU member states’ approaches to data regulation, ensuring all data protection laws are applied identically in every country within the EU. It will protect EU citizens from organizations using their data irresponsibly and puts citizens in charge of what information is shared, where and how it’s shared.
Complying with GDPR is vital. Any business found not sticking to the rules could be charged fines of up to €20 million or 4% of the company’s global annual turnover, though the toughest fines will be reserved for the worst data breaches or data abuse.
That sounds bad. What kind of data are we talking about?
A keyword you need to know is ‘Personal Data’. The line that demarcates the scope of personal data is a little blurred, so you need to use your best judgment and err on the side of caution.
Personal data means any information relating to an identifiable natural person.
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Here is a non-exhaustive list of what could constitute Personal Data:
- Biographical information or current living situation, including dates of birth, Social Security numbers, phone numbers and email addresses.
- Looks, appearance, and behavior, including eye color, weight and character traits.
- Workplace data and information about education, including salary, tax information, and student numbers.
- Private and subjective data, including religion, political opinions, and geo-tracking data.
- Health, sickness, and genetics, including medical history, genetic data and information about sick leave.
The scope of GDPR covers a lot, if not all things under the sun, from how you store Social Security numbers to how users should opt in for emails. But not all of it might be relevant to your school.
As of today, GDPR applies to all companies processing and holding the personal data of people residing in the European Union, regardless of the company’s location. So technically, if you are collecting data from someone in the USA, within the USA, you may not need to comply with the GDPR. But we wouldn’t recommend that anybody take that gamble. Plus, we are all in for respecting a person's privacy.
Hmmm. What else should I be aware of?
So now we know what kind of data we are talking about. Let’s dig a little deeper.
Data subject, Data Processors, and Data Controllers
There may be multiple people and organizations that have access to and use the data. There are 3 terms you need to be aware of:
Data Subject – Whose data are we talking about?
In an alumni relations context, this is the constituent.
Data Controller – Who is the one using the data?
This is you. Since the data is being used to send emails, run reports, etc., you are the controller of the data.
Data Processor – Who else is involved in helping you process the data?
This is us. Almabase, Blackbaud, MailChimp, Eventbrite, and almost all the services you use are referred to as the Data Processor.
The rights of your constituents
Now that we have that cleared up, here are the privileges and responsibilities for each of them.
Essentially, the data controller (your organization) and the data processor (Almabase) have to ensure that none of the rights of the Data Subject are denied.
Here are the rights your constituents have with respect to their personal data:
- Right to portability: If your alumni want to move their data from your network to another network, they should be able to do it. This is uncommon in the alumni relations context because, having graduated from your school, they may not have an option to move to another competing alumni network. But even so, this is possible with Almabase.
- In addition to that, users can view all the information they have submitted from their profile. So you are covered here too.
- Right to correction: The constituent should be able to correct any data on file. Since all users on Almabase are able to edit their profile, you are GDPR compliant here as well.
- Consent: The constituent should give their explicit affirmative consent to allow your organization to process their data. No trickery or deception should be employed to gather their consent. We’ve made changes to the sign-up flow and the profile edit page to comply with this regulation. So we’ve got you covered here as well.
So what is Almabase doing as a Data processor to be GDPR compliant?
- We’ve made changes to the users’ communication preferences to make sure that your organization is GDPR compliant.
- We have made sure that you, as the organization, have the right to permanently delete all or some of the data you have on Almabase if you choose to do so.
- We have a new Data Protection Officer to lead our data security program.
- For our partners in the USA, all your data is stored within the EU-US shield, which allows for data of alumni residing in the EU or of those who are EU citizens to be stored in the US.
- We have verified that all our vendors are GDPR compliant. So at no point in the chain is the data shared with anyone that is not GDPR compliant.
- We are obliged to use the data to fulfill our contracted services, and following your written instructions. If we’re legally obliged to process data in any other way, we’ll let you know.
- We keep the data we have confidential. That applies even after you end your contract with us.
- We take particular care when it comes to the risks surrounding data processing. We look at the potential consequences of destruction, loss, accidental or unlawful changing of personal data, and unauthorized access to personal data.
- As it has always been, we never share data with people unrelated to the service we provide. But you (as the data controller) can give us permission to use another data processor. They’d be a subcontractor. We must tell you who they are at least one month before we start using them.
So wait, is that all? Are we GDPR compliant too?
Well, it’s not that simple. GDPR does set the standard, but if you choose to download personal data from Almabase and share it with someone else for a purpose that the constituent did not agree to, you could be in violation, and the fines could still apply.
For instance, if you purchased a list to send emails to your constituents, that could mean that the person did not explicitly consent to receiving emails from you, and therefore you could be in violation.
If you have any questions about how your alumni network can be compliant, feel free to reach us at firstname.lastname@example.org