<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>GDPR - Perlman Sandbox</title>
	<atom:link href="https://dev.staging-perlmanandperlman.com/tag/gdpr/feed/" rel="self" type="application/rss+xml" />
	<link>https://dev.staging-perlmanandperlman.com</link>
	<description>Perlman Sandbox</description>
	<lastBuildDate>Fri, 14 Jun 2019 15:34:54 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.7.2</generator>
	<item>
		<title>Privacy Matters: A Website Privacy Policy is Good Governance</title>
		<link>https://dev.staging-perlmanandperlman.com/privacy-matters-website-privacy-policy-good-governance/</link>
					<comments>https://dev.staging-perlmanandperlman.com/privacy-matters-website-privacy-policy-good-governance/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Fri, 14 Jun 2019 15:34:54 +0000</pubDate>
				<category><![CDATA[Nonprofit Governance]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[good governance]]></category>
		<category><![CDATA[privacy policy]]></category>
		<category><![CDATA[website]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/privacy-matters-website-privacy-policy-good-governance/</guid>

					<description><![CDATA[<p>With the massive expansion of the Internet and online collection of personal information, privacy is a real concern these days.  Your nonprofit organization’s privacy policy is the first step in an overall approach to responsibly collecting, sharing and safeguarding the information you obtain: it is a pledge to your donors and supporters to maintain their [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/privacy-matters-website-privacy-policy-good-governance/">Privacy Matters: A Website Privacy Policy is Good Governance</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
<content:encoded><![CDATA[<p>With the massive expansion of the Internet and online collection of personal information, privacy is a real concern these days.  Your nonprofit organization’s privacy policy is the first step in an overall approach to responsibly collecting, sharing and safeguarding the information you obtain: it is a pledge to your donors and supporters to maintain their confidentiality.  Having an up-to-date privacy policy is also considered “good governance” – as an example, the most recent NYC <em>Good Governance Blueprint</em> recommends that nonprofit organizations “develop, publish, implement, and monitor implementation of its privacy policy.”</p>
<p>So how should one go about drafting a website privacy policy?  The Federal Trade Commission advises that when drafting your privacy policy “say what you mean and mean what you say.”  The first part is easy – you need to have a global understanding of what your organization does with the information it collects.  For example, do you share information with third parties, use cookies and other web tracking technologies, or send promotional emails?  Whatever the practices, they need to be clearly described in your privacy policy.</p>
<p>The second part, “do what you say”, is more of a challenge.  Simply stating the policy is not enough – you must adhere to the policies and procedures as described.  Your organization will be held accountable for any failure to meet its own written standards, so it’s imperative that everyone in the organization understand what they should be doing – and, equally important, what they should <em>not</em> be doing.  There are useful tools and approaches for assessing and monitoring such adherence that you may consider adopting, such as a data privacy audit.</p>
<p>Finally, your privacy policy must keep pace with your practices and with changing law.  Web technologies, marketing strategies and other internal practices change regularly.  If the marketing department concludes that a monthly e-newsletter to donors is essential, that’s fine, but make sure that this is addressed in the privacy policy.  Unfortunately, many organizations do not routinely update their privacy policies to keep pace with such changes.</p>
<p>Additionally, the laws applying to privacy practices are in constant flux.  As an example, the General Data Protection Regulation (GDPR) issued by the European Union (EU) became effective May 25, 2018.  Although some organizations have adopted privacy processes and procedures in response to the regulations, many are still unclear as to the impact upon their organizations, and the steps necessary to comply.  In regard to your privacy policy, GDPR does require that you include specific provisions and “rights” in your online privacy policy.  Failure to comply could result in significant fines and penalties.</p>
<p>As someone who routinely reviews and drafts privacy policies, I am keenly aware of how quickly these privacy policies can become “outdated.”  If you have a professionally drafted privacy policy, make sure that it is reviewed, followed and updated on an annual basis.  If you are like many organizations and have an outdated and/or inadequate privacy policy, then revising it should be a top priority.  The investment today will go a long way in honoring the commitment to the privacy your supporters expect and deserve.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/privacy-matters-website-privacy-policy-good-governance/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>GDPR is coming. Will your organization be ready?</title>
		<link>https://dev.staging-perlmanandperlman.com/general-data-protection-regulation-gdpr-eu-privacy-processes-nonprofits/</link>
					<comments>https://dev.staging-perlmanandperlman.com/general-data-protection-regulation-gdpr-eu-privacy-processes-nonprofits/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Sun, 11 Mar 2018 22:38:41 +0000</pubDate>
				<category><![CDATA[Nonprofit]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[European Union]]></category>
		<category><![CDATA[GDPR]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/general-data-protection-regulation-gdpr-eu-privacy-processes-nonprofits/</guid>

					<description><![CDATA[<p>The General Data Protection Regulation (GDPR) issued by the European Union (EU) becomes effective May 25, 2018.  Although some organizations have already adopted privacy processes and procedures in response to the regulations, many are still unclear as to the impact upon their business, and the steps necessary to comply. Does GDPR apply to your organization?  [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/general-data-protection-regulation-gdpr-eu-privacy-processes-nonprofits/">GDPR is coming. Will your organization be ready?</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>The General Data Protection Regulation (GDPR) issued by the European Union (EU) becomes effective May 25, 2018.  Although some organizations have already adopted privacy processes and procedures in response to the regulations, many are still unclear as to the impact upon their business, and the steps necessary to comply.</p>
<p>Does GDPR apply to your organization?  For virtually every organization, the answer is “yes.”  In basic terms, any US entity that has a web presence and markets to or gathers information on EU residents is subject to GDPR.  More specifically, Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your organization is subject to the requirements of the law.  It’s important to note that no financial transaction has to take place for your organization to be subject to the regulation. The bottom line is that the GDPR applies to any organization that collects and holds “personal data” of individuals residing in the EU, regardless of the organization’s location.</p>
<p>Failure to comply could result in significant fines and penalties. On top of that, complying with GDPR will require organizations handling EU residents’ data to undertake significant operational reform.  Below I summarize the main mandates imposed by GDPR that organizations should focus on. I will be writing a further series of posts to provide additional guidance on ensuring full compliance.</p>
<p><strong>It’s My Data &#8211; GDPR is a game changer</strong></p>
<p>From a US perspective, GDPR imposes a new paradigm.  Perhaps most significantly, it redefines what has traditionally been considered to be protected information by broadening the concept of personal data to anything that can be used to identify a person, including an email address, Twitter handle or even an IP address associated with a mobile device. It’s crucial to recognize that the personal data an organization collects is never owned by the organization: it is the individual who perpetually retains control over it.  This key public policy maintains that data belongs to the person it identifies, and that the person has a right to control how it is processed. Therefore, while organizations may use, within well-defined limits, the data they collect, they will need to obtain explicit consent from the individuals who “own” it.</p>
<p><strong>Explicit Consent is the New “Opt In” – What is It?</strong></p>
<p>While organizations may continue to rely on “consent” as a lawful basis to collect, use and transfer personal data under the GDPR, what constitutes acceptable “consent” is now at a higher bar.  No longer will “implicit” or “opt-out” consent be acceptable.  Rather, GDPR requires that the individual signals his or her agreement by “a statement or a clear affirmative action.”   It’s also important to note that GDPR introduces restrictions on the ability of children to consent to data processing without parental authorization.</p>
<p><strong>No “Passing the Buck” – Responsibility for Third-Party Vendors</strong></p>
<p>GDPR squarely puts the onus on the organizations that collect data to ensure that their third-party vendors (data processors) are acting appropriately, and that any “processing activities” are performed in compliance with the regulations. Organizations must “implement appropriate technical and organizational measures” not only to ensure compliance, but to be able to demonstrate the measures that they have in place.  Under certain circumstances, organizations will have specific responsibility for carrying out data-protection “impact assessments.” Most importantly, the organization will be liable for the actions of its third-party vendors and any failure on their part to comply with GDPR’s personal data processing principles.</p>
<p><strong>“Use It – Then Lose It” &#8211; Limits on Data Retention</strong></p>
<p>Many organizations keep personal data for much longer than is reasonably necessary.  GDPR imposes restrictions on this practice, effectively mandating that organizations create, implement, and then follow a data-retention policy.</p>
<p><strong>“It Don’t Come Easy” – New Obligations for Cross-Border Data Transfers </strong></p>
<p>The GDPR permits personal data transfers to a third country or international organization subject to compliance with a number of conditions, including conditions for onward transfer. For those countries that are not considered to provide an “adequate” level of data protection, transfers are only permitted under certain circumstances, such as by use of standard contractual clauses or binding corporate rules.   Note that the United States is not considered to have an “adequate” level of protection, so organizations wishing to transfer data to the US must take additional actions.</p>
<p><strong>A “Target” on Targeting? &#8211; Restrictions on Profiling</strong></p>
<p>Today, nonprofits often engage in donor-data analysis for a variety of purposes, including drawing conclusions about a donor’s wealth and capacity to give to develop target marketing campaigns. In its sweeping efforts to define and enhance the subject’s rights to control personal data, the GDPR contains many restrictions on such automated data processing – and decisions based upon such processing – to the extent they can be characterized as profiling.</p>
<p><strong>A Higher Bar – New Data Security and Breach Notification Obligations</strong></p>
<p>GDPR imposes strict obligations on organizations with regard to data security as well as expected security standards. The GDPR also adopts specific breach notification guidelines for the first time.</p>
<p><strong>It’s All About Them – Additional Rights to Control Personal Data </strong></p>
<p>As part of its effort to expand individual control over the use of personal data, the GDPR introduces two new rights. The first is the literal right to be “forgotten,” which empowers individuals to request that your organization delete their personal data.  The second requires that, if requested, you provide an individual’s personal data to them.  The GDPR also augments the existing rights of individuals to receive notice about your processing activities, gain access to the information that is being processed, and to request that any inaccuracies be remedied.</p>
<p><strong>Keep ’Em Separated &#8211; “Pseudonymization” of Personal Data</strong></p>
<p>The concept of “personally identifying” information is one of the essential elements driving and informing GDPR.  Any “personal data,” defined as “information relating to an identified or identifiable natural person (‘data subject’),” falls within the domain of GDPR.  The regulation introduces the concept of “pseudonymization” into European data-protection law. Pseudonymization is the separation of data from direct identifiers, so that linking the data to a person is not possible without additional information that is kept separately and not digitally connected to it. The intent is to minimize the risks associated with the sharing and processing of data.</p>
<p><strong>Closing Thoughts</strong></p>
<p>I can certainly appreciate that the regulatory obligations summarized above may seem overwhelming – they are &#8211; and that organizations may be tempted to take a “wait and see” approach.  It is essential, however, to keep in mind that by any measure the fines for violations of GDPR are severe (regulators are authorized to levy fines in amounts exceeding the greater of 20 million euros or four percent of annual global revenue). So in this case, an ounce of prevention will truly be worth the pound of cure.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/general-data-protection-regulation-gdpr-eu-privacy-processes-nonprofits/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
