GDPR best practice for NGOs
Posted by Henk Onstwedder
Last week I had the privilege of attending the first regional Middle East chapter meeting of NetHope. Founded in 2001, NetHope is an American consortium of more than 50 American non-governmental organizations (NGOs) that specializes in improving IT connectivity among humanitarian organizations in developing countries and areas affected by disaster. Through collaboration, they aim to bring together the expertise of the technology sector with the on-the-ground experience of nonprofits, providing the resources, tools, guidance, and grant making needed to support digital transformation. Their goals very much reflect those of Unit4 in the Not-for-Profit sector.
A group of 30 representatives from 15 leading international NGOs (INGOs) gathered at the meeting to discuss common themes and share experiences on IT-related topics. One of the most interesting discussions was about how to apply the General Data Protection Regulation (GDPR) in the complex setting of an international NGO. Organizations must comply with the requirements under GDPR before it comes into effect on May 25, 2018. It applies to all companies selling to, and storing personal information about, citizens in Europe. It provides citizens of the EU and EEA with greater control over their personal data and assurances that their information is being securely protected across Europe. Although many NGOs have already adopted privacy processes and procedures consistent with the Directive, many have not, and significant fines and penalties will be imposed for non-compliance. For NGOs, whose work depends on the support of individuals, this is significant.
The NGOs we talk to pride themselves on their ability to analyze data and to demonstrate their social impact and results. This is their biggest focus, which means they collect massive amounts of personal data on their donors and beneficiaries, from information on health and finances to dates of birth and ID numbers of the individuals they are trying to help. Still, many of those organizations do not have strict data protection policies or the systems and structures to manage that data properly. This has to be addressed, and fast.
Our discussions with NetHope focused on a question of scope. GDPR is an EU regulation and certainly applies to data management and processing within the EU, but do the same rules apply when the European operation of an INGO collects data on beneficiaries outside the EU? And what happens if this is done by a non-EU subsidiary of the INGO?
General consensus amongst the participants was that in an INGO with a presence in the EU, all data should be subject to GDPR. First, it pre-empts any legal risks of non-compliance. Since these risks can be significant and could lead to hefty fines, this is a strong argument. Second, many believe that it works best if the INGO has a single policy regarding data privacy and security. In other words, if some part of the organization has to be GDPR compliant, then the entire organization should adopt it as a policy. Third, there is the understanding that GDPR – or data privacy in general – is a moral obligation for INGOs. As an INGO you want to take maximum care of the personal data of the beneficiaries you are trying to protect, the personal data of your own employees, and that of your donors. That’s a highly motivating argument that should see this principle adopted by the entire sector as a business best practice.