This is the third blog post in our GDPR series. To catch up, start with our first post: GDPR: Is Your Organization Ready?
Being a good steward of data includes respecting people’s privacy, protecting the data from getting into the wrong hands, and being transparent about how you and your partners are using a person’s data. If you borrowed a lawn mower from your neighbor, wouldn’t you let them know when and where you’re going to be using it and keep it locked in your garage until you gave it back? If your sister-in-law wanted to borrow it, wouldn’t you check with the lawn mower’s owner before you did? These are silly analogies, but they demonstrate an important point: the data we have about our constituents (and employees and partners) is not “our” data at all.
The principles around data ownership, when it includes personal details, have shifted. Organizations don’t “own” personal data – they are borrowing it and need to treat that data with the respect, security and transparency that come along with the concept of “borrowing”. The new General Data Protection Regulation (GDPR) going into effect in May is one step along this path. While these regulations apply only to organizations with EU constituents (including US-based organizations!), all signs are that the US will be moving in this direction too.
The challenge for many organizations will be how far and wide constituent data is spread throughout the organization. Just getting a handle on what we have and where it all is will be only the first step. Deciding who should have access to it, why we need it, who we should share it with, as well as how to inform our constituents of our practices and policies are also part of the path forward.
In fact, this is a great opportunity to leverage your data stewardship for brand building. Your constituents would love hearing how you’re protecting their data – especially when they are hearing from so many places that are not (Equifax anyone?). This is a huge brand building opportunity.
In other words, data stewardship is:
- good risk management – protecting the organization from liability arising from unauthorized access or lack of compliance with federal or international regulations like GDPR
- good brand building – demonstrating to your donors and advocates that you are being responsible stewards of their personal data
So whether or not you’re affected by GDPR, the principles of these new regulations are simply good business (and may eventually be required in the US too):
- Document where all your constituents' data is, who has access to it (and why), who it's shared with (and why), and how it's protected
- Securely protect their data from unauthorized access
- When you collect your constituents' information, be transparent about what you're doing with it and who you're sharing it with
- Promote your good data stewardship practices