The European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25. The new regulation, which centers on data privacy and transparency, can be intimidating for organization leaders to read and interpret, especially given what is at stake: for the most serious infringements, administrative fines of up to 4 percent of total worldwide annual turnover or €20 million, whichever is higher.
During their presentation at Venable LLP’s “The Top Privacy and Data Security Trends and Issues for Nonprofits in 2018” in Washington, D.C., Robert L. Waldman, partner and co-chair of Venable’s nonprofit organization practice; Kelly DeMarchis Bastide, partner in Venable’s eCommerce, privacy, and cybersecurity practice; and Joel Urbanowicz, director of information security and ICT process governance at Catholic Relief Services, walked attendees through some GDPR basics, including the seven data protection principles set out in Article 5 of the regulation:
- Lawfulness, fairness, and transparency. Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject;
- Purpose limitation. Collect personal data only for specified, explicit, and legitimate purposes. Any further processing must not be incompatible with those purposes;
- Data minimization. Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed;
- Accuracy. Personal data must be accurate and, where necessary, kept up to date. Reasonable steps should be taken to erase or correct inaccurate data without delay;
- Storage limitation. Personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing;
- Integrity and confidentiality. Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage; and,
- Accountability. The data controller is responsible for compliance with these principles and must be able to demonstrate it.