If you work in data protection or privacy, you already know this: the clock is ticking.
On 25 May 2018, the most significant data protection law in this young century will go into effect in the European Union: the General Data Protection Regulation (GDPR), Regulation 2016/679. Europe has long regarded privacy as a fundamental human right, and the EU Data Protection Directive (95/46/EC) has long been held up as the gold standard in privacy protection for more than 25 years. For all of its benefits, the Directive was put forward in 1995, when the Internet was still nascent and had not yet assumed such a critical role in the lives of billions of people. Many people connected to the Internet using SLIP or PPP over dial-up, and the dominant browser was Mosaic (soon to be replaced by Netscape Navigator). Facebook, WhatsApp, Instagram, Netflix and Google were all many years away. Mobile devices were limited to something like the Newton or a laptop that could charitably be considered a “luggable.” Cloud computing and machine learning at the scale we see today were still largely thought experiments.
With the radical changes in global society catalyzed by the Internet, the humanitarian community has not been immune to the changes that are happening in every corner of the planet. In order to scale up to the increasing need and complexity of humanitarian crises, many aid organizations have gotten on the “innovation” bandwagon. Innovation, in this case, often meant the use of greater computing and data collection resources.
With humanitarian data security and privacy under greater scrutiny than ever before, the imminent arrival of the GDPR presents a not insignificant challenge to NGOs and intergovernmental organizations that process data on European data subjects. But it also presents a unique opportunity to do right by the most vulnerable people on the planet, people who are at risk from conflict, disaster or other humanitarian crises.
The European Migration Crisis Was a Wake-Up Call
Since the end of the Second World War and the rise of the modern humanitarian system, it has generally been true that aid agencies would recruit and fundraise in the West, and then deliver services in the Global South or other parts of the developing world. But the migration crisis affecting Europe in the last few years, driven primarily by the Syrian conflict and several other conflicts in North Africa, changed that dynamic. For the first time in the age of modern computing, aid agencies were delivering services to a large population in Europe.
When I worked on the Syrian refugee crisis in 2015, we made the determination that the moment a refugee’s boat landed in the Greek Islands or in Italy, their data had to be governed in accordance with the EU Data Protection Directive. The people arriving in Europe were suddenly “EU data subjects,” and were entitled to certain rights and protections accordingly. So we had, for the first time, a significant humanitarian crisis that was in scope of a strong set of data privacy requirements. Our refugee networks at the time were designed with these findings in mind, and the fact that we created the largest known dedicated humanitarian network (with over 600,000 users) under this protection demonstrated that you could have scale, innovation, and privacy for an extremely vulnerable population.
The GDPR protects Europeans – but global organizations will extend its protections.
At first glance, it may not be readily apparent why the GDPR is relevant to humanitarian operations, the vast majority of which occur outside the scope of EU data protection law and the 28 EU member states. Firstly, many global NGOs have a GDPR exposure. Even if their service delivery occurs in many other parts of the world, far away from any relevant privacy laws, these organizations are often based in, and fundraise in, Europe. Further, many of them also recruit staff from within Europe. So they will have to come into compliance with GDPR requirements.
But with aid operations worth $17.9 billion USD (2012) that reached 73 million people around the world, these same organizations will have strong incentives to extend “privacy by default and by design” across geographies. It is often cheaper and more efficient to design one regime for security and privacy within an organization than to have a fractured landscape (and the resultant risk of very significant fines – up to 4% of an organization’s global turnover in the most egregious cases).
Unlike a Fortune 100 global enterprise where there may be a single CIO and a single IT organization with global standards, NGOs often have very fractured ICT infrastructure, where there may be some standards and unity in the “home office,” but where field offices and field operations may have a hodgepodge of management and technical solutions, some of which are ad-hoc, and many of which exist outside of overall security and privacy governance.
Carrots and Sticks
There have been multiple calls for increased data governance and protection within the humanitarian community of late, especially as the risks of “irresponsible data” become more clear. But most of these calls to action are based on the moral and ethical reasons that humanitarian organizations should adopt strong security and data protection postures. The price to vulnerable people is just too high, they argue, and there is a clear humanitarian rationale for protecting those vulnerable people which exists in the electronic space as much as it does in the physical space. And all of that is true… there is a clear humanitarian reason for taking data protection a lot more seriously than is often done. That’s the carrot: it’s the right thing to do, and it’s completely in line with the humanitarian principles established over the last hundred years or so.
The GDPR, on the other hand, compels data protection by granting significantly enhanced rights to data subjects and by imposing those previously mentioned fines for violations. (As an aside, it is almost a cliché to write an article about the GDPR that doesn’t also mention those fines – they’re big, and their coercive power should not be underestimated.) Humanitarian organizations will soon ignore data protection at their own peril.
A Culture of Data Protection
Humanitarian organizations have often overlooked security and data protection issues in pursuit of executing their core missions. As I stated previously, the current grant-based funding model has created incentives to de-emphasize risk reduction. Security and privacy issues are often considered “administrative overhead.” NGOs have an incentive to minimize overhead and maximize the share of each donated dollar that goes to programs and operations. Donors in turn want to see their money going to hungry people, or shelter, or other humanitarian needs. Both sides of the equation have previously had rational (if ultimately mistaken) reasons to de-emphasize data protection.
No more. The GDPR, by its territorial scope and expansive scale, will require humanitarian organizations that may previously have been able to avoid tackling thorny issues of data protection to finally confront them. Is the GDPR the perfect solution to data protection? Absolutely not. But the key thing it does is require organizations to start building comprehensive security and privacy programs across all of their data processing activities.
And that’s a start…