Civil Society Organizations and General Data Protection Regulation Compliance

Challenges, Opportunities, and Best Practices

ABOUT THE ORGANIZATIONS The Open Society Foundations, founded by George Soros, are the world’s largest private funder of independent groups working for justice, democratic governance, and human rights. Open Society funded this report hoping to make a contribution towards stronger data governance in civil society.

Data Protection Support & Management is a niche data protection consultancy specializing in assisting humanitarian organizations, nonprofits, research institutes, and organizations dealing with vulnerable data subjects and complex processing environments These efforts aim to help these groups and organizations innovate responsibly and comply with their data protection obligations. © 2020 Open Society Foundations

This publication is available as a PDF on the Open Society Foundations website under a Creative Commons license that allows copying and distributing the publication, only in its entirety, as long as it is attributed to the Open Society Foundations and used for noncommercial educational or public policy purposes. Photographs may not be used separately from the publication.

ABOUT THE AUTHORS Vera Franz is deputy director of the Open Society Lucy Hannah is a data protection consultant with Information Program where she oversees the global Digital Protection Support & Management, a certified portfolios responding to threats to open society data protection officer, and an Australian-qualified created by information technology. For the past lawyer, working across Europe and the United decade, Franz has worked to develop and implement Kingdom. Hannah has extensive experience in field strategies to confront corporate data exploitation privacy, data protection, and regulatory compliance. and government surveillance. This work has included She previously worked on GDPR compliance for an supporting the adoption of a robust EU General Data international publishing organization in London Protection Regulation (GDPR), and initiating the and for a UK-based online retailer, overseeing the Digital Freedom Fund, Europe’s first digital rights technical and operational changes needed to meet the litigation fund. She is a certified data protection officer businesses’ data protection compliance requirements. and a member of Open Society’s GDPR compliance group. Before joining Open Society, Franz was a researcher at the Techno-Z Centre for Innovation & Technology and taught at the Department of Communication Studies at Salzburg University.

Ben Hayes is a director of Digital Protection Support & Management. Hayes previously worked for NGOs and research institutes on issues related to national security, border control, counter-terrorism, policing, criminal law, and human rights. Before co-founding Digital Protection Support & Management, Hayes worked as data protection legal advisor to the International Committee of the Red Cross and as a data protection expert for the United Nations Refugee Agency. He has also consulted extensively on applied “data ethics” issues for the European Commission’s Directorate General for Research and Innovation and the European Research Council.

3 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

1. Introduction We wanted to understand NGOs’ attitudes toward the GDPR, the guidance on compliance As civil society organizations are becoming available to them, the particular compliance increasingly data-heavy operations, basic challenges they encountered, and the impact fluency in data protection is essential. Adapting the GDPR has on their core activities such as to the changes brought by the EU General Data advocacy and human rights investigations. Protection Regulation (GDPR) will make civil For example, is the approach to mailing lists, society organizations more resilient and enable where many NGOs unnecessarily culled the them to appropriately protect the personal data addresses of recipients, characteristic of the of their staff, donors, beneficiaries, research non-profit compliance experience as a whole? subjects, and contributors. In an era in which Conversely, is the NGO sector under-comply- the political and operational space of civil soci- ing as it is overly-reliant on the premise that ety is “shrinking,” compliance with the GDPR its activities are all in the “public interest” and also provides a robust defense against adver- therefore a priori permissible under the GDPR? saries who may seek to use or abuse the GDPR Also, we were particularly interested in explor- in an attempt to undermine the activities of ing whether and how the GDPR has been or these organizations. Fluency in data protec- may be used by political opponents against tion also allows civil society organizations to civil society organizations and how the GDPR lead by example on the value of data privacy fits in with the growing compliance burden and demonstrate an alternative to the current associated with the shrinking space for civic model of unchecked, large-scale data exploita- activism on political issues. There can be no tion by many big technology companies. doubt that tenacious civil society organizations We were motivated to produce this report as have made powerful enemies; does the GDPR we witnessed many NGOs (non-governmental therefore leave them exposed to legal action organizations) tie themselves up in knots over by vexatious and litigious adversaries? Are their mailing lists in the run up to the GDPR. they aware of these risks and have they taken Countless civil society organizations flooded adequate steps to mitigate them? our inboxes with needless re-consent requests, The authors firmly believe in the importance of while large corporations gave the impression of comprehensive data protection, and the GDPR business as usual. With this report, we set out more specifically. Despite its detractors, the to better understand what the GDPR means GDPR is without doubt the best entry point to for NGOs in very practical terms, and provide begin to address the damage that massive data some practical guidance to NGOs on issues exploitation by big tech companies is doing to that they have struggled with. our societies—from political microtargeting

4 Introduction and societal polarization to the out-of-con- sought to ensure that the GDPR did not unduly trol “ad tech” industry and the emergence and restrict press freedom, other public interest consolidation of tech monopolies. But we also organizations were not so forward-thinking, acknowledge the challenges the GDPR creates which appears to have left a few “gray” areas. for civil society. For example, while smaller We hope this report can provide some practi- organizations are exempt from certain compli- cal guidance to NGOs on issues that they have ance requirements such as the appointment of struggled with: not by producing yet another a data protection officer, most of the legisla- GDPR checklist or “compliance tool,” but by tion applies in its entirety regardless of orga- thinking through the compliance issues that nization size and the compliance burden can may be unique to civil society organizations disproportionately impact these organizations. engaged in social justice and human rights This was recognized by the European Commis- activism. Unfortunately, there is no getting sion, which established a dedicated budget- away from the complexity of the GDPR—a line to help national data protection authorities problem compounded by the freedom left to assist small and medium-sized enterprises in the member states to apply and interpret many understanding and complying with the GDPR.1 of its key provisions in accordance with their This was aimed squarely at businesses, with own national legal traditions—so the usual no provision for the hundreds of thousands caveat about making additional checks for of non-profit organizations across Europe.2 consistency with national law before relying on It is also notable that whereas most business anything in the best practice section at Annex sectors lobbied for exemptions, special treat- 1 applies. ment or lower standards in the GDPR to protect their commercial interests and activities, civil The structure of the report reflects the chal- society organizations generally lobbied for high lenges and opportunities that our work standards across the board—without neces- revealed. In section 2, we discuss in more detail sarily thinking about the implications for their our findings from the survey and the follow-up own work. So while media organizations had conversations we engaged in. The following sections cover notable issues that arose as

1 “Restricted call for proposals: Ensure the highest level of protection of privacy and personal data,” Funding and Tender Opportuni- ties, European Commission, https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/topic-details/ rec-rdat-trai-ag-2017, March 30, 2017. 2 In 2015, data compiled by the Donors and Foundations Networks in Europe and the European Foundation Centre and analyzed by the Foundation Center (New York) suggested that there are more than 141,000 registered “public benefit foundations” in Europe. Because many civil society organizations are unregistered, their total number is likely to be much higher, Number of Registered Public Benefit Foundations in Europe Exceeds 141,000, Lawrence T. McGill, Foundation Centre, available at https://www.swissfoundations. ch/sites/default/files/European_Foundation_Sector_Report_2015_0.pdf, 2015.

5 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance the project went on. Section 3 provides two 2. Our Research Findings examples of when civil society organizations While the GDPR addresses some fresh issues have been sanctioned for non-compliance and did introduce new safeguards and restric- with data protection law, and the lessons that tions on data processing, it is worth pointing can be learned by other civil society organi- out that most obligations pre-dated the new zations. Section 4 looks at the way in which legislation. Many core principles and require- Subject Access Requests—which are derived ments in national and European data protec- from the fundamental right to access data tion law have been present for almost 40 years.3 about us collected by governments and busi- Yet there was certainly no shortage of hype and nesses—have been used positively by civil fear mongering around the introduction of society organizations, but also at how organi- GDPR—much of it linked to consultancy sales zations have received and handled frustrating pitches. In the following, we summarize how and unfounded requests. Section 5 explores NGOs have responded to the GDPR. the difficulty of disentangling data protection from wider societal issues of power and resistance, and considers its impact in terms 2.1 High-level Findings of both push back against civil society organi- Mixed attitudes toward GDPR compliance: zations, and as a key factor in establishing an Many respondents emphasized that GDPR “enabling environment” that civil society needs compliance is in line with organizational values, to achieve positive social change. Sections 6 but many also pointed out that compliance is and 7 attempt to draw together the conclusions challenging for a whole set of reasons, not of our findings and make recommendations least because it is time and resource intensive. for different stakeholders. Annex 1 provides There is broad agreement that the application best practice guidance for civil society orga- deadline for the GDPR represented an oppor- nizations based upon our research and wider tunity to review organizational data practices, experience of dealing with GDPR compliance. but some respondents also stated that when added to a growing compliance burden already encompassing a raft of NGO transparency and accountability requirements, GDPR regulations make it harder for civil society organizations to concentrate on their core activities.

3 See EU Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (ETS No. 108, 28.01.1981).

6 Our Research Findings

Lack of good GDPR compliance advice, and the various risk appetites of civil society especially advice tailored to non-profits: organizations all contributed to why many This is what we found in our literature review respondents said they had to seek advice from of available guidance, and it was also empha- external lawyers or consultants. The major- sized by many survey respondents. Official ity of respondents (75 percent) indicated they advice from data protection authorities seems were satisfied with the guidance they sought to be particularly lacking in Eastern Europe, in navigating the uncertainty and lack of while the British, Dutch, and French author- clarity around their GDPR obligations. ities were singled out for providing the most The remaining 25 percent—a significant useful advice, even though much data protec- proportion of respondents—indicated that the tion advice is rarely tailored specifically to commercial advice received was conservative non-profits. Where relevant guidance does or otherwise unhelpful. This phenomenon exist, it is aimed at charities, and while some could be partially responsible for instances non-profits are charities, their activities, partic- of NGO over-compliance. ularly their activism, tend to raise a different set Expenditure of time and money on compli- of issues. The guidance for the charity sector ance: Two thirds of NGOs started their is in turn dominated by the issue of fund- compliance efforts in early 2018 or later, the raising, where best practice documents and rest started earlier. The majority of survey detailed guidance are available. The provision respondents (75 percent ) paid for advice from of substantial information about fundraising is consultants and/or lawyers. Not surprisingly, in response to fines recently issued by regula- the larger the organization, the more time tors against international NGOs and others for and money was spent on compliance.4 The their aggressive fund-raising tactics and failure exception to this rule is a very small organiza- to protect donor data. tion, which spent 40,000 euros (a third of their Reliance on external, tailored commer- annual organizational budget) following a data cial advice: Many of the respondents also breach and an investigation by the Data Protec- pointed out that they were largely beholden tion Authority. For half of the groups, the cost of to the commercial compliance industry that compliance was negligible, but almost a third was so visible in the run-up to May 2018, indicated that they spent up to 10,000 euros . offering packaged solutions often for a signif- The three that spent more than 50,000 euros icant fee. The complexity of the law, a lack of have annual budgets of over 1 million euros . internal capacity, the need for clear guidance, Some survey respondents also reported plans

4 Forty percent of survey respondents spent less than one month on compliance—most of those were small NGOs with 1 to10 employees. Only four respondents, large organizations, spent more than one year on compliance.

7 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance to upgrade their IT infrastructure to ensure marketing or outreach activities. It certainly better compliance with the GDPR, including did not meet the legal threshold for a manda- migrating data into new systems with gran- tory impact assessment. ular access controls. These upgrades would Examples of a pragmatic compliance require major financial investments. This approach: Several NGOs acknowledged the matters because financial resources are often requirements of the law, but chose to take a scarce and larger NGOs are under pressure to risk-based and proportionate approach, in minimize overheads relative to the money they some cases against external legal advice. spend on programmatic work. For example, one international NGO was Evidence of over-compliance: The most (wrongly) advised that they should nominate widespread example of over-compliance was a data protection officer in every EU jurisdic- the decision by many NGOs, often on the basis tion, but decided to ignore this advice because of external legal advice, to ask all of their mail- of the exorbitant cost involved. Instead, they ing list subscribers to “re-consent” to receiving contracted a single, external officer instead. newsletters and other organizational commu- Another organization decided not to seek nications. The results of this for many NGOs consent for the use of contact details for was that the number of mailing list subscribers communication with public officials, even was slashed, in some instances, quite dramati- though external counsel had advised the oppo- cally. Less worried and arguably better-advised site. Had the organization followed this advice, non-profits instead simply acknowledged the then its ability to communicate with policy entry into force of the GDPR and/or updated makers—a core part of its mission—would have their privacy policies, stated that they believed been seriously restricted. subscribers wished to continue receiving their communications and provided them with the 2.2 Specific Compliance Challenges opportunity to opt-out at any time. Beyond Civil society groups’ attitudes toward compli- this issue, concerns about over-compliance ance are likely shaped by the concrete expe- were widely shared among respondents. riences they have had working to achieve Another NGO, following the advice of their compliance. We asked organizations that had external data protection officer, undertook a struggled to comply what issues have been the data protection impact assessment of all most difficult and why. their data processing activities. While impact assessments are the best practice, the NGO that underwent the assessment holds very limited personal data and undertakes no

8 Our Research Findings

One of the biggest challenges identified by about how they are implementing the GDPR NGOs is the identification of the correct provisions relating to freedom of expression legal basis for their data processing oper- and information. Even transnational orga- ations: Although it is often assumed that the nizations seeking legal certainty cannot yet GDPR is all about obtaining consent from find it. The European Data Protection Board, the data subject, consent is merely one of six which promotes cooperation between national “legal bases” for processing, and by no means data protection authorities and contributes to the most widely used. From the feedback we the consistent application of data protection received, it seems NGOs found it easier to rules in the European Union, has recognized define the legal basis for their operational and these challenges and plans to issue guidance administrative work, but several NGOs are on the balance between free expression and still uncertain about the legal basis for their data protection. programmatic work. “We have all our non-pro- The development of a data retention policy grammatic processing documented. Employ- was another widely quoted compliance ees, donors, etc…” said one NGO worker. “I challenge: Such policies are required because am comfortable with the legal bases. But I have under the GDPR, organizations need to adhere questions about our journalistic activities. We to the data minimization principle. This princi- have an internal memo that says we take a wait ple stipulates that the amount of personal data and see approach. If we don’t get hit by regu- and the length of time for which it is stored lators, over time everything will become a lot must be limited to what is necessary for the clearer.” It also appears that many of the NGOs purposes for which it is processed. The partic- we spoke to are relying on the ”public interest” ular challenges highlighted by NGOs are the legal basis in the GDPR for their research and definition of retention periods (How long can investigative activities, as well as exemptions the data be kept? How is necessity determined?) designed for media organizations. However, and the institution of access controls (Who can the extent to which NGOs can rely on journal- have access to the data?). One respondent high- istic exemption when they provide research lighted the financial burden of implementing support services to investigative journalists such a policy: “People should only have access is far from clear. The relevant exemption to data they need. Right now, a lot of people provisions are subject to national interpreta- have access to everything. Our systems are tion, which means that what is permissible in not made in this way yet. We are only contem- one member state may not be permissible in plating this [moving data over to a new system another. Moreover, to date only 18 member with appropriate access controls] because of states have notified the European Commission the GDPR. This is cost-intensive.” Another

9 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance respondent identified challenges around the mation security and documentation of compli- technical limits of third-party platforms and ance efforts, which is particularly challenging tools used to process personal data, i.e., some for small organizations. tools make it very difficult to permanently Operating across multiple jurisdictions: erase data: “For example, when testing one A number of groups said they faced signif- tool—it only allowed us to delete profile infor- icant challenges in meeting privacy rights mation about a subject, but not discussions the requirements that could vary throughout subject had posted! We’re still working on how Europe. Derogations for freedom of expres- to ensure we can comply with all subject access sion, research, and archiving are some exam- requests when using third party tools.” ples of a whole host of areas in which member Several NGOs shared concerns about data states can deviate from and surpass the mini- security: One particular security concern for a mum requirements laid out in the GDPR when number of NGOS was the risk of data breaches implementing national law. “We struggled as a result of malicious attacks. The GDPR with conflicting interpretation of certain provi- requires all data controllers to take a risk-based sions between jurisdictions,” said one group approach and enact technical and organiza- member. Another one commented: “We can’t tional measures commensurate to the threats rely on advice from individual data protection they face and the risk that unauthorized access agencies (DPAs) for all European jurisdictions or disclosure of personal information poses we operate in.” A member of another group to data subjects. This is something that small that works in a decentralized and remote way NGOs in particular are not very well placed to remarked, “We weren’t sure which national achieve, as noted by survey respondents. “The regulatory authority to consult, as we all live level of resources and expertise available to in different countries.” NGOs is no match for sophisticated, targeted The GDPR requires data controllers to attacks,” said one respondent. This is an area concern themselves with the terms and where non-compliance with the GDPR can conditions of agreements with third party become a big vulnerability for NGOs. In the processors: A major challenge this presents event of a breach, the technical and organiza- is the fact that not all third party processors tional measures that have (or have not) been comply with the GDPR (at the time of writ- introduced by an organization will be key in ing even software and licensing agreements determining culpability. Preventing breaches provided by large companies like Microsoft are requires demonstrable efforts to enhance infor- under investigation for non-compliance in key

10 Our Research Findings areas).5 The power imbalance between NGOs data protection more broadly. A new and and large processors is stark, giving NGOs little updated ePrivacy Regulation was intended to to no influence over the content of agreements be released at the same time as the GDPR, but made with third parties. “The GDPR made us heavy lobbying from companies in the adtech take a serious look at the terms and conditions and online publishing ecosystem continues of the tools that we had signed up to,” said the to delay its finalization. As a result, there is director of an NGO. “Some were great, clearly tension between the laws as they currently noting that they were GDPR compliant and stand; in practice this is primarily around the having simple to understand terms, which issue of “consent” in the context of cookies.7 backed up their claims. Others were not so The online publishing industry in particular great. Clearly, some providers still need to has responded with outcry over the current make changes for the GDPR.” To ensure third practice across Europe of presenting cookie parties’ compliance status, a review of both banners. The banners tell a device user that a terms and conditions and the functionality website places cookies and implies that the user of putting these into practice is required. As is giving consent if they continue to navigate NGOs and organizations in other sectors start the website. Current banner practices could be to prioritize GDPR compliant processors, it is reconciled with the much higher threshold of hoped that processors will start competing on explicit, unambiguous, and revocable consent grounds of privacy and data security status. as set out in the GDPR. Across the internet, this Reconciling the GDPR with the ePrivacy issue has confused website owners, with even Regulation: Discrepancies between the GDPR the United Kingdom’s Information Commis- and the ePrivacy Regulation was an area of sioner’s Office admitting its cookie consent concern for a number of survey respondents. process was incorrect in June 2019.8 An array The ePrivacy Regulation,6 last updated 10 of approaches have been taken to managing years ago, addresses e-marketing, privacy of cookie consent and at present many websites communications content, and metadata as well offer data subjects granular control over the as cookies, while the GDPR regulates personal cookies dropped on their devices prior to land-

5 “EU Data Regulator Launches GDPR Probe into Microsoft Software Deals,” Graeme Burton, The Inquirer, https://www.theinquirer. net/inquirer/news/3073900/eu-gdpr-probe-microsoft-software-cloud-contracts, April 9, 2019. 6 Directive 2002/58/EC of the Euopean Parliament and of the Council of Europe,July 12, 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). 7 The Urgent Case for a New ePrivacy Law, Giovanni Buttarelli, European Data Protection Supervisor, https://edps.europa.eu/press-pub- lications/press-news/blog/urgent-case-new-eprivacy-law_en, October 19, 2018. 8 Twitter update from Adam Rose, https://twitter.com/adam_rose/status/1140151337834962944?s=21, June 15, 2019, although the Information Commissioner’s Office’s cookie notice has been updated since this time.

11 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance ing on a webpage through the use of off the all have an impact. It is also noteworthy that a shelf “consent management platforms.” These small number of NGOs, given the uncertain- platforms can be configured to offer website ties of the GDPR, decided to take a wait-and- visitors the opportunity to opt-in to the use of see approach toward compliance of their core non-essential cookies, for advertising or third activities. One respondent argued that the party tracking etc. This meets the GDPR stan- public interest protections will apply and the dard for consent. organization would not invest in compliance in any major way at this point. These issues are Primarily, this is an issue that will affect considered in more detail below. media and publishing organizations dependent on cookies to track their readership in order to drive advertising revenue. While it does ADVOCACY not directly touch upon the programmatic For the large majority of NGOs we consulted, work of civil society organizations, it is some- advocacy is their core business. In this report, thing that every organization with a website advocacy is understood as outreach not only must be aware of while remaining alert to the to policymakers but also the public writ large. changes that the impending ePrivacy Regula- As noted above, around May 2018, many tion may bring. NGOs sent out messages requiring their entire mailing lists to “re-consent.” The impact of this decision was drastic: “So far, the most 2.3 Impact of Compliance Efforts on evident impact [of compliance] on the orga- Core Activities nization was the drastic downsizing of the The GDPR has not had a major impact on number of recipients of our mailing list(s) (from NGO core activities such as advocacy and about 1000 to 104 contacts).” Another orga- investigations: With the exception of the nization noted, “The main negative effect has hysteria around mailing list consents and wide- been stripping back our number of email recip- spread enforcement action against charities ients list by 66 percent, from 45,000 people in the United Kingdom over their aggressive to 13,000 people. This has meant we have a fundraising practices, our survey found few smaller pool of people for marketing our ideas other major GDPR impacts on programmatic and fundraising.” work. However, the GDPR has only been in force for one year. Complaints by data subjects, There is now awareness among many NGOs enforcement actions by regulators, guidance that the decision to ask mailing list subscrib- from the European Data Protection Board, ers to re-consent was not necessary. An NGO and interpretation of issues that overlap with representative said, “Our head of admin other areas of legislation or are unclear, could decided 2-3 days before GDPR came into force

12 Our Research Findings to ask everyone to re-consent. We lost 15,000 government officials about policy positions and [a quarter] of our subscribers. And later we real- events we organize, even though they may not ized that we could have used legitimate interest have consented.” as a basis for processing.” Another remarked, “A rigid adherence to the rules has impacted INVESTIGATION AND RESEARCH on circulation lists for newsletters etc.” One Investigation and research into human rights respondent identified that the climate of fear abuses is another core activity of civil society. and uncertainty in the lead up to the GDPR It fuels advocacy for social change in exposing coming into force, along with both a lack of abuses of power and fundamental rights, and technical capacity and the desire to take visible is used to prosecute abusers, defend victims, action toward compliance, may have contrib- and challenge oppressive laws. uted to many NGOs’ decisions to radically cut This work is generally carried out by three types their mailing lists. of groups: specialized investigative reporting Interestingly, not all see the slashing of mail- outlets; human rights and social justice groups ing lists as negative. Some respondents feel that combine investigation with campaigning that outreach has now become more focused and advocacy; and groups that support inves- with better response rates. One NGO repre- tigative journalists, human rights researchers, sentative, for example, said, “Our mailing litigators, and advocates through the creation list has decreased significantly because we of data repositories and analysis. The latter deleted all the contact information on people category focuses on investigation and data we could not prove gave consent. Therefore, we gathering, but do not publish or advocate for increased our efforts to legally grow the data- change. This is relevant as national implement- base. However, the current mailing list has a ing legislation in some member states only much better response rate.” Another respon- makes provision for journalistic exemptions to dent noted, “It [outreach] has become much apply to the processing activities of entities that more focused instead of random ‘spraying’ of “intend to publish” the results of investigations, advertisements.” while the research and archiving exemptions Surprisingly, none of the NGOs seem to distin- have been designed with academic institu- guish between public officials and non-public tions and public bodies in mind. These issues— officials, except for this respondent: “Where it and how NGOs can deal with them—are consid- could have impacted our work, e.g., advocacy ered in the best practice section at Annex 1 in efforts that rely on database contacts, we have this report. taken a pragmatic view toward compliance to try and ensure that we can continue to contact

13 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

FUND RAISING both the provision and negotiation of services While many of our respondents are smaller related to a contract. The question of what to do NGOs that tend to receive a substantial with the data contained in unsuccessful grant amount of support from institutional funders, applications is more challenging, and organi- some do attempt direct fund raising from the zations retaining data beyond the application public and high-net-worth individuals. As process will need to determine that it is in their noted above, some respondents commented “legitimate interest” to do so. One action that that their GDPR compliance efforts led to a organizations can take is to implement a wider slashing of mailing lists, which in turn limited data protection framework that encompasses, their capacity to reach financial supporters, inter alia, transparency toward the applicant while other respondents were circumspect and retention periods (see Annex 1). This can in their reflections, observing that “a smaller be particularly challenging for grant-making mailing list reduced targets although those foundations that maintain large databases who did not re-consent were unlikely to donate to record grantee and applicant details and money.” Another issue raised was how to to provide their boards with an overview of approach potential donors in the absence of grant-making activities. These grant databases, an existing relationship. Some NGOs approach especially in the case of larger foundations, high-net-worth individuals to support their also have significant historical value as they work, even using “wealth profiling” compa- constitute an important, detailed record of civil nies to identify “targets,” and the GDPR has society at any given time. One organization we undermined their ability to do this, including spoke to is considering cleansing their data- by throwing into doubt the legitimacy of the base of personal data and, over the longer-term, profile service providers. placing the information in a public archive as a record of civil society work. A staff person from GRANT MAKING another organization explained that “we use a The answers we received from the survey do decision tree to determine specific legal clauses not indicate that the GDPR has had a detri- for each grant contract.” mental impact on grant-making practices. In part, this can be explained by the fact that grant making is done through contracts, which can make it easier to address data protection issues and provide a straightforward legal basis as required under the GDPR. Specifically, the GDPR allows you to process data in respect to

14 Our Research Findings

When Non-profits Get It • Staff and volunteers experienced serious online harassment in response to the breach, Wrong: Two Examples receiving 250,000 abusive tweets a week at the height of the crisis as well as personal Case one details of staff (home address and private A small NGO conducting research on the role photos) being published online. of social media platforms in the spread of • The NGO received around 200 Subject disinformation experienced a data breach a Access Requests following the breach. By few months after the GDPR came into effect. reallocating substantial resources, they The breach concerned the publication of indi- were able to respond to the requests. viduals’ Twitter handles clustered according Also, given the context of the breach and to political leanings—sensitive personal data harassment experienced by staff, it is highly in this context. At the time of the data breach, likely that at least some of the requests were the NGO had one full-time employee and made vexatiously. three part-time volunteers and GDPR compli- • The relevant data protection authority made ance efforts were underway. This major crisis contact immediately after the data breach, compelled the group to hire a lawyer and speed and launched a formal (ongoing) investiga- up its compliance efforts, but the fallout from tion a few months later. The NGO is now the breach has been substantial: working with their lawyer on responses to questions from the authority and is expecting • The NGO had to spend a third of its organi- to be sanctioned. zational budget for 2018 dealing with the

breach, which prevented them from hiring LESSONS LEARNED a new staff member. The executive director This case illustrates how NGO vulnerabil- said, “…we’ve been forced to work on this ity and the seemingly arcane topic of GDPR as the first priority, preventing us from fund compliance are intertwined. Vulnerability raising or delivering other projects. Without is heightened if the NGO is handling large a solid financial background, our organization could not have survived this.” volumes of personal data, but also if the NGO is conducting politically sensitive work. In an increasingly polarized world in which human rights and social justice advocates are targeted by right-wing activists, “hacking,” “doxxing” and hostile subject access requests are issues that civil society organizations are likely to contend with on an increasing basis. The case

15 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance also provides two more important reminders. gathered the personal data of potential donors First, “open source” does not mean “open from third parties offering data-matching season”— as soon an organization incorporates services and some pooled data together to personal data from the internet or other public trade between different organizations. This records into its own databases, it becomes a data was used to either contact individuals who data controller and the obligations under the had donated in the past, but for whom updated GDPR apply. Second, data protection author- contact details were not available, or to “fill the ities are, in practice, unlikely to show mercy gaps” of personal data available about potential to organizations on the basis of the nature of donors. Some charities also engaged third party their work—even to well-intentioned start-up companies to “wealth screen” potential donors NGOs with barely any staff. Finally, whereas i.e., rank people based on income and assets the NGO in this case was able to repurpose and their likelihood of making a donation. This existing, unrestricted funds to ensure both resulted in the invasive processing of sensitive GDPR compliance and organizational survival, data, all without the data subjects’ knowledge the case suggests that funders need to take or consent.9 their grantees’ information security and data While the ICO issued fines to offending charities handling practices seriously, in the same way that were below the maximum penalty amounts they do financial health and organizational available, all organizations engaged in raising governance. This in turn will require support funds from the public were effectively put on to enhance organizational resilience. notice. Eight charities voluntarily undertook a risk review process with the ICO that involved Case Two a detailed audit of their policies, procedures, From 2015 to 2017, the United Kingdom’s governance, and data management practices. Information Commissioner’s Office (ICO) This gave the charities the opportunity to under- undertook a large-scale investigation into the stand their own compliance status and to proac- data management practices of charities, with tively prepare for the GDPR, as well as provide a focus on their fund raising activities. Seri- the industry with a snapshot of its compliance ous breaches of the Data Protection Act 1998 position as a whole. The strengths and weak- were uncovered and 13 charities were issued nesses of the organizations’ practices were significant fines. Many of these charities had detailed in a publicly released report.10

9 “ICO Fines Eleven More Charities,” ICO, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/04/ ico-fines-eleven-more-charities/, April 5, 2017. 10 “Findings from ICO Information Risk Reviews at Eight Charities,” ICO, https://ico.org.uk/media/action-weve-taken/audits-and-ad- visory-visits/2259675/charities-audit-201808.pdf, April 2018.

16 Subject Access Requests: A Disruptive Tool

LESSONS LEARNED able for staff and volunteers to review. The The audit process revealed themes across the audits also revealed that many charities had charities in areas of good practice and issues a lack of policy management frameworks. to be remediated. The organizations were • Training: Policies were not always commu- typically engaged in data processing activities nicated effectively across the organizations. related to human resources and administra- This tied into a lack of adequate training for tion, service users, volunteers, supporters, and new recruits and “refresher” training for donors. Some sensitive data was processed existing staff and volunteers—despite the in relation to service users’ health, children, fact that these individuals are often involved and vulnerable people. Most of the organiza- in public interface and frontline data collec- tions had good governance structures in place, tion. appointed data protection officers or estab- • Monitoring and reporting: Most of the lished data protection working groups, mapped organizations had no routine compliance organizational data flows, and undertaken the checks for data protection or direct market- process of reviewing and updating staff training in place and internal audits were not ing procedures. The key areas where rectifica- conducted consistently. tion was required included: • Retention and disposal: There was a trend of holding onto data far longer than neces- • Consent and fair processing: Most orga- sary, mainly due to poor data management nizations lacked a formal process to give and the need for someone to be appointed notice to data subjects about how their data to manage and record this process. There would be processed, so consent had not been were also instances of groups retaining the validly obtained. personal data of previous supporters for long • Third party processors: Many charities periods in the hopes that these individuals outsourced data processing tasks to third might engage with the organization again. parties, but in many cases contracts containing appropriate data protection clauses had not been entered into. In other cases there 3. Subject Access Requests: was no contract documenting the relationship at all. A Disruptive Tool • Policies: Many charities lacked adequate Under the GDPR, data subjects can seek infor- information governance and incident report- mation about the data held on them by lodging ing policies or had failed to make these avail- a “subject access request” with a data control-

17 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance ler.11 Subject to limitation where justified, the GDPR requires member states to reconcile data subject access request confers on data subjects protection principles with the right to freedom of the right to obtain a copy of the data collected expression and information, powerful individu- about them, understand how it is collected, know als have already deployed the lodging of requests why it is being processed and which third parties to interfere in the work of investigative journal- receive it, review what safeguards are in place to ists and researchers who are reporting on them, protect transfers, receive an explanation of the particularly in order to expose or gain access to logic behind any profiling, and have personal data sources of leaked data.13 Finally, given the time deleted. With increased control over their data, and resources involved in responding to a subject individuals can be better informed and in some access request, adversaries or malicious actors instances may be able to choose to share their may lodge requests against CSOs in an attempt data with more discretion. In turn, this encour- to distract and disrupt their programmatic work. ages data controllers to be more accountable and One data-rights focused NGO we spoke to said transparent about how they treat personal data. that they had received numerous subject access This is particularly significant for organizations requests that they believe were an attempt to whose businesses are built on data harvesting derail their work. models. In the CSO space, subject access requests can Subject access requests used in impact organizations in several ways. First, these campaign for workers’ rights requests can be used as a tool to expose and Uber drivers in the United Kingdom have lodged understand how organizations process personal subject access requests with the platform in order data. A number of privacy and data protection to gain access to data about their hours spent CSOs engaged in advocacy work have mobi- logged in to the application, the dispatch of rides lized subject access requests in this way against (including the logic behind the algorithms used organizations that are processing data unfairly. to assign these), and other information. Driv- As noted earlier, the Cambridge Analytica case ers need this data to demonstrate their status as cascaded from a single subject access request employees rather than freelancers, the actual made by one individual.12 Second, while the hours spent working, entitlement to minimum

11 GDPR Article 15 extending the access rights afforded to individuals under the GDPR’s predecessor, the EU Data Protection Directive 1995 at Article 12 and giving effect to the right to data protection as enshrined in the EU Charter of Fundamental Rights at Article 8. 12 “One Man’s Obsessive Fight to Reclaim His Cambridge Analytica Data,” Wired, Issie Lapowsky, https://www.wired.com/story/ one-mans-obsessive-fight-to-reclaim-his-cambridge-analytica-data/, January 25, 2019. 13 “Information Commissioner Throws Out Beny Steinmetz Complaint Against Global Witness,” Global Witness, https://www.global- witness.org/en/archive/information-commissioner-throws-out-beny-steinmetz-complaint-against-global-witness/, December 21, 2014.

18 Subject Access Requests: A Disruptive Tool wage, and other employee benefits. This will do not receive a clear explanation about how the be a test case in establishing workers’ rights in Schufa scoring system works or what information the United Kingdom’s growing “gig economy.” it uses. The Open Knowledge Foundation has So far Uber has responded by providing limited encouraged individuals to exercise their subject datasets to drivers who applied directly to access request rights and share the responses the organization. It has denied a number of received. This has allowed the foundation to requests lodged by lawyers representing driv- review the accuracy and fairness of the scoring ers on grounds including intellectual property system and to attempt to find out what kind of (the alleged need to protect the algorithms that data it uses. Based on its review, the foundation contribute to the function of the platform) and asserts that Schufa’s scoring system is prone to that the data sought may contain personal data error and may have relied upon inaccurate data belonging to other individuals (i.e., details of in some cases. The foundation is seeking further passengers’ rides).14 explanation as to the algorithm behind the scores. Schufa is at present refusing to provide individu- Subject access requests used als with free information by email, instead offer- to challenge algorithmic ing only hard copy responses by mail and limited decision-making bias information beyond the individual’s personal score. The German Federal Ministry for Justice The Open Knowledge Foundation in Germany and Consumer Protection has announced that launched a campaign in 2018 encouraging credit rating agencies should reveal their algo- individuals to make subject access requests to rithms, clearly explain these to consumers, and Schufa, Germany’s major credit rating agency. cooperate with civil society groups, journalists, Businesses and organizations rely on Schufa and researchers investigating the issue. The to determine an individual’s creditworthiness foundation’s campaign is ongoing but has been for receiving financial resources such as loans, successful in drawing public attention to the need credit cards, and mortgages. Many individuals for more transparency around the issue of credit have been subject to negative decisions made by scoring.15 lenders apparently based largely on the “personal scores” provided by Schufa. Individuals often

14 “Uber Drivers Demand Their Data,” GDPR Today, https://www.gdprtoday.org/uber-drivers-demand-their-data/; https://www. economist.com/britain/2019/03/20/uber-drivers-demand-their-data, March 25, 2019; “Uber Drivers Demand Their Data,” Economist, https://www.economist.com/britain/2019/03/20/uber-drivers-demand-their-data, March 20, 2019. 15 OpenSchufa: Die Ergebnisse (Updates), Arne Semstrott and Walter Palmetshofer, Open Knowledge Foundation Deutschland, https:// okfn.de/blog/2018/11/openschufa-ergebnisse/, November 28, 2018; Handlungsempfehlungen, Open Knowledge Foundation Deutschland, https://okfn.de/files/blog/2018/10/SVRV_HR-Verbrauchergerechtes_Scoring.pdf, undated.

19 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

In Finland, a data subject lodged a complaint Establishing the journalistic with the Data Protection Ombudsman about exemption in respect to subject the personal data relied upon in assessing their access requests creditworthiness by Svea Ekonomi—a financial Global Witness, a U.K.-based organization lending company. Svea Ekonomi provides an engaged in international anticorruption inves- online credit decision-making service that the tigation and reporting, has extensively covered ombudsman found to be an automated deci- the corruption and bribery scandal around BSG sion-making process for the purposes of Article Resources Limited’s mining holdings in Guin- 22 of the GDPR. According to the ombuds- ea.17 In 2014, the company’s founder, Beny man’s findings and in line with GDPR, infor- Steinmetz, and three others associated with mation about the decision-making process and BSG Resources made subject access requests an avenue for human intervention and review to Global Witness under Section 7 of the then must be provided to the data subject. It was Data Protection Act 1998 UK (DPA 98). also revealed that the scoring system used an Global Witness did not respond to these upper age limit in determining creditworthi- requests and the data subjects consequently ness, i.e., applicants of a certain age and older lodged complaints with the ICO and initiated were immediately disqualified from obtaining High Court proceedings for breach of privacy credit. In its decision, the ombudsman ordered and non-compliance with the DPA 98.18 that the company change its automated decision-making process, declaring that the use of Global Witness relied on the public interest a categorical age limit contravened credit-lend- journalism exemption within the DPA 98 (an ing laws and could not alone be used to deter- exemption grounded in the GDPR’s prede- mine an applicant’s solvency.16 cessor—the EU Data Protection Directive 1995) but BSG Resources argued that because Global Witness also undertook advocacy and campaigning work it was not strictly undertaking the processing for the purposes of journalism (i.e., there was a secondary purpose at play tied to Global Witness’ social and environ-

16 “The Data Protection Ombudsman Ordered Svea Ekonomi to Correct Its Practices in the Processing of Personal ”Data,” European Data Protection Board, https://edpb.europa.eu/news/national-news/2019/data-protection-ombudsman-ordered-svea-ekonomi- correct-its-practices_en, April 24, 2019. 17 “Guinea’s ’Deal of the Century,’” Global Witness, https://www.globalwitness.org/en/reports/guineas-deal-century/, May 13, 2014. 18 “High Court to Consider Data Protection Act Bid to Halt Reporting of Corruption Allegations,” Jason Coppel QC, Panopticon, https:// panopticonblog.com/tag/steinmetz-and-others-v-global-witness-limited/, February 10, 2014.

20 Data Protection and Civic Space mental justice initiatives) and so could not rely 4. Data Protection on the journalistic exemption. This argument, and Civic Space if successful, would have very serious conse- quences for the work of Global Witness and Over the past decade, philanthropic foundations other similar organizations.19 and other supporters of civil society organizations have become increasingly preoccupied The issue was deferred from the High Court with the way in which governments, laws, poli- 20 to the ICO for determination. The ICO cies, and right-wing think tanks have been push- confirmed that Global Witness could benefit ing back against progressive causes and social from the journalistic exemption, clarifying justice campaigns around the world. the scope of the exemption by making clear it applied not just to conventional media organi- Examples of the way civic space is impacted zations but also to civil society organizations include “philanthropic protectionism,” which engaged in journalism and public interest encompasses a raft of government-imposed reporting.21 Significantly, under the GDPR constraints on the ability of domestic civil EU member states are expressly required by society organizations to receive international Article 85 to reconcile data subjects’ rights funding; domestic laws regulating the activi- and data protection principles more broadly ties of non-profits more broadly (for example “with the right to freedom of expression and when governments impose onerous registration, information, including processing for journal- licensing, reporting, and accounting obligations istic purposes and the purposes of academic, on NGOs); and policies and practices imposing artistic or literary expression.” The “journalism restrictions on the rights to freedom of assem- exemption” under the GDPR and the relation- bly and association (for example by prohibiting ship between data protection and free speech demonstrations, using national security laws is discussed further below. to restrict mobilization, or militarizing police forces in the name of “public order”).22

19 It is worth noting that the journalistic exemption contained in the DPA 1998 was narrow—applying where personal data was processed only for special purposes, including journalism (see s 32(1)). The exemption offered in the current DPA 2018 widens the application of the exemption to instances where the processing is for special purposes, regardless of secondary purposes (see Schedule 2, Part 5, s 26(2)). 20 Through an application by Global Witness under a provision of the DPA 98 that allows a party subject to special purposes proceedings of substantial public importance to request assistance from the office. This provision has been replicated in the DPA 2018 at s 175. 21 “Information Commissioner Throws Out Beny Steinmetz Complaint Against Global Witness,” Global Witness, https://www.global- witness.org/en/archive/information-commissioner-throws-out-beny-steinmetz-complaint-against-global-witness/, December 21, 2014. 22 “UK Data Office Says NGO Has Journalist Exemption, Rejects Steinmetz Claim,” Reuters, https://www.reuters.com/article/datapro- tection-steinmetz-idUSL6N0U61HE20141222, December 22, 2014.

21 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

Europe is clearly far from immune from these In this section, we provide some examples of the trends—a wide array of new laws, administrative ways in which data protection laws have been powers, and other tactics are being deployed by abused, how civil society is pushing back, and a growing number of EU member states in order places where tensions arise. Ultimately, like to apply pressure to and interfere with the work many laws, the GDPR is vulnerable to abuse of civil society organizations. We were aware of and—like other human rights provisions subject cases in which data protection laws were being to “balancing” tests—open to restrictive inter- used to try and force investigative journalists who pretation. GDPR expertise, vigilance, solidarity, had exposed political corruption to reveal their and advocacy are needed to address these threats. sources. Because of cases like these, we wanted to explore whether and how data protection laws Romania: GPDR enforcement might be adding to this new generation of restric- threatens media freedom tions on activism. As a human rights organization, In Romania, the national data protection author- we were also interested in the way in which data ity attempted to enforce the GDPR against protection laws can be used by civil society to journalists from the RISE Project (footnote 23) push back against encroachments on civic space. who had reported on alleged high-level politi- The assumption is that by providing civil soci- cal corruption. RISE supported their claims by ety organizations with legal tools that may publishing, among other data, photos and videos be used to enhance corporate accountabil- of individuals allegedly involved in the corrup- ity and check surveillance capitalism, EU tion. data protection law is very much a win in Shortly after this material was released, the terms of the “enabling environment” for Romanian data protection authority sent RISE a civil society activism. However, in our conver- letter23 demanding details of sources, access to sations with those who participated in our data, and an explanation as to why the subjects research, it also became clear that there are of the story were not informed about the leaked tensions between data protection and other key personal data prior to publication.24 RISE was legal instruments that civil society relies upon in threatened with a fine of up to 20 million euros its work and aspirations. in case of non-compliance with the request, but

23 English Translation of the Letter from the Romananian Data Protection Authority to RISE Project, OCCRP, https://www.occrp.org/ en/16-other/other-articles/8876-english-translation-of-the-letter-from-the-romanian-data-protection-authority-to-rise-project, November 9, 2018. 24 Purportedly relying on Articles 57, 58 and 14 GDPR; OCCRP Strongly Objects to Romania’s Misuse of GDPR to Muzzle Media, OCCRP, https://www.occrp.org/en/40-press-releases/presss-releases/8875-occrp-strongly-objects-to-romania-s-misuse-of- gdpr-to-muzzle-media, November 9, 2018.

22 Data Protection and Civic Space responded by declining to reveal its sources as tial function of a free, open, and democratic this would be a violation of an integral part of their society and must be duly protected. The appli- work as journalists and of freedom of expression. cation of the GDPR must also be consistent with RISE defended not informing the subjects prior the European human rights framework includ- to publishing because the material was presented ing the EU Charter of Fundamental Rights and for journalistic purposes and was reporting on the European Convention on Human Rights.27 a public authority figure. RISE maintained its The Romanian Association for Technology and decision was in line with the exceptions to certain Internet also sent a letter to the data protection requirements of the GDPR as provided by Roma- authority together with other Romanian civil nian law.25 As of the date of publication of this society organizations addressing these same report, the Romanian data protection authority issues and suggesting that there was a political has not yet responded to RISE. motive behind the action against RISE.28 Other civil society groups stepped in publicly In January 2019, the European Data Protec- to call out what in their view is a clear misap- tion Board replied to Privacy International, plication of the GDPR. Privacy International, commenting strongly on the Romanian data European Digital Rights, the Romanian Associ- protection authorities’ actions, advising that: ation for Technology and Internet, and 15 other digital rights organizations sent a letter26 to the • the exercise of a protection authority’s European Data Protection Board, the European powers in the protection of personal data must be balanced against other equally Commission, and the Romanian data protection important fundamental rights including authority expressing concern that the GDPR was freedom of the press; being used to threaten media freedom in Roma- nia. Supported by Article 85 and Recitals 4 and • under Article 85 of the GPDR, it is the 153 of the GDPR, the groups argued that the responsibility of member states to reconcile the rights to freedom of expression and protection of personal data must be balanced information with data protection in national against the freedom of information and expres- implementing legislation and this must also sion and that investigative journalism is an essen- align with the decisions of the EU Court of

25 Article 7 of Romanian Law 190/2018 excludes certain data processing from compliance with the transparency requirements of GDPR Articles 13 and 14. 26 See https://privacyinternational.org/sites/default/files/2018-11/letter%20to%20EDPB%20re%20Romanian%20case%20final. pdf 27 Data Protection Law Is Not a Tool to Undermine Freedom of the Media, Privacy International, https://privacyinternational.org/advocacy-briefing/2455/data-protection-law-not-tool-undermine-freedom-media, November 21, 2018. 28 Freedom of Expression Must Be Properly Understood in the Context of the Protection of Personal Data, Bogdan Manolea, ApTI, https:// www.apti.ro/libertate-de-exprimare-trebuie-inteles-corect-context-date-personale, November 13, 2018.

23 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

Justice and the EU Court of Human Rights; government website. Civil society organiza- • the data protection authority’s powers must tions that fail to register can be penalized finan- be exercised in a proportionate manner, cially or shut down. including in the application of fines; and In August 2017, the Hungarian Helsinki • judicial remedies are available at a European Committee and the Hungarian Civil Liberties level against decisions of data protection Union together with 12 other NGOs lodged a authorities per Article 78.29 complaint with the Hungarian Constitutional Court arguing that the Foreign Funding Law’s Hungary’s foreign funding law motive is to stigmatize, create public distrust, and interfere with or abolish these civil society In June 2017, the Hungarian Parliament organizations and the work they do. Follow- adopted the Law on Transparency of Orga- ing a lack of action by the Hungarian Consti- nizations Supported from Abroad, also tutional Court, in December 2017 the NGOs known as the Foreign Funding Law, which submitted an application to the European requires civil society organizations to register Court of Human Rights. as “Foreign Funded Organizations” where they are engaged in humanitarian and social In their submission, the NGOs included a data change work and are receiving the equivalent protection argument that the Foreign Funding of 22,000 euros or more from sources outside Law’s requirement to disclose and make public Hungary. This requirement applies regardless the personal data of individual donors (includ- of the percentage of total funding the foreign ing the name, country, and city of foreign funds make up. Those civil society organiza- donors) violates the right to privacy enshrined tions are required to display this classification in the European Convention on Human 30 on all materials they publish. They are also Rights. The NGOs also referenced Article 9 required to report in detail on the sources of of the GDPR, which prohibits the processing of their funding including individually naming special category data such as political opinions and providing location details of the donors and religious or philosophical beliefs, since it outside Hungary who individually contribute is inevitable that publishing the personal data the equivalent of 1,600 euros, with the list of individuals who support NGOs subject to of these donors made public on a Hungarian the Foreign Funding Law will publicly reveal

29 EDPB Reminds National Data Protection Authorities to Exercise Their Powers Proportionally and in Respect of Fundamental Rights, Privacy International, https://privacyinternational.org/blog/2713/ebpb-reminds-national-data-protection-authorities-exercise-their-powers-proportionally, February 13, 2019; See https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_letter_to_civil_society_organi- sations_on_romanian_dpa_investigation_en.pdf. 30 ECHR Article 8 provides the right to private and family life, home, and correspondence.

24 Data Protection and Civic Space some of this special category data (i.e., their Estonia: Data Protection is used to political leanings). harass a human rights NGO Article 9 of the GDPR does include some legit- In November 2017, a complaint against imate derogations where the processing is for the Estonian Human Rights Centre (EHRC) reasons of substantial public interest, propor- was made with the national Data Protection tionate to the ends being pursued, respectful Authority. It related to UNI-FORM, a tool of the “essence” of the right to data protec- for reporting incidents of hate crime against tion, and subject to suitable safeguards.31 The LGBT+ persons developed by a Portugese Hungarian Helsinki Committee filings argue NGO. The EHRC was in a partnership with this that the Foreign Funding Law has no propor- Portugese NGO in an EU project.34 tionate or legitimate aim to support such an Initially, the local anti-gay activists – SAPTK, interference with personal privacy. Nor does it a very successful Estonian branch of the have a legal basis under the GDPR; in a demo- anti-progressive movement, Tradition, Family cratic state, there is no justification to make and Property – started spreading false infor- and publish a list of individuals who support mation about the tool. SAPTK argued that 32 certain organizations. the tool would be used to create a database In July 2017, the European Commission of homophobes and initially spread this false launched an infringement procedure against information on their own portal. The website Hungary in relation to the funding law. A letter of the far-right EKRE party also published the of formal notice was issued, beginning the information. When SAPTK failed to spread proceedings and inviting Hungary’s response. the false information about UNI-FORM into Hungary has responded to the notice advising the mainstream media, they submitted a that the government intends to maintain the complaint to the Estonian Data Protection Foreign Funding Law.33 Authority, which started an investigation on the basis of its supervisory powers under the Personal Data Protection Act in force at the time, which has now been replaced by a new

31 GDPR Article 9(2)(g). 32 What Is the Problem with the Hungarian Law on Foreign Funded NGOs?, Hungarian Helsinki Committee, https://www.helsinki.hu/ wp-content/uploads/What-is-the-Problem-with-the-Law-on-Foreign-Funded-NGOs.pdf, October 9, 2017. 33 The Government’s Response to the European Commission: The “Stop Soros” Bill Is Here to Stay, Hungarian Ministry of Justice, http://www. kormany.hu/en/ministry-of-justice/news/the-government-s-response-to-the-european-commission-the-stop-soros-bill-is-here- to-stay, September 19, 2018. 34 https://uni-form.eu/welcome?country=EE&locale=en

25 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance national law enacting the GDPR. The EHRC ety organizations to publish the personal data was approached for an explanation by the Data of certain donors, ostensibly to make public Protection Authority. the financial influence being exerted on these organizations, which can indicate their moti- As a result of these proceedings, the main- vations and purposes. Specifically, the draft stream media became interested in the act is intended to expose and prevent civil story and started to cover it, which meant society organizations from being associated the EHRC had to engage in crisis communi- with “undesirable influences and the abuse of cations to defuse the situation. They had to democratic freedom.”35 Among other details, submit corrections to news outlets and work to the names and cities of residence of donors contain the story (reasonably successfully). whose donations total 15,000 euros or more Fortunately, the EHRC had strong in-house per year are to be published. Failure to comply data protection expertise and was prepared with this requirement would result in financial to expertly respond to the Data Protection penalties against the organization. Authority’s investigation. It nevertheless caused stress among the NGO’s employees While the Explanatory Memorandum accom- and supporters for several months, requiring panying the draft act indicates that European them to reallocated resources to crisis commu- human rights laws were taken into account in nications and redirect attention from their the drafting process, the draft act‘s require- substantive work and other pressing issues. In ments would still impinge upon donors’ the end, the Data Protection Authority closed rights to privacy and the protection of their the investigation in April 2018 because they personal data. This would put individu- could not identify any concrete instances of als in a position where they have to choose data protection violations. between making donations of this scale or protecting their private information. If made Going Dutch into law, the draft act would make it impossible to give donations of 15,000 euros or more In December 2018, the Dutch Government anonymously to Dutch civil society organiza- published the Draft Act on the Transparency tions. Clearly, this could have a drastic impact of Civil Society Organizations, which is simi- on the level of funding available to organiza- lar in character to Hungary’s Foreign Funding tions working on contentious or divisive social Law. If passed, this would require civil soci- issues, as well as putting donors at risk of harm

35 Draft Bill on Transparency of Civil Society Organizations: Foundations and Associations Must Publish Donations and Financial Data, Meijburg & Co Tax Lawyers, https://meijburg.com/news/draft-bill-on-transparency-of-civil-society-organizations-foundations-and-associations-must-publish-donations-and-financial-data, January 11, 2019.

26 Data Protection and Civic Space by exposing their personal data. Given the tance, it will at times be necessary to make current political climate in Europe, this must public the personal data of particular indi- be seen as a genuine threat. viduals, for example in documenting alleged corruption or abuses of power in connection Civil society actors responded quickly to the to the behavior or actions of public figures or call for consultation on the draft act. Among the discharge of public duties. It is necessary to others, the European Center for Not-for-Profit balance the two rights to ensure that personal Law, the European Foundation Centre, the data is protected appropriately and that infor- Donors and Foundations Networks in Europe, mation is made publicly available. and Data Protection Support & Manage- ment all provided commentary highlighting In the context of freedom of information, how the requirements of the draft act interfere achieving this balance requires the separation not only with the fundamental rights of donors, of personal data from information that serves but also with the free movement of capital and a key issue or that people are entitled to have. the right to funding enjoyed by civil society The boundaries of this endeavor are being organizations. interpreted by national courts and where interpretation of the GDPR itself is concerned, the Freedom of information and EU courts. These courts are also interpreting data protection the rights that individuals have over data that has been published by others, particularly in The right to freedom of information forms an the context of the “right to be forgotten” codi- integral part of the right to freedom of expres- fied by the GDPR. The EU courts have recently sion. Freedom of information is grounded in established some important precedents on the principle that information held by govern- these issues. ments and public bodies should be freely available, in the interests of increasing account- In the ground-breaking “Google Spain” ruling ability and rendering internal practices and in 2014, the Court of Justice of the European decision-making processes transparent. Such Union found in favor of a Spanish national information may only be withheld and kept who had brought an action against Google to private in circumstances where there are legit- have search results about him removed from imate reasons to protect it, e.g., in the interests the search engine’s index. The search results of protecting privacy and security, both of indi- related to legal proceedings brought against viduals and the state. There is therefore neces- the individual years prior regarding social secu- sarily tension between freedom of information rity debts – their appearance in search results and the right to the protection of personal data. was impacting his reputation, his position was To expose information that has public impor- that the proceedings had been resolved and

27 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance were no longer relevant and should therefore In 2017, the EU Court of Justice found that be removed from search results. The individual in some circumstances, the public’s right to initially made a complaint to the Spanish Data know certain information will override the Protection Authority, which held that operat- individual’s right to privacy, even where this ing the internet search engine made Google a has a negative impact on the individual. An data processor subject to data protection laws, Italian citizen who was director of a liquidated including the exercise of data subject rights company sought to have his personal data and the protection of the individual’s right to removed from the public register of companies privacy. The matter eventually came before in Italy. He requested this on the basis that the the EU Court of Justice, which confirmed that indexing of his personal data here had a nega- Google’s Spanish subsidiary was a data control- tive impact on his ability to sell properties and ler in this context and that the central issue a sufficiently long period of time had passed to be determined was the balance between since the company’s liquidation. The court the public’s right to access this information decided that, in this case, the public’s right to against the individual’s right to privacy and the know this information was sufficient justifica- protection of personal data. The judgment tion for the individual’s name to remain on the found that in this particular case the indi- register. The personal impact this had on him vidual’s right to privacy trumped the search was not a sufficiently overriding reason to bar engine’s right to index the results. The court, public access to the data.37 however, noted that in general this balance In weighing the importance of data protection will depend on the nature of the information in against the EU Regulation on Public Docu- question and the interest of the public in having ments—the EU’s equivalent of a freedom of access to that information—which will vary information act—the court has taken an equally depending on the circumstances, particularly robust stand, endorsing the use of data protec- where the data subject plays a role in public tion as a means to restrict access to documents. life. Notably, the judgment did not require the Transparency International, a global anticor- actual sources of information that the results ruption NGO, has spent many years seeking linked to (newspaper articles and media publi- information about the spending of public cations) to be removed.36 funds by members of the EU Parliament on

36 Google Spain SL v Agencia Española de Protección de Datos, Columbia Global Freedom of Expression, https://globalfreedomofexpression. columbia.edu/cases/google-spain-sl-v-agencia-espanola-de-proteccion-de-datos-aepd/, undated. 37 Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v Salvatore Manni, Columbia Global Freedom of Expression, https:// globalfreedomofexpression.columbia.edu/cases/camera-di-commercio-industria-artigianato-e-agricoltura-di-lecce-v-salvatore-manni/, undated.

28 Data Protection and Civic Space travel and general allowances. The European Freedom of expression Parliament responded to its request for access Freedom of expression is a cornerstone of to the relevant documents by declining to democratic society that protects journalism, provide the information sought on a number research, and artistic expression—ensuring of grounds centered around data protection that information flows to the public and that arguments. Parliament representatives stated private entities and public institutions and that releasing this information would compro- figures are held to account for their actions. mise the privacy and protection of parliament The principles of both privacy and transparency members’ personal data. The parliament found are crucial in carrying out reporting, research, that that there was no justification for sharing and investigation in this context. On one hand, such personal data with Transparency Interna- the right to privacy and data protection shields tional, holding that the public interest in want- sources, allowing for sensitive information to ing to scrutinize public spending and assess the be shared without fear of retaliation or repri- parliament’s control mechanisms in this arena sal, and ensures that secure communication was “too abstract” to be considered a sufficient channels are available for the transfer of infor- 38 reason to transfer the information. Transpar- mation. On the other hand, the purpose of ency International disagreed strongly with this this work is to expose and make known response and brought the matter before the EU otherwise confidential information that should Court of Justice. In September 2018, the court be in the public domain. Investigative jour- found that the EU Parliament is indeed entitled nalism and research are ultimately directed 39 to withhold this information. toward ensuring greater transparency and accountability, yet at the same time they rely on the right to privacy and data protection principles in order to do this work. In recogni- tion for the need to find balance between the exercise of these rights, the GDPR requires member states to enact legislative measures that reconcile freedom of information and expression with the right to the protection of

38 “The General Court Confirms the Parliament’s Refusal to Grant Access to Documents Relating to MEP’s Subsistence Allowances, Travel Expenses and Parliamentary Assistance Allowances,” General Court of the European Union, Press Release 138/18, https:// curia.europa.eu/jcms/upload/docs/application/pdf/2018-09/cp180138en.pdf, September 25, 2018. 39 “ECJ Rules against MEP Expenses Transparency,” Transparency International EU, https://transparency.eu/ecj-rules-against-mep-expenses-transparency/, 25 September 2018. 29 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance personal data.40 Member states must exempt inform the European Commission as to their data processing undertaken for journalistic, implementation of Article 85.43 The Council of academic, literary, and artistic purposes from Europe published Guidelines on Safeguarding some of the provisions of the GDPR to the Privacy in the Media in late 2018. The guide- extent that these would interfere with carrying lines address the balance between the right to out those purposes.41 privacy and freedom of expression and serves as a useful manual for operating within the EU While the exemption is to be interpreted human rights framework. broadly in national implementing legislation,42 these exemptions do not provide a data A recent decision by the EU Court of Justice protection “free pass”—personal data must has consolidated the scope of application be still be stored and managed securely as all of the journalistic exemption, finding that a member states have other regulatory require- layperson engaged in blogging (on YouTube ments that will apply to the operations and data in this case, but likely also on other platforms management procedures of media outlets and like Twitter and Facebook, etc.) can rely on the academic researchers (e.g., professional codes protections designed for the media.44 In the of conduct and ethics, industry standards, YouTube case, an individual filmed his interac- copyright, and libel must all be taken into tion with police officers at a local police station account). Because of the wide scope for dero- and later published the video to YouTube in gation given by the wording in the GDPR, these order to make public the alleged illegal conduct exemptions will apply differently depending on of the officers. While the decision was made in how they are made into law in each member relation to the EU Data Protection Directive state. It is important for civil society organi- 1995, the exemption provisions of the GDPR zations engaged in this work to consult their are very similar and in fact broader, to the relevant national implementing legislation to extent that journalism must only be a purpose determine the precise scope and application of of the processing,45 not the sole purpose of the the exemptions. At this stage, only 18 out of 28 processing.46 The decision shows a willingness member states have fulfilled their obligation to of the court to interpret the journalistic exemp-

40 GDPR Article 85, which reinforces the exemption that existed in the GDPR’s predecessor, the Data Protection Directive 1995 at Article 9. 41 Article 85 GDPR. 42 Recital 153 GDPR. 43 See https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu/eu-countries-gdpr-specific-notifications_en. 44 Judgment of February 14, 2019, Buivids, C-345/17, ECLI:EU:C:2019:122. 45 GDPR Article 85(1). 46 Data Protection Directive 1995 Article 9.

30 Data Protection and Civic Space tion broadly and can be considered a win for ment, and nuclear safety laws. The directive freedom of expression. The broader implica- does this by creating higher and new standards tions are that individuals who publish personal of protection for whistle-blowers against retal- data for the purpose of journalism may be able iation from employers and other actors. The to benefit from the exemption without neces- provisions include (i) creating new reporting sarily being tied to a professional outlet, but pathways—establishing a system of safe chan- again this will depend on how member states nels for reporting within an organization and to choose to interpret Article 85.47 public authorities; (ii) establishing safer reporting channels—whistle-blowers may disclose to Whistle-blower Directive (and data) authorities directly where reporting internally could jeopardize later investigation or put the In the wake of the LuxLeaks, Panama and Para- individual at risk of retaliation, or to the media dise Papers, Cambridge Analytica, and Diesel- where the organization or public authority gate scandals, the European Commission put fails to take timely action and (iii) preventing forward a legislative proposal in April 2018 to retaliation—providing protection in judicial extend the protections afforded to individuals proceedings and against dismissal or demotion reporting breaches of EU law. Prior to this, the by employers. EU member states must now protections for whistle-blowers across member align their existing laws or enact new ones states were fractious, covering only specific that implement the directive’s requirements. sectors or offenses, with many states lacking They will also be required to inform citizens any comprehensive protection framework at all. of whistleblowing procedures and protections In early 2019, the EU Parliament and Council available to them. reached provisional agreement on the content of the proposed Whistle-blower Directive—a significant step forward in protecting whistle-blowers and a great achievement by civil society advocates. The directive is designed to encourage individuals across public and private organizations to report breaches of money laundering, corporate taxation, data protection, privacy, food, product, environ-

47 In France, for example, data protection laws stipulate that only professional journalists (defined by French case law as someone working for a media company) may rely on the exemption. It is therefore imperative that civil society organizations seeking to rely on this exemption are familiar with their national legislation implementing the GDPR.

31 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

There are several issues where civil society While we do not have the depth of data to be organizations will be looking closely at the certain, it appears that at least some civil soci- implementation of the directive. First, it must ety organizations have over-complied with be ensured that civil society organizations are elements of the GDPR—for example by delet- recognized as legitimate reporting pathways ing significant amounts data or conducting for whistleblowers. Second, it should be estab- impact assessments unnecessarily. Among lished that civil society organizations have a those NGOs we talked to that did over-comply, legitimate basis for processing whistle-blower we were not surprised to find the most egre- data, in the same way that public institutions gious instances in countries where govern- and bodies do. Regardless of how the directive ments are harassing civil society organizations. is implemented, all organizations processing Civil society may also have set a higher bar for whistle-blower data must still apply basic data compliance because of a perceived need to protection principles to the datasets.48 meet the highest standards in terms of “good governance” at least as compared to other societal actors. Data protection service provid- 5. Conclusions ers leveraging fears about non-compliance to attract business and media hype around 5.1 Compliance is viewed as a some of the GDPR’s requirements may have chance to lead by example, but been another reason for over compliance. compliance challenges are real This scenario was likely compounded by a lack of clear guidance for non-profits from Compliance is viewed by many organizations many data protection supervisory authorities. as being in line with their organizational values, While some civil society organizations have and a chance to become more data literate evidently over-complied, others have led by and lead by example in how to govern data example taking a risk-based and proportion- responsibly. However, it is resource intensive ate approach and ignoring what they consid- and often requires the engagement of external ered to be conservative advice by commercial service providers. This can result in resources consultants. For example, they decided not being diverted away from programmatic work. to seek consent for the use of contact details This is particularly challenging for civil soci- for communication with public officials. Had ety organizations that are under pressure to they followed the advice, the organization’s minimize overheads relative to the money they ability to communicate with policymakers—a spend on achieving their mission.

48 The European data protection supervisor has produced guidance for EU institutions on how they should process whistle-blower data, providing safeguards and advice that all organizations processing such data are encouraged to rely upon.

32 Conclusions core part of its mission—would have been may face significant challenges. These NGOs seriously restricted. Yet others have taken may face difficulties such as establishing a a “wait-and see” approach before investing clear legal basis for processing and implement- significant resources in data protection or ing appropriate safeguards for data subjects, their IT infrastructure. As more examples of achieving an adequate level of transparency good compliance become available over time, around their data processing operations, and and as data protection authorities and courts implementing appropriate technical and orga- provide clarity on key issues, developing and nizational measures. Organizations working on maintaining good data governance practices the assumption that because their work is in the should become easier. public interest the associated data processing must be legitimate could easily find themselves 5.2 Compliance for programmatic in breach of the GDPR, depending upon the activities may be more jurisdiction in which they operate. While it is challenging than compliance for clear that the letter and spirit of the GDPR seek operational ones to preserve freedom of expression and facili- Although many organizations have addressed tate research in the public interest, much is left the more visible data protection challenges to EU member states in terms of implementa- with regards to the operational part of their tion. It is therefore imperative that civil society work, few of the organizations that we spoke organizations are confident about their status to appear to have mainstreamed data protec- and position under both national and EU law. tion compliance into their programmatic data processing activities. This is significant because 5.3 Subject access requests have the biggest data protection challenges for not yet been widely weaponized data-intensive social justice and human rights against NGOs organizations may be the programmatic activ- One of the main questions we investigated is ities rather than operational ones. The collec- whether the GDPR leaves NGOs exposed to tion of sensitive personal data about issues action by vexatious and litigious adversaries and such as human rights abuses, corruption cases, has implications for what is now widely recog- and right-wing activism could be a liability as nized as the “shrinking space” for civil society. well as an asset for civil society organizations This question is particularly relevant as risks with powerful adversaries. NGOs providing for NGOs are growing in an increasingly polar- research support services to investigative jour- ized world in which human rights and social nalists who may not be able to rely on the jour- justice advocates are targeted by both repres- nalistic or research exemptions in the GDPR sive governments as well as right-wing activists.

33 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

In our research, we did come across attempts how the GPDR applies specifically to their work. by hostile governments and groups to use data The European Union has prioritized outreach protection law against NGOs, for example to and support to small and medium-sized enter- prevent NGOS from publishing or distributing prises but has apparently not yet considered the information revealing illegal activities. Though challenges faced by non-profit organizations. suppression efforts have been unsuccessful In the absence of clear guidance and support, to date, they have in some instances created civil society organizations that want to ensure significant legal hurdles for NGOs. In explor- they are compliant are disproportionately ing whether subject access requests are being burdened—at least as compared to the business “weaponized” against NGOs, we have not found community—and left with little option but to this to be a serious threat yet. We only came expend scarce resources on expert advice. The across one instance where an NGO received situation is unlikely to change unless political numerous requests (following a data breach) demands are placed on national and EU data that they believe were an attempt to disrupt protection authorities and resources are made their work. However, we remain concerned available to support data protection compli- that NGOs may be vulnerable to weaponization ance in the non-profit sector. attempts, especially where they have failed to establish a clear legal basis and specific purpose 5.5 The interpretation of national and for processing the data they hold, or to imple- EU data protection law will have a ment the requisite safeguards. significant impact on an “enabling environment” for civil society 5.4 Data protection authorities While data protection laws may be used to try currently do not provide and limit free speech and expression, partic- satisfactory guidance for ularly in the context of investigative journal- or support to civil society ism and anti-corruption and human rights organizations activism, data protection is also a core part of Our survey suggested that many civil society the enabling environment for civil society. It organizations are dissatisfied with the guid- allows civil society groups to challenge egre- ance that has been provided by their national gious practices in the private sector and push data protection authorities and have faced back on egregious practices and data monop- significant difficulties in obtaining free and olies. Crucially, because of the intersection relevant advice. While generalized compliance between data protection and other tools and resources are available, civil society organiza- constructs on which civil society depends— tions have many unanswered questions about such as freedom of expression, freedom of

34 Conclusions association, freedom of information, access to face increasingly well-resourced adversaries, financial services, and effective whistle-blower the risks of “hacking,” “doxing,” surveillance, protection—the way that data protection law is subversion, and disruption are growing. While interpreted by supervisory authorities and the different organizations face different threats courts will inevitably extend or constrain civil and levels of risk, good data protection prac- society space in subtle but vitally important tices including technical and organizational ways. Almost all sectors of the economy sent measures to prevent unauthorized access professional bodies, trade associations, and to personal information are a critical line of lobbyists to Brussels in an attempt to ensure defense against malevolent actors. that the GDPR did not affect business as usual while civil society simply pushed for a high bar 5.7 Links between the responsible of data protection, including by pushing back data, digital security, and data against these private interests. As issues that protection communities need to affect the space and means for civil society to be strengthened operate, advocate for social justice, and hold Data protection is but one of several core the powerful to account are legislated and digital challenges that civil society has faced interpreted, it is imperative that civil society in recent years. However, these challenges considers its own interests as well as those of are being addressed in a rather disjointed others it seeks to defend. manner. The Snowden revelations and the ramping up of surveillance and political polic- 5.6 GDPR compliance and ing have catalyzed significant investment organizational resiliency are in digital security on the part of numerous intimately linked NGOs and funders. At the same time, as civil Because of the link between legality of process- society organizations seek to enhance their ing and vulnerability to vexatious litigation, impact, many have invested in using data more GDPR compliance and organizational resil- effectively and responsibly to support their iency are deeply intertwined. At a more general investigations, campaigns, and other objec- level, regardless of the areas in which particular tives. Data protection compliance was added civil society organizations work, data breaches to the mix somewhat later as the 2018 GDPR or poor data protection practices can also lead deadline approached. to costly enforcement actions by data protec- Strengthening the links between these tion authorities, as noted in our case studies. communities will be critical going forward. In an increasingly polarized world in which The core data protection principles provide a human rights and social justice advocates logical basis around which to orient new data

35 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance programs and innovations (see best practice ing the programmatic operations will make section at Annex 1). Good digital security and organizations more resilient in the face of data hygiene can go a long way in ensuring that significant risks to their operations from organizations implement technical and orga- malpractice. This is far from easy to achieve nizational measures to meet their data secu- and requires attention by NGO leadership and the securing of resources for this effort. rity obligations, which are an integral part of Ultimately, NGOs will not be able to achieve data protection compliance. By considering GDPR compliance if is not prioritized and data protection as something to be achieved in adequately funded. practice rather than something with which to comply, civil society organizations will be much • NGO leaders should educate themselves and better placed to address compliance challenges dedicate resources to supporting their staff in implementing and designing GDPR-compli- in their programs and operations, and meet the ant practices. accountability requirements that the GDPR contains. This will require program staff, data • Umbrella organizations in the non-profit specialists, information and communication sector should mainstream data protection technology service providers, and compliance into their thematic and operational work by officers to work together from the outset of new addressing policy matters and providing their members with practical tools to meet sectoral initiatives, which may in turn require a cultural compliance challenges. shift within particular organizations.

For funders

6. Recommendations • In the short term, funders should think of their grantees’ organizational resilience and GDPR For Non-Governmental Organizations compliance as intimately linked. In practice, this means that donors need to add data protec- • Data intensive civil society organizations tion compliance to the list of criteria used to should review their data gathering opera- determine organizational resilience and make tions to ensure that they comply with the flexible institutional funding available to help GDPR. The best practice section at Annex their grantees with GDPR compliance. They 1 below can serve as a starting point. Civil should also support data-intensive social society organization leadership should in justice and human rights NGOs to pair up with turn properly factor GDPR compliance into GDPR compliance experts to work through their risk assessment for the organization. some of the particularly thorny compliance • Ensuring data protection is mainstreamed questions in a set of diverse contexts, and into all data processing operations includ- support a living best practice document and

36 Methodology

forum where NGOs can find answers to dom of association, freedom of expression, and their questions. freedom of information with a view to ensuring an enabling environment for civil society in the • Over the mid-term, funders need to create a European Union. more holistic support infrastructure for civil society integrating expertise in data protection, responsible data, and digital security. It is, for example, imperative that the experts making 7. Methodology up this support infrastructure follow and This report is the product of three substantive engage in debates about the ongoing interpre- research efforts: (i) desk research and the analysis tation of data protection provisions that affect of guidance on the implementation of the GDPR civil society and its operational activities. The responsible data community, given its found- available to non-profits; (ii) a survey canvassing ing principle of a rights-based approach to the views of non-profits on their experience of data, has an important role to play in fostering complying with the GDPR; (iii) semi-structured connections between these communities of interviews with representatives of non-profits on experts. Increasingly, this infrastructure will GDPR-related topics. need to concern itself with the role data grant- At the beginning of the project, we also spoke ees are exposed to on a day-to-day basis and with various interlocutors and stakeholders, how it creates harm (e.g., secondary trauma) including data protection bodies and umbrella and creates an additional risk for organizational resilience. organizations representing non-profits and civil society groups. The goal was to ascertain interest in the project, validate our approach, For data protection authorities and seek assistance in the distribution of the • In consultation with NGOs, the European survey and the identification of potential Data Protection Supervisor, and national respondents. We also used the conversations Data Protection Authorities should support the to develop the questionnaire, frame specific drafting of a dedicated data protection hand- questions, and pilot the survey. book for civil society organizations. Through the survey and follow-up interviews, • Supervisory authorities must be made to we wanted to know about the investments of refrain from using data protection laws to time and money that organizations have made unduly restrict the activities of civil society in complying with the GDPR. We also wanted organizations. The European Data Protection to learn about the issues that they struggled Supervisor and the EU Agency for Fundamen- with, how they felt about available guidance, tal Rights should provide updated guidance on where they looked to for help with this work, the relationship between data protection, free-

37 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance how the GDPR affected specific areas of dents but are satisfied that this is a represen- work (advocacy, grant making, research and tative sample of target organizations with investigation). Another area of our inquiries legitimate concerns and experiences. was whether NGOs and civil society groups Our sample is biased in the following ways, had been subject to enforcement actions or which should be taken into account when received subject access requests, and whether reading the report: most of our respondents they deemed these to be vexatious or malicious. are small NGOs, i.e., around half of the respon- In the survey, we also left room for qualitative dents have 1 to 10 employees and only 4 have responses. The survey is reproduced in full in more than 50 employees. Twelve respondents Appendix 1. are grant makers, the majority are grant seek- We sent the survey directly to organizations ers, and a small number do both. Almost all within the networks of our organizations. We respondents (47) are headquartered in the also approached foundations and umbrella European Union, with the highest number organizations to help disseminate the survey based in Belgium, the Netherlands, and the including Ariadne—the European network of United Kingdom. We also have good repre- funders supporting social change and human sentation from groups in Eastern Europe, but rights—and civil society support organizations groups from Southern Europe and the Nordic such as the European Centre for Non-Profit countries are largely absent from our sample. Law. Lastly, we distributed the survey via social As most of our survey respondents are advo- media and in GDPR Today.49 cacy organizations, we aimed to correct for this Our goal was to reach Europe-based NGOs or bias in our sample by conducting post-survey NGOs that worked internationally but were interviews with respondents working in other subject to the GDPR because they were very areas and general information gathering inter- likely handling the personal data of Europeans. views with eight other civil society organizations. These were all data-heavy organizations The survey was open from late January until engaged in substantial investigation, research, early March 2019. We received responses from and documentation into human rights and 52 civil society organizations, the majority of social justice issues. Through these semi-struc- which are advocacy organizations working in tured interviews, we were able to follow-up on human rights and social justice (only two iden- survey responses and ask people specific ques- tify as research and education organizations). tions about issues of interest. We had hoped to get a larger pool of respon-

49 “GDPR’s impact on the non-profit sector: seeking your input,”GDPR Today, https://www.gdprtoday.org/gdprs-impact-on-the-non- profit-sector-seeking-your-input/, January 28, 2019.

38 Methodology

One word on terminology: We are using the terms non-governmental organizations (most commonly referred to as “NGOs”), non-profit organizations, and civil society organizations interchangeably throughout this report.

39 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

Annex 1—Complying with KEY STEPS FOR CIVIL SOCIETY ORGANIZATIONS TO TAKE the GDPR: Best Practices for • AUTHORIZE someone to implement and Civil Society Organizations monitor data protection compliance and When we created this report, we envisaged ensure they have the support and buy-in producing a best practice section based from the rest of the organization. on the responses to the survey and the discus- • KNOW what data you hold, what you are doing sions we had with key respondents. In prac- with it and why—this can be achieved by creat- tice, these conversations yielded more ing and regularly updating a data processing questions than answers. We therefore decided inventory. to take a practical and sector-specific approach • ASSESS the risk level (for both the organization to compliance issues where there still appears and data subject) of each processing activity and to be a lack of clarity for civil society orga- the overall data operations of the organization. nizations. Our best practice section is still • PRIORITIZE compliance efforts based on the based primarily upon the outcomes of the level of risk. survey, addressing the key issues identified by multiple respondents, those that arose during • IMPLEMENT the core data protection principles using the following steps: the course of the post-survey interviews we conducted, and some of the gaps identified in − have a legal basis for each processing activity; the existing guidance. − only collect, hold and process data that is demon- Rather than restating existing regulatory author- strably necessary—each processing activity must have a purpose and the data you process must be ity or general advice, the purpose of this section is tied to that purpose. The common sense applica- to share knowledge and build upon the information of this principle is to only process data that tion gathered and lessons learned by the organi- you can justify having, and if you can’t justify why zations we contacted.While the guidance will be you have it then you need to delete it; practical and actionable and provide some clari- − keep the data secure, both technically, with fication about how to solve these recurrent issues, appropriate digital defenses, and organization- it is not legal advice and not intended to be relied ally, through operational policies and procedures upon in this way. Organizations should always that support data protection; first consult their relevant national implement- − ensure that any data transfers are secure and ing legislation and regulatory authority advice supported by an agreement or other transfer where available, as well as keep in mind that this mechanism where necessary; and is a developing body of law with evolving jurispru- dence and regularly updated guidance.

40 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations

− be transparent with the data subjects, update INTRODUCTION: WHAT YOU NEED TO KNOW ABOUT privacy policies and information notices to THE GDPR ensure that the data subject would not be Scope surprised to know how their data is being processed. The GDPR’s application is very broad and any entity (person or organization) that meets any • FAMILIARIZE yourself with the national of the following conditions will need to comply: data protection law in your country and understand how it applies exactly to your • the entity is located in the European Union organization—there may be relevant excep- and processes personal data in the European 50 tions to certain requirements available Union; depending on the nature of work you under- • the entity is established in the European take. Union and processes personal data as part of • REVIEW your compliance status on a regu- its activities, regardless of where the process- 51 lar basis—this work is not static and the steps ing itself takes place; above must be undertaken on a continuous • the entity is located anywhere in the world basis, keeping up with changes in the data, and processes the personal data of EU data the organization processes, the activities subjects, either linked to selling goods and compliance requires, the hiring of new staff, services or monitoring the behavior of those and changes in law. individuals; and

Below we set out guidance on steps 1–5 and • the entity is established anywhere else that provide in depth explanations of the legal basis EU member state law applies by virtue of 52 and the policies your organization needs. public international law.

50 “GDPR’s impact on the non-profit sector: seeking your input,”GDPR Today, https://www.gdprtoday.org/gdprs-impact-on-the-non- profit-sector-seeking-your-input/, January 28, 2019. 51 “Established” here means that the entity has a presence in the European Union, this may apply where an international organization has an office in France but undertakes some or all of its data processing operations to its U.S. headquarters for example. 52 GDPR Article 3(1), Recitals 22, 23, and 25.

41 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

• The GPDR will not apply where that prohibit the processing of special category the processing is strictly for personal data unless certain conditions are met. These or household reasons (e.g., keeping a include obtaining the data subject’s explicit personal contact list or managing family consent and ensuring appropriate safeguards matters),53 the activities are outside are in place to protect data subjects. the scope or EU law,54 or certain activ- Processing is also defined very broadly under ities undertaken by the European the GDPR to the extent that doing pretty much Union an EU member state or law anything at all with personal data will likely fall enforcement body.55 within its scope—collecting, recording, orga- nizing, structuring, storing, adapting, altering, Definitions retrieving, consulting, using, transmitting, Personal data is defined very broadly under disseminating or making available, aligning, the GDPR and includes any information relat- combining, restricting, erasing or destroying ing to a living individual that will either iden- personal data are all data processing activi- tify them (e.g., name, address, phone number, ties.57 Essentially, where an organization deals email address, ID or contact details of any with personal data in any capacity, it will be kind) or make them identifiable (e.g., location engaging in data processing. This applies to data, IP address or information that relates both internal data (chiefly human resources) to the individual’s physical, genetic, mental, and data gathered on other persons (dealing economic, cultural or social identity).56 Some with supporters, donors, beneficiaries, etc.). types of information are more sensitive than others and there is consequently a higher risk It is also important to understand the roles of associated with processing this data. This is the “data controller” and the “data processor.” recognized in the GDPR through the concept of The former is the entity that decides what data “special category data,” which is personal data to process and why, and which entity will be that is or may be sensitive and includes race, in charge of managing, directing or oversee- 58 ethnicity, political opinions, religious or philo- ing data processing operations. Sometimes, sophical beliefs and details of sex life or sexual two or more entities will make these decisions orientation. Restrictions are set out in Article 9 about the same personal data together and

53 GDPR Article 2(2)(c). 54 GDPR Article 2(2)(a). 55 GDPR Article 2(2)(b) and (d). 56 GDPR Article 4(1). 57 GDPR Article 4(2). 58 GDPR Article 4(7).

42 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations in these instances will be joint controllers in qualifies as “personal data,” it is increasingly respect of the particular processing activity.59 difficult to “fully and irreversibly” anonymize The “data processor” is the entity that conducts personal datasets to meet the re-identification data processing operations on the instruc- test required by data protection law.61 More- tion of a data controller and can only process over, many datasets that that are considered personal data in accordance with those instruc- anonymous by their users may still contain a tions.60 For example, a charity (data control- unique identifier that is connected to their real- ler) contracts an email service provider (data world identity. Such data is “pseudonymized” processor) to send out monthly newsletters to rather than anonymized and still falls within its subscriber database (data processing activ- the scope of the GDPR. Even if the data has ity). It is quite possible that a single entity could been pseudonymized using techniques such as be both a data controller and a data processor coding or hashing, basic data protection obliga- in respect of different data sets or processing tions still apply if it is possible to re-identify the operations at the same time. individual data subjects by reversing the pseud- onymization process. 62These obligations only Finally, there are two issues that seem to cause cease to apply when the data are fully and irre- endless confusion on the part of researchers. versibly anonymized. The first is the use of personal data that is already in the public domain. Whereas many people correctly assume that by publishing IMPLEMENTING THE KEY STEPS information on social media platforms etc., the 1. Give responsibility to people in individuals concerned have largely abdicated your organization their right to privacy. However, it remains the Even though small organizations may be case that if you are collecting and/or re-using exempt from appointing a data protection offi- this data you are still bound by the GDPR and cer, it is crucial that key staff within the organi- must ensure that your use of the data conforms zation make data protection their responsibility, to its requirements (see further “open source and that any data protection risks are properly data,” below). The second issue is that while it identified, brought to senior management, and is also the case that fully “anonymized” data that action is planned to mitigate them. Creat- is exempt from the GDPR because it no longer

59 GDPR Article 26. 60 GDPR Article 28(3)(a). 61 Anonymization: Managing Data Protection Risk Code of Practice, ICO, https://ico.org.uk/media/1061/anonymisation-code.pdf, November 2012. Note – this document is currently being updated by the ICO. 62 Through these processes and depending upon how the keys/codes are handled, it is quite conceivable in practice that data may be pseudonymized by one data controller and made available to another in an effectively anonymized format.

43 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance ing a data protection working group is one data is sensitive, then a data protection officer solution that ensures that knowledge is spread should be appointed and given the resources throughout the organization, rather than and management support to discharge their sitting with one person, and for larger NGOs, responsibilities.65 that the different needs within the organization Even where appointing a data protection officer are represented. is not mandatory, an organization can choose Appointing a data protection officer is manda- to appoint one voluntarily. For all organiza- tory in any of the following cases: tions, whether or not a data protection officer is appointed, data protection needs to be • you undertake large-scale, regular and someone’s job. For small organizations, regular systematic monitoring of individuals as a review of policy and practice by a competent core part of your work; staff member may suffice; in larger organiza- • you undertake large-scale processing of tions it will be more appropriate to share data special categories of data or data relating protection responsibilities across management to criminal convictions or offenses as a core and operations. For more complex data protec- part of your work; and tion issues, such as the governance of data • you are a public authority or body (except sharing between organizations, which may for courts).63 require data sharing or controller-processing agreements, you should consider developing While a specific determination of what is “large a “toolkit” containing step-by-step guidance scale” in this context is not available, certain and model agreements. factors should be taken into account including

(i) the number of individuals concerned, (ii) the 2. Establish a data processing inventory amount and type of data involved and (iii) the Creating a data processing inventory (also scale of processing activities (what the data is known as a record of processing activities) used for and how long it is retained, etc.).64 In allows you to map what, how, and why personal short, where an organization’s work requires data is processed by your organization.66 the processing of a lot of personal data on a Although it is not mandatory for all organiza- regular basis, and especially where some of that

63 GDPR Article 37. 64 Article 29 Working Party Guidelines on Data Protection Officers (DPOs) adopted December 13, 2016. 65 Data Protection Officer (DPO), European Data Protection Supervisor, https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en, undated. 66 GDPR Article 30.

44 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations tions,67 producing the inventory will help you • The legal basis for processing: You need to rationalize your data processing operations be confident you have a legal basis to support by providing an overview of the personal data each processing operation/activity. Guid- your organization is processing and a basis for ance on determining and relying on particu- assessing its legitimacy. It will also help you lar legal bases is provided further below. improve or implement appropriate data gover- • The specific purpose of the processing: nance and meet some of the key accountabil- You also need to ensure that you know and ity components of the GDPR. Both the French have specified the purpose for which you (CNIL) and Belgian data protection authorities are collecting the data, and that the data have produced helpful inventory templates collected is necessary to fulfill that purpose. that show the kinds of information that should If you do not have a specific purpose for retaining the data then you do not have an be included in the inventory.68 We have also appropriate basis for processing it. If you are included a template inventory at Appendix 3 holding data you don’t need then you should that some organizations have found helpful. consider deleting (or, if justified, archiving) The data processing inventory should detail: the data and changing data collection practices going forward. • Each data processing or set of data • Access controls: You should also detail who processing operations and the categories has access to the data within the organiza- of personal data involved: It is not essen- tion and why. Only staff who need access to tial to identify each and every processing personal data for the purposes for which it is operation from the outset, but organizations processed should be able to access the data in should at least have an overview—even if practice; sensitive or “special category data” data processing tasks undertaken for the should be subject to strict access controls. same purpose are grouped together into single operations. For example, it may be • Retention periods: As noted above, you sufficient to group all human resources tasks should establish retention periods for all together as one data processing operation of the personal data that your organization (i.e., payment of salaries, recording availabil- processes. If data is only needed for a limited ity and leave, health and emergency contact period, or is no longer actively processed, data, performance evaluations and so on). procedures should be in place for deleting or archiving the data pursuant to the retention

67 GDPR Article 30(5) exempts organizations with fewer than 250 employees who are engaged in low risk data processing only. 68 See the CNIL inventory template https://www.cnil.fr/fr/cartographier-vos-traitements-de-donnees-personnelles (in French) and One Trust’s unofficial translation to English of the Belgian Data Protection Authority’s inventory template available here https:// www.onetrust.com/belgian-dpa-publishes-template-article-30-records/.

45 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

schedules. If data is needed on an ongoing to implement. Given the need for civil soci- basis, it should be subject to periodic review ety organizations to protect their data from to ensure that it is actually necessary and hackers and surveillance, good data secu- proportionate to keep it. rity is essential. This requires good information security including access controls and • Processing modalities: For each data encryption, as well as good “digital hygiene” processing operation/activity, you should on the part of all employees. also document the tools, systems, and software you are using to process the data and The inventory should be a living document that ensure that the contracts in place with these is subject to regular review and update. providers are GDPR compliant (this includes everything from database software and 3. Assess the risk level word processors to physical data destruc- The GDPR presents two significant departures tion services). There are particular requirements in place for the terms and conditions in the approach of its predecessor, the EU Data of contracts between controllers and proces- Protection Directive of 1995. First, there has sors set out in Article 28 of the GDPR. If you been the move away from a “checklist” based have concerns, reach out to the third party approach, which required organizations to and ask questions. meet key requirements such as registration with a supervisory authority. The GDPR takes a • Data transfers: You should also maintain a record of personal data that is transferred to risk-based approach that makes organizations partners and service providers. The GDPR that handle personal data responsible for estab- contains strict rules for such transfers and lishing a level of data protection that is propor- you should ensure that data transfers are tionate to the risks posed to data subjects if subject to appropriate governance mecha- their data is accessed unlawfully or otherwise nisms and safeguards (see further below). misused. The second significant change is a • Data security: The inventory should also focus on accountability for data processing. confirm that there are sufficient techni- This means organizations need to demonstrate cal and organizational security measures their compliance. More than half of the articles in place to protect the data (this includes within the GDPR imply some kind of account- establishing appropriate policies, training ability component. The GDPR also enhances staff, and ensuring there are appropriate digi- the level of transparency that organizations tal and physical safeguards around data). It processing personal data should attain. follows from the risk-based approach that the The best way to meet these challenges is to greater the risk to the data subject of unauthorized access to the data, the greater the properly identify higher risk processing oper- level of data security the controller needs ations, document the compliance efforts that

46 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations have been undertaken to ensure respect for for “informed consent,” has transparency of data subjects’ rights, and provide an appropri- processing, and allows subjects to withdraw ate level of transparency toward those affected their consent. Further advice on these issues by the data processing. To borrow a phrase is provided below. coined by data protection consultants, “Say For more data intensive operations concerned what you do, do what you say, and be prepared for example with the investigation, research, to justify it to a regulator.” In the event that and/or documentation of human rights and your organization is subject to complaints social justice-related issues, and in particular from data subjects or investigations by a data the role of individual persons in specific cases, protection supervisory authority, being able issues or campaigns, compliance is inevitably to explain how and why data is processed and more challenging and complex. These chal- protected—and to demonstrate this in prac- lenges include determining an appropriate tice—will provide the best mitigation. It is not legal basis and specified purpose for the data enough to theorize about such practices. You being used in the “public interest” or “journal- need to have effective policies in place and staff istic work.” The challenges also include apply- whose responsibilities include data manage- ing data protection principles including “data ment and protection. minimization” to ensure that groups collecting and holding data only process the data they 4. Prioritize compliance efforts based on risk-level need, and meet transparency requirements where data is not collected directly from the Different organizations will clearly have data subject. These determinations should different data protection compliance needs guide operational policy and practice in order that reflect the amount and sensitivity of the to ensure compliance with the GDPR. Staff personal data that they process. For instance, members and associates who collect and use small non-profits that are only handling data on the data should be centrally involved in the their staff and supporters, and only minimally elaboration of these policies, together with processing data about other people should not those responsible for managing and secur- have much difficulty complying with the GDPR. ing the IT infrastructure. While there is much They need to ensure that they have a legal basis overlap between information security and data for all of the data they hold. They also need to protection, it is now essential to factor the latter ensure that the data is collected for a specified into the former through “data protection by purpose and only used for that purpose, and design and default” processes that consider that any “consent” based processing covers the use as well as the security of new systems. the following: respects private subscribers or While it is far from easy, these kinds of compli- supporters, meets the minimum standards

47 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance ance efforts, when done properly, can improve research purposes or statistical purposes the efficiency and effectiveness of organiza- is considered compatible with the original tions by rationalizing data collection and purpose). enhancing data governance. • Data minimization: This means that the actual data processed in relation to the speci- 5. Understand and implement the core data fied purpose must be adequate, relevant and protection principles limited to what is necessary to achieve the The GDPR sets out seven data protection prin- purpose. Necessity has a proportionality ciples. These are common sense standards that component, which means that the purpose should guide all responsible data collection: should be achieved in the least invasive way available to the controller. The data minimi- • Lawfulness, fairness, and transparency: zation principle should be applied to every For data processing to be lawful, it must be aspect of the processing, i.e., from collec- based on one of the “legal bases” set out in tion, access, and retention to transferring the GDPR (see further below). Processing and archiving. must also be fair to the data subject. The • Accuracy: This means that the data you processing may still have an adverse impact process must be accurate and, where neces- on the individual concerned, but that impact sary, kept up to date. if there are doubts about must be justifiable; data processing is unfair the accuracy of the data being processed, it if it has an unjustifiably negative impact. may still be legitimate to keep it as long as you Data processing must also be rendered trans- have a legitimate basis and purpose for doing parent to data subjects, either at the point the so. The data, however, should be marked as data is collected from them, or, where data potentially unreliable. is not acquired directly, within one month of its acquisition (there are several exemptions • Storage limitation: This means that you may to this requirement, see further below). Data only keep personal data as long as you need subjects may not be misled and should not be it for a specific purpose. Retention periods surprised by data controllers as regards the should be established, justified, and docu- nature of the processing. mented. Data should be periodically reviewed and deleted or anonymized in the event that • Purpose limitation: This means that data it is no longer needed. Data may be retained must be collected for specified, explicit, following the expiration of the retention and legitimate purposes and not further period if it is needed for archiving purposes processed in a manner that is incompati- in the public interest, scientific or historical ble with those purposes (note that further research, or statistical purposes. If it is to be processing for archiving purposes in the archived it should undergo a minimization public interest, scientific or historical

48 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations

review and wherever appropriate, subject to relevant depending on the context of the data psuedonymization or anonymization. processing and the relationship between the • Integrity and confidentiality (security): As data subject and the data controller. noted above, you are required to adopt appro- In determining the legal basis supporting a priate technical and organizational measures processing activity, it is advisable to consider to protect personal data following a risk-based all applicable bases and document the reasoning approach. While you may take into account supporting the decision making process. There the costs of applying data security measures may be situations where two or more legal when deciding what measures to implement, these measures must be appropriate to both bases are applicable and all of them should be your circumstances and the risk the process- recorded as supporting the activity in order to ing poses. Where appropriate, you should look strengthen the rationale for the data process- to use measures such as using pseudonyms ing. The key issues to consider here are why the and encryption. You should also ensure that data are being processed and whether or not the data is backed up and that procedures are in processing falls within the scope of what is envis- place to test your back-up procedures. aged by the GDPR. In most cases, answering • Accountability: As noted above, you must these questions should lead to a clear indication have appropriate measures and records in of which basis or bases may fit, but at times it place to be able to demonstrate your compli- may not be clear cut. ance with the data protection principles and Crucially, some of the civil society organizations the requirements of the GDPR. Establishing we engaged with appear to be over-reliant on a data processing inventory is a key first step the premise that the work they are engaged in (see further below). is broadly in the “public interest.” This implies that this somehow provides a legitimate basis DETERMINING THE LEGAL BASIS for all of their programmatic data processing As noted above, a legal basis is required for all activities, or even that the organization was data processing that falls within the scope of the somehow “exempt” from complying with the GDPR and while there are six legal bases avail- general principles and requirements of the 69 able (see table below), the idea that consent is GDPR. This is not the case. The “public interest” somehow more important than the other legal basis for processing is defined quite restrictively, bases continues to cloud many organization’s and requires data controllers to meet several thinking on this issue. In practice, alternative important criteria (see further in the table on legal bases will likely be more appropriate or

69 The other legal bases are consent, performance of a contract, compliance with a legal obligation, protecting the vital interests of the data subject, public interest, and legitimate interest (GDPR Article 6).

49 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance the following page). Organizations will only be exempted from compliance where and to the extent that a relevant exemption applies, not on the basis of the nature of the work it undertakes. As discussed above and explored further below, certain exemptions are available for journalism, academic work, and artistic and literary expression, but this will depend on the national implementing legislation in the relevant member state. It is imperative that civil society organizations are confident that they are processing data in accordance with a legal basis and that any exemptions they rely upon are codified into national law.

50 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations

Overview of Application of Legal Bases

Legal basis GDPR definition – Article 6 Application

Consent (a) the data subject has given Only valid where consent can be freely given by consent to the processing of fully informed data subjects before the data is their personal data for one or processed. more specific purposes; This means that consent will NOT be an available See also Articles 7, 8, 9 and legal basis where an individual can’t make a real Recitals 32, 42, 43, and 171. choice—e.g., when personal data is processed by an organization providing humanitarian aid or other vital services (food, money, accommodation, medicine, etc.) and the data subject has to provide their personal data in order to receive the items. This isn’t a real choice for a vulnerable person in need of assistance because their consent cannot be freely given.

This legal basis will also be invalid where there is a significant power imbalance between the parties that makes the data subject unable to freely give their consent—e.g., in the context of employment an employee may not always be able to freely provide their consent to their employer because they may be concerned about how the situation could impact their job security.

In the above examples, the data processing may still be allowed to occur, where it can be supported by a different legal basis and it can be ensured that there is no disproportionate interference with the data subject’s rights and freedoms.

51 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

Legal basis GDPR definition – Article 6 Application

Performance of a (b) processing is necessary for This basis applies where a contract is being entered contract the performance of a contract into between a data subject and data controller, e.g., to which the data subject is for the provision of goods and services. party or in order to take steps at the request of the data subject prior to entering into a contract;

See also Article 20.

Compliance with (c) processing is necessary In certain contexts, personal data must be a legal obligation for compliance with a legal processed to meet a particular legal obligation obligation to which the (e.g., for employment law and taxation purposes). controller is subject; Data processed for safeguarding purposes, or for “due diligence” procedures to comply with money laundering and terrorist financing regulations would also be covered here, as would compliance with a judicial warrant compelling disclosure of personal data.

52 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations

Legal basis GDPR definition – Article 6 Application

Vital interests (d) processing is necessary Vital interests can be relied upon where personal in order to protect the vital data must be processed in order to protect an interests of the data subject; individual’s life and the person is incapable of giving their consent (e.g., where a person is unconscious and you reach into the pocket to get their driver’s license to look for contact or health details). If the processing can be undertaken in a less intrusive way, then this legal basis will not be available.

This cannot be relied upon to process health or other special category data if the individual is able to give their consent, but refuses to do so—for example where a person needs medical attention and details of any existing health conditions are required from them, but they decline to share this data then the vital interest basis can’t be used to override the individual’s decision. When relying on this basis, it is important to document the circumstances so that the decision and reasoning can be justified.

Public interest (e) processing is necessary Where the organization can demonstrate that the for the performance of a processing is carried out in the performance of a task carried out in the public specific task that is in the public interestAND is interest or in the exercise of supported by a mandate set out in law, then this official authority vested in the legal basis will apply. controller; Whereas organizations providing humanitarian or other social assistance in accordance with a legal mandate or provision of IHL have been able to rely on the public interest, it is not a justification for data processing by public interest organizations.

53 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

Legal basis GDPR definition – Article 6 Application

Legitimate (f) processing is necessary This basis may be relevant for data processing interest for the purposes of the undertaken in the course of carrying out work in legitimate interests pursued the organization’s legitimate interests, e.g., in the by a controller, except course of undertaking public advocacy and reaching where such interests are out to decision makers and other stakeholders, or overridden by the interests research and documentation work activities. or fundamental rights and When assessing whether the “legitimate interest” freedoms of the data subject, basis is appropriate, a Legitimate Interest which require protection of Assessment (LIA) should be conducted, allowing personal data, in particular you to weigh the benefit to the organization against where the data subject is a the impact on the rights and freedoms of the data child. This shall not apply subjects. The former cannot outweigh the latter, to processing carried out and it must be clear that there will be no undue by public authorities in the impact on the data subjects. performance of their tasks. This legal basis can apply in a variety of contexts, See also Articles 13 and 21 so long as the above preconditions are met and you and Recitals 113, 47, and 48. are confident that the reasoning behind your LIA can support your decision to rely on it if questioned by a data subject or regulatory authority. One of the key requirements when relying on legitimate interest is to never surprise the data subject—that is, if the processing is well outside the bounds of something a data subject would reasonably expect to happen to their data then this is an indication that the legitimate interest basis may not be relied upon in this case.

54 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations

LEGAL BASES FOR SPECIFIC a whistle-blower leaks information directly PROGRAMMATIC OPERATIONS to a journalistic outlet, the protections Research and publication data: Can you rely on of the directive may take effect to protect the journalism exemption? the action of the whistle-blower, while the Organizations conducting journalistic work publisher may be exempted from the require- and intending to rely upon the exemption ments of the GDPR through Article 85—but again national implementing legislation provided in Article 85 must: must be consulted; • Consult national implementing legislation • Ensure that you have adequate technical and to ensure that an exemption has been organizational security measures in place to provided in the relevant member state law. protect the data; At the time of drafting, 10 member states • Comply with any other professional obliga- have not made notification to the European tions as they may apply; Commission about how the exemptions have been made into national law, which means • While the exemptions that the GDPR has it is possible that there is data protection provided are quite broad in principle, it is or other legislation in place that applies to essential to know how the relevant member journalistic work and has not been updated state law applies to your organization’s to reflect the exemptions as made in the data processing so that you can effectively GDPR. In the case of any disparity between respond should you be faced with subject these laws, the regulatory authority and access, deletion or other requests from data relevant professional associations should subjects that you may be exempted from be contacted for advice; having to grant; • Make sure that your work falls within the defi- • If in doubt, follow the advice on the Euro- nition of “journalism” as set out in national pean Data Protection Supervisor on the law and that you meet any additional require- application of data protection provisions to ments—e.g., in the United Kingdom, the whistle-blower data.70 data processing must be undertaken with the intention to publish the work and with RESEARCH AND DOCUMENTATION ACTIVITIES— a reasonable belief that the work is in the ENSURING YOU HAVE A LEGAL BASIS public interest; Civil society organizations not relying on the • If working with leaked personal data from a journalistic exemption, or those that are unsure whistle-blower, be aware of how the Whis- that the exemption can be applied to all of their tle-blower Directive may impact this. Where research and documentation activities, must

70 See https://edps.europa.eu/data-protection/data-protection/reference-library/whistleblowing_en.

55 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance ensure that they have a legal basis for all of the on the consent of the interviewees to the extent personal data they process in this context. As that such consent is fully informed and freely noted above, unless your organization is estab- given. For consent to be legally valid, the data lished by a legal charter or specifically tasked subject must be furnished with comprehensive with an activity that requires the processing information about the intended processing and of personal data by statutory legislation, you a record of the consent must be retained by the should not rely on the “public interest” legal data controller. The requisite information to be basis set out in the GDPR, regardless of the provided to the data subject is as follows: actual public interest in your work. Instead, you should use the “legitimate interests” basis in • the identity of the data controller and, where the context of pursuing your mission or imple- applicable, the contact details of the data protection officer; menting your mandate. In doing so, you must ensure that your interest in processing the data • the legal basis and specific purpose(s) of the does not override the fundamental rights and processing for which the personal data will freedoms of the individuals concerned. This be used; determination will depend upon what you • the data subject’s rights as guaranteed by the intend to do with the data and the implica- GDPR and the EU Charter of Fundamental tions for the data subjects. As noted above, you Rights, in particular the right to withdraw should begin by (internally) documenting the consent or access their data, the procedures rationale behind any legitimate interest deter- to follow should they wish to do so, and the mination, and ensure that it does not override right to lodge a complaint with a supervisory the rights and freedoms of the data subject. For authority; organizations whose processing activities are • any automated decision-making activities, expressly designed to identify abuse of power including profiling; or criminal activity—activities that clearly have • information as to whether data will be shared the potential to undermine individual rights with or transferred to third parties and for and freedoms—it is crucial that safeguards are what purposes; and implemented to ensure that data is accurate, • how long the data will be retained before relevant, necessary, and proportionate, and they are destroyed.71 that the data is subject to a high level of security. The data subjects must also be made aware if Researchers conducting in-depth research data are to be used for any other purposes, and such as interviews of data subjects may also rely

71 If the data subject is already in possession of particular information categories, you need only provide the information that is newly relevant when collecting further data.

56 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations any legitimate interest pursued should be spelt Practically, this means that you must deter- out. Data subjects must also be notified if data mine a legal basis for the processing, specify is to be transferred to organizations outside the purpose(s), set appropriate retention peri- the European Union.72 Importantly, if the ods, and ensure that all the data collected is data processing entails potential risks to the explicitly related to the purpose(s) and only data subjects’ rights and freedoms, the subject retained as long as it is needed. Crucially, you must be made aware of these risks during the must also render the data processing trans- informed consent procedure. parent to the data subjects. The GDPR stipulates that where data is not acquired directly COLLECTING “OPEN SOURCE” DATA from the data subject and is, for example, Even where information comes from a public acquired from a third party or collected from source (“open source data”), it may still be public records or social media platforms—data considered personal data under the GDPR subjects must be informed about the process- and the obligations to appropriately protect ing by the controller within one month (or if the the data will still apply. This is because once purpose is to contact the data subject, when you collect personal data that was published the context takes place). Importantly for civil by an individual or another entity for a certain society organizations collecting and utilizing purpose and process it for your own purposes, open source data for their research and docu- you become a controller of that data. Some mentation, there are two important exemp- of the organizations we spoke to, conduct tions to this requirement. The first is the level research that involves collecting the personal of difficulty and expense involved in contacting data of private individuals from public sources the data subjects—“in particular for processing like social media accounts. Although in this for archiving purposes in the public interest, context the information has been willingly scientific or historical research purposes or published by the data subject, that individ- statistical purposes.” While data protection ual would not necessarily have expected authorities are beginning to enforce these or intended that their data would later be provisions, there are no firmly established collected and processed by a separate entity for rules here. However, it follows that where it is another purpose. Regardless, the bottom line relatively straightforward to contact the data is that organizations processing open source subjects, for example, if you have their email personal data are data controllers under the address, this is eminently feasible. Conversely, GDPR and the data subjects’ rights must still if the dataset does not include contact details be upheld here. and it would entail significant effort and there-

72 GDPR Articles 12 and 13.

57 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance fore cost to obtain them, the exemption may ADVOCACY be relied upon. The second exemption allows Organizations engaged in advocacy work can data controllers to elect not to contact the data reach out to public officials and other relevant subject if it would “render impossible or seri- stakeholders such as NGOs, associations, and ously impair the achievement of the objectives companies without having to first get their of [the] processing.” In this instance you must consent, where they can demonstrate that this still take appropriate measures to “protect is within the organization’s legitimate inter- the data subject’s rights and freedoms and ests. This type of communication should be legitimate interests,” including making the considered as distinct from engagement with information publicly available. For organiza- subscribers, supporters, and other parties, and tions processing open source data at scale, it is legitimate where it forms a critical part of is strongly advisable to maintain an inventory the organization’s work and purpose. When of the data sources and be transparent about contacting people for advocacy purposes it is their use. In practice, people whose data may in principle still necessary to conduct a legiti- be included should be able to ascertain that mate interest assessment, but in reaching out this may be the case and seek to enforce their to public officials and other stakeholders in rights as data subjects should they wish to do so. the course of social justice advocacy, the data Finally, whenever you are engaged in research processing is unlikely to be deemed to have and documentation activities, it is advisable disproportionate impact on the data subject. to conduct a “data minimization” review. Ask If contacting named individuals directly, it is your researchers to review (and document) the important to state the purpose and justification extent of the personal data being processed, for the communication and, in the event that with a view to ensuring that it is necessary, the recipient objects to the contact, to handle proportionate, and legitimate in the context the response appropriately in accordance with of the specified purpose for which it is being your obligations to the data subject (see further collected. This is particularly important where below). sensitive (“special category”) data is processed. Ultimately, if you cannot justify the data collec- GRANT MANAGEMENT tion in the context of your overall mission and As noted above, the performance of a contract specific research objectives, you risk processing provides a solid legal basis for the processing data unlawfully. of data related to grant applications, and where a grant agreement is entered into, processing grantee data related to the grant’s implementation and review. The issue of what do with this

58 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations data in the longer term may appear less clear- restricted to the extent that it is no longer cut, particularly where grant applications are “actively processed.” unsuccessful. This does not, however, mean • If archiving grantee data, establish clear that you do not have a basis for retaining data rules for the transfer of data to the archives, related to the application. The following factors including data minimization, and access should be taken into consideration: controls to the data therein. If you do intend to make the data available to persons outside • Do you need to keep data for the purposes of the organization, procedures should be in compliance with due diligence obligations, place to remove personally identifiable data, accountancy, financial audit or review? If or if this is not possible, to seek the permis- you are required to keep the data in order to sion of the data subject prior to disclosure. comply with a legal obligation, then the legal Again, having clear, transparent policies basis for retaining the data is clear. about what will happen to grantee data from • It may also be in your legitimate interests to the outset is crucial. If you are planning to retain data about grantees for the purposes of archive the data for historical reference, facilitating further applications, or to main- make applicants aware of this fact and the tain a historical record or archive of your safeguards you will employ from the outset. grant-making activity. • When keeping grantee data for the purposes POLICIES—WHAT YOU SHOULD HAVE IN PLACE other than performance of a contract or • Privacy policy—a public-facing privacy compliance with a legal obligation—and policy governing the management of indeed for these purposes—it is crucial to personal data needs to be produced and (i) conduct a data minimization review to made available to data subjects to inform ensure that only the data that is needed to them about how their data is being dealt with meet whatever objective is fulfilled by the in order to comply with the transparency retention; (ii) set a retention period; and (iii) requirements of the GDPR.73 The specific render your practices clear to the data subject content of this policy will depend on how and at the point of application and contracting. why the organization collects and processes • In minimizing the data processing, you data but at minimum it will need to be easily should also restrict access to the data to accessible and straightforward. Such a policy those people in the organization who actu- will cover: ally need access to the data. If data is held − who the organization is for compliance or archiving rather than operational purposes, access should be further − what data is being collected from data subjects

73 GDPR Article 12.

59 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

− why and how the data is being processed ing an internal policy will allow you to explain − who the data is being shared with and document how you are implementing or meeting the requirements of the GDPR − how data subjects can exercise their rights and provide an operations guide to help staff under the GDPR understand their responsibilities in helping − details of how to seek further information, the organization meet its data protection including the data protection officer’s contact obligations. Applicable safeguards should details where one has been appointed. be explained to data subjects upon request.

If your organization collects data about people • Cookie policy—websites using cookies need on a basis other than consent, for example in the to have a cookie policy that explains what context of human rights research, investigative cookies are dropped by the website, what journalism or the processing of open source data, data is collected, how and why this data is then a transparency statement should also be processed, and how data subjects can control incorporated into the privacy policy to support those cookies. This may be achieved through those activities. In this way, the data subjects a tool or platform that allows individuals to who may be affected by this work can understand manage these settings. In addition to provid- what is happening to their data and seek recourse ing granular control and requiring the user to or further information if required. The use of opt-in rather than opt-out, the best cookie “open source” data is discussed further above in this section. policies explain why the organization uses particular cookies. A good policy will also • Overarching data protection policy—in set out the implications for the user of allow- addition to public-facing policies, there ing the cookie onto their device and who should also be an internal policy that sets will have access to the data compiled by the out the procedures in place to apply the data cookie. protection principles and accountability • Mailing list policy—post-GDPR, data requirements into practice across the orga- subjects must actively consent to join your nization’s operations, addressing issues email list. Meeting the minimum trans- like retention periods and setting out a data parency requirements outlined above and breach response plan. This can be achieved implementing a two-step procedure that either by incorporating data protection requires an email confirmation on the part principles into existing operations policies of the data subject that they do indeed wish (e.g., policies around beneficiaries, human to join the list is the best way of mitigating resources, and other key areas of work) or against potential complaints engendered by producing an overarching internal data by mistakes or malpractice. Data subjects protection policy for the organization. While must be informed of their right to opt-out this is not required under the GDPR, produc- of non-essential communications at any

60 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations

time and be provided with an easily accessi- individuals must be able to exercise their ble way of doing so. This information should rights against each controller. Because joint be included in any subscriber correspon- controllers may be jointly liable for damages dence as well as within the organization’s caused by the processing, it is crucial to have privacy policy. some form of agreement in place. If your organization routinely shares personal data • Data sharing policy—sharing personal with contractors or partners, you should data between organizations, or passing it consider establishing standard operating to third parties such as researchers, consul- and record-keeping procedures to ensure tants, lawyers or service providers poses that staff are aware of their data protection numerous data protection challenges. While obligations and provided with the tools and standardized data sharing clauses can be templates and they need to meet them. implemented to govern controller-processor relationships, for example where an orga- • Data breach policy—given both the impli- nization uses third party solutions to store cations for data subjects and the enhanced or analyze data, other relationships can be enforcement powers of supervisory author- more difficult to work through. Primarily, ities, it is imperative that staff understand you must ensure that you have a specified how to identify and respond to a data breach. purpose and legal basis for the data transfer, The former can be achieved through basic and ensure that the recipient only uses the training and should be integrated into an data for that specific purpose. You should information security awareness program also document all data transfers, and ensure that takes into account the most common that data is returned or verifiably deleted by ways in which data breaches happen as well processors when it is no longer needed for as the tactics used by “hackers” and other the purpose for which it was transferred. If adversaries. The latter requires your organi- you are dealing with contractors, dedicated zation to be able to detect breaches and have data protection provisions can be included a plan in place should a breach occur. At the in your agreement with them. If you are very least, this plan should cover how your engaged in a joint research or advocacy organization will contain and respond to a project, where different organizations may data breach. Such a plan should include guid- process the data for different purposes, you ance on when it will be necessary to report may need a formal “joint controller” agree- the breach to a regulatory authority and the ment. Such an agreement will set out your data subjects themselves, and how this will agreed roles and responsibilities for comply- be done. The GDPR requires you to report ing with the GDPR. While the joint control- a data breach to the relevant supervisory ler relationship does not require an actual authority within 72 hours, depending on the contract to be in place, the arrangement likelihood and severity of the resulting risk must be transparent to the data subject, and to people’s rights and freedoms. If there is a

61 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

high risk of adverse impacts, you must also inform the data subjects themselves “without undue delay.” Regardless of whether you are required to notify the supervisory authority or not, you must keep a record of all data breaches. Requiring staff to report even the most minor of data breaches to a data protection officer or focal point is a good way of building a culture of information security within your organization. • Subject access request policy—organizations in regular receipt of subject access requests should consider establishing a policy on how to respond to particular requests to ensure consistent practice. If there are practical limits to data subjects’ rights engendered by the architecture of the data, or you seek to rely on exemptions that would limit those rights because compliance would prejudice, prevent or seriously impair you from processing personal data that is required or necessary for your purpose, then you should document and justify the basis for doing do. Whereas all subject access requests must be treated on merit on a case- by-case basis, if you know that you are unable to comply with certain requests because you have for example stripped key identifi- ers from a dataset, then it is good practice to state this in your information notices and data processing statements. You should log all subject access requests, your responses to them, and any justification for refusing to comply in case the data subject seeks redress from a supervisory authority or court.

62 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations

Annex 2—Copy of Survey 4. Annual budget (Euros) Questions a. 0-100K b. 100-250K ORGANIZATION DETAILS c. 250-500K 1. Organization type d. 500-1 million a. predominantly grant-seeking/fundraising e. 1 million + b. predominantly grant-making 5. Headquarters’ location c. predominantly advocacy d. Other • Drop down list of countries

2. Focus of work 6. Scope of activities

a. Human Rights a. National b. Political/social change b. European c. Education c. International d. Health COMPLIANCE EFFORTS e. Media 1. Have you made efforts to comply with GDPR f. Environment g. Other a. Yes b. No 3. Size of organization (employees) 2. If Y when did you start? a. 1-10 b. 10 - 25 a. After GDPR was published (in/before April 2016) c. 25 - 50 b. Early 2017 d. 50 - 100 c. Late 2017 e. 100 - 250 d. Early 2018 f. 250+

63 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

e. Just before the deadline (May 25, 2018) s. Designated a privacy officer or other dedicated staff member f. No compliance efforts made t. Revised or introduced data breach policy 3. If you made efforts to comply with GDPR, did u. Staff awareness you do any of the following v. Data protection training a. Published or revised privacy policy/state- w. Other ment

b. Published or revised cookie policy 4. How much time in total do you estimate your c. Mailing list – reconsented / reviewed / organization has spent on GDPR compliance? deleted mailing list subscribers a. < 1 month d. Adopted or revised internal policies b. 1 - 3 months e. Adopted or revised staff rules c. 3 - 6 months f. Adopted or revised agreements with partners d. 6 - 12 months / processors e. 12+ months g. Produced or updated inventory of processing operations 5. Have the compliance efforts you’ve made had h. Reviewed or changed fundraising proce- a financial impact on your organization? If yes dures please estimate the cost (in Euros).

i. Reviewed or changed grant-making proce- a. Negligible dures b. 1 - 10k j. Reviewed or changed advocacy procedures c. 10 - 25k k. Reviewed or change research procedures d. 25 - 50k l. Conducted risk assessment e. 50 - 100k m. Conducted DPIA f. 100k+ n. Implemented new IT systems o. Enhanced information security p. Deleted data q. Reviewed or changed data retention policies r. Designated a DPO

64 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations

PERCEPTION a. Scale 1-10 (1 poor, 5 neutral, 10 excellent)

1. What is your perception of the GDPR in b. Other comments (free text response) terms of the obligations it imposes on your organization 2. How do you rate the advice provided by your national regulatory authority in terms of its • Scale 1-10 (1 perfectly reasonable, 5 neutral, relevance and helpfulness? 10 too onerous) a. Scale 1-10 (1 poor, 5 neutral, 10 excellent) 2. What kind of impact have your compliance b. Other comments (free text response) efforts had on your organization (please add comments) 3. Have you had to seek external data protection • Scale 1-10 (1 negative, 5 neutral, 10 posi- advice, if so who did you contact? tive) a. Regulatory authority

3. Across your organization as a whole, to what b. Lawyers extent has there been buy-in that GDPR c. Consultants compliance policies are important? d. Other NGO • Scale 1-10 (1 minimal, 5 moderate, 10 e. Charity regulator comprehensive) f. Umbrella group 4. To what extent has the organization’s g. No external advice sought leadership been involved in advocating for the important of GDPR compliance? h. Other

• Scale 1-10 (1 minimal, 5 moderate, 10 4. Is there any advice you found particularly comprehensive) helpful, if so please specify or provide a link here (free text response) 5. Please comment on the impact of your compliance efforts on your organization (free SELF ASSESSMENT text response) 1. How do you feel that your organization is placed in terms of its compliance status at ADVICE present? 1. How do you feel about the quality of publicly available advice available to help your • Scale 1-10 (1 concerned about compliance, organization comply with the GDPR? 5 neutral, 10 confident)

65 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

2. How do you feel that your organization f. Information security is placed in terms of its understanding/ g. Determining what qualifies as personal data awareness/familiarity with GDPR? h. Developing technical solutions to satisfy data • Scale 1-10 (1 poorly-informed, 5 neutral, 10 subject requests (e.g. deletion or access) very well informed) i. Other

3. Do you feel that your organization has taken a relaxed or cautious/conservative approach to 2. Please elaborate on the compliance issues compliance? encountered (free text response) Has your organization adopted a procedure for • Scale 1-10 (1 relaxed, 5 neutral, 10 over- responding to subject access requests? ly-cautious) a. Yes 4. How would you categorize your compliance efforts b. No

a. Ad-hoc 3. Has your organization received any subject b. Checklist-based access requests? c. Risk-based and proportionate a. Yes – from employees past or present d. Comprehensive b. Yes – from mailing list subscribers e. Overly cautious c. Yes – from people you are investigating

f. Other d. Yes – from the police e. No COMPLIANCE ISSUES f. Other 1. Have you struggled with any of the following issues? 4. What did the requests concern

a. Mapping and making an inventory of a. Access personal data processing activities b. Correction b. Legal basis for processing c. Deletion c. Obtaining and recording consent d. Erasure/right to be forgotten d. Maintenance/operation of mailing lists e. N/A e. Retention periods f. Other

66 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations

5. Do you consider any of the subject access 3. How concerned are you about other forms of requests you have been to be “vexatious”, i.e. unauthorized access/hacking etc? maliciously made in order to inconvenience your organization or get access to information • Scale 1-10 (1 not concerned, 5 neutral, 10 that should otherwise be confidential? extremely worried)

a. Yes 4. How concerned are you about the protection b. No of personal data related to partners/ collaborators/information sources?

6. Please provide further details about the • Scale 1-10 (1 not concerned, 5 neutral, 10 vexatious subject access request (without extremely worried) including any personal details about the data subject) 5. Do you have any other data security 7. Have you had to seek external advice as to concerns? (free text response) how respond to subject access requests? 6. Have the steps you have taken to address a. Yes concerns about information security changed because of the GDPR? b. No a. Yes

DATA SECURITY b. No

1. Do you have an organizational data security c. N/A policy 7. Has your organization ever experienced a a. Yes personal data breach? b. No a. Yes

2. How concerned are you about government b. No surveillance? 8. If yes, please provide details on the data • Scale 1-10 (1 not concerned, 5 neutral, 10 breach (excluding any information the could extremely worried) compromise your organization)

67 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

GDPR’S IMPACT ON YOUR CORE ACTIVITIES d. Collection of personal data related to investigative journalism and reporting Advocacy e. Collection of personal data related to public 1. If your organization engages in advocacy, opinion (surveys etc) has the GDPR impacted any of the following practices? f. N/A g. Other a. Outreach to supporters

b. Outreach to policy-makers 4. What effect has GDPR had on your c. Use of traditional media (phone, postal, organization’s research work? email) • Scale 1-10 (1 detrimental, 5 neutral, 10 very d. Use of social media positive) e. Retention of data 5. Please add any other comments about the f. N/A effect of the GDPR on your organization’s g. Other investigation, research and documentation work (free text response)

2. What effect has GDPR had on your Fundraising practices organization’s advocacy work? 1. If your organization engages in fundraising • Scale 1-10 (1 detrimental, 5 neutral, 10 posi- from the public has the GDPR impacted any of tive) the following practices?

Research a. Communication with individual donors b. Donor mailing list 3. If your organization engages in research and documentation has the GDPR impacted any of c. Management of payments the following practices? d. Use of third party fundraisers a. Collection of personal data related to human e. N/A rights violations f. Other b. Collection of personal data related to abuse of power c. Collection of personal data related to corruption

68 Annex 1—Complying with the GDPR: Best Practices for Civil Society Organizations

2. What effect overall has GDPR had on your Enforcement organization’s fundraising work? 1. Has your organization been the subject of • Scale 1- 10 (1 detrimental, 5 neutral, 10 very enforcement action by a regulatory authority positive) for an alleged violation of GDPR or data protection laws?

3. Please add any other comments about a. Yes the effect of GDPR on your organization’s fundraising work (free text response) b. No

Grant-making 2. If yes, please describe what happened (free text response) 1. If your organization engages in grant-making has the GDPR impacted any of the following 3. Do you know of any another non-profit practices? organizations that have been the subject of enforcement action by a regulatory authority a. Communications with applicants and grant- for an alleged violation of GDPR or data ees protection laws? b. Application procedures a. Yes c. Retention of application/grantee data b. No d. Use of application/grantee data e. N/A 4. If yes and the information is in the public domain please provide further details (free f. Other text response)

2. What effect overall has GDPR had on your a. Beyond the GDPR organization’s grant making work? b. National law • Scale 1-10 (1 detrimental, 5 neutral, 10 very positive) 5. Does national data protection law require you to register as a Data Controller?

3. Please add any other comments about the a. Yes effect of GDPR on your organization’s grant making work (free text response) b. No

69 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

6. Does your national law introduce additional data protection compliance obligations?

a. Yes b. No

7. If yes please provide further details (free text response)

Relationship with other legal requirements

1. Have you encountered tensions between GDPR and other regulatory requirements that apply to your organization?

a. Yes b. No

2. If yes what do these relate to?

a. Licensing/registration b. AML/CFT rules c. Beneficial ownership d. Transparency requirements e. N/A f. Other

Any other comments

3. Please provide any other information about your organization’s experience with GDPR

70 Annex 3—Guidance and reference documents consulted

Annex 3—Guidance crime and national security) must be consistent with and reflect international human and reference documents rights law. consulted INFORMATION COMMISSIONER’S OFFICE (ICO) EUROPEAN CENTRE FOR NOT-FOR-PROFIT LAW Resources for charities Issues Addressed: Resources for charities Data Protection Standards for Civil Society Organisations, Carly Nyst 2018. • ICO Charity GDPR page provides resources, Issues Addressed: CSO fundraising links, responses to FAQs. • A GDPR self assessment toolkit is available • Overview of international data protection to help organisations generally determine legal framework; their compliance status. • Interaction of data protection with other • No charity specific GDPR guidance has been legal frameworks including anti-money issued by ICO (general guidance has been laundering and counterterrorism financing issued as outlined below), but ICO advise obligations; that they are engaging with representatives • Impact of GDPR on CSO fundraising initia- from the charity sector to assist them in tives; producing their own sector specific guidance. • Findings/recommendations: • A helpline was opened to allow small organi-

− Data protection laws may curtail some CSO sations to contact ICO and get advice directly. fundraising activities because individuals’ consent may be required (e.g. wealth screen- GDPR FAQs for charities ing); Issues Addressed: How to deal with health data, − CSOs of all types must comply with the data consent and appointing a DPO for charities protection requirements applicable to them, including GDPR; • Key points:

− Smaller CSOs may struggle to meet onerous − All charities, regardless of size, must comply compliance obligations; with the law, including GDPR.

− CSO specific guidance should be issued to − Health data, which is sensitive personal data provide support and certainty to CSOs about under the DPA, will come under the definition their GDPR and data protection obligations; of special category data under the GDPR. − Domestic legislation (including laws around charity fundraising, data protection, cyber

71 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

− Consent for marketing obtained prior to the • The investigations uncovered serious effective date of GDPR should be reviewed to breaches of the DPA 1998 related to wealth ensure that it meets the GDPR standard and screening without individuals’ consent (the can continue to be relied upon. Where exist- practice of tracing and targeting individuals ing consent do not meet the GDPR standard by bringing together personal information or are poorly documented, then that consent from numerous sources, some charities were should be refreshed, a different lawful basis also trading personal details with other char- should be identified or the processing should ities, creating a large pool of donor data for be stopped. sale). − Consent is not the only lawful basis that can be relied upon for marketing under GDPR but • While the activity of wealth screening was it is required for some calls, texts and emails not explicitly prohibited by the law, the prac- under the Privacy and Electronic Communi- tice contravenes the fundamental principles cations Regulations 2003 (PECR). of data protection laws when done without the consent of the individuals affected. − Any organisation is able to appoint a DPO. Public authorities and organisations whose • Data protection is a matter for the board- core activities include large scale systematic room, not to be dealt with in isolation by one monitoring of individuals, and/or relate to or more parts of a charity (e.g. IT or fund- large scale processing of special categories of raising). data or data related to criminal convictions or offences. Regardless of whether a DPO is • Public information is not “fair game”, once required under GPDR, all organisations must it comes into the hands of a charity, that data ensure they have sufficient staff and skills to must be treated fairly and in line with the law, adhere to the obligations under GDPR. which includes treating the data in a way that people would expect. Transcript of speech delivered by the • Profiling and wealth screening is not some- Information Commissioner to the thing that people would expect to happen to Fundraising and Regulatory Compliance them without their knowledge or consent. Conference in February 2017 • Consent must be freely given, informed and Issues Addressed: Charity fundraising unambiguous and you must be able to prove you have it if you rely on it for processing. A • Addresses compliance with the then current pre-ticked box will not be valid consent. Data Protection Act (DPA) 1998 and how to prepare for the GDPR, primarily in response to the findings produced from ICO investigations into a number of charitable organisations’ fundraising practices.

72 Annex 3—Guidance and reference documents consulted

Conference presentation and ICO Guide to the GDPR conference paper Issues Addressed: General compliance guide Issues Addressed: Charity fundraising • ICO GDPR general compliance guide • Focused on considerations for charities regarding the use of publicly available data, INTERNATIONAL COMMITTEE OF THE RED CROSS wealth screening, data matching and teleappealing. Handbook of Data Protection in • Addresses consent, legitimate interests and Humanitarian Action fairness and transparency of processing Issues Addressed: Compliance guide specific to under DPA 1998. humanitarian actors in emergency situations

• The use of publicly available information is • Guidance on data protection principles as still subject to proper treatment under data applicable to humanitarian emergencies; protection laws regardless of how it was • Provides specific guidance on the interpre- obtained. tation of data protection principles in the • Consideration of the data protection impli- context of humanitarian action, particularly cations of wealth screening, data matching where new technologies are employed. and teleappealing

FUNDRAISING REGULATOR (FR) Findings from ICO information risk reviews at eight charities Regulatory guidance and resources Issues Addressed: Data management review of eight Issues Addressed: Charity fundraising UK charities • FR has produced briefing notes which cover • In April 2018, ICO published findings from GDPR compliance matters specific to fund- its review of eight charities highlighting raising for: the effectiveness of the controls in place − Corporate entities; to safely manage data, and to what extent these practices were embedded. The report − Legacies; sets out areas of good practice and areas for − Community groups; improvement, including governance; poli- − Charitable trusts; cies and procedures; monitoring and reporting; training; consent; fair processing and − As well as a general introduction to GDPR. data sharing; business continuity; incident reporting and retention and disposal. • These notes relate specifically to how GDPR

73 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

impacts fundraising activities, particularly provide a service for the charity. around contacting individuals for donations, covering matters including: • Consent case studies from eight charities who have reconsidered their approach to − direct marketing under GDPR; donor consent since 2016 − an explanation of the consent and legitimate interest lawful bases; − case studies detailing the approach by eight charities to managing their existing mailing − the lawful basis that may be relied upon list and changing their approach to opting for different types of communication when new individuals in, in line with the require- reaching out to individuals for fundraising ments of GDPR, covering “consent refresh- purposes; ing” and other approaches from Age UK, − the content of privacy notices Cancer Research UK, Macmillan Cancer Support, Rethink Mental Illness, RNLI, Rose − some information about the interaction Road Association, RSPCA and The Children’s between GDPR and the Privacy and Electron- Society. ics Communication Regulation 2013 (PECR).

• Consent self-assessment tool Personal information and • Checklist for charities using consent fundraising resources Issues Addressed: Charity fundraising INSTITUTE OF FUNDRAISING • Personal information and fundraising: consent, purpose and transparency Connecting people to causes: a practical guide to fundraising research − focus on direct marketing and communi- Issues Addressed: Fundraising guidance for charities cation for the purpose of fundraising in the context of data protection laws; • Guidance for charities on using and collect- − establishing a lawful basis for different types ing personal data from individuals who they of communication (email, SMS, automated wish to target for the purposes of fundraising, calls, fax, live calls and post); including publicly available information. − opt-in/opt-out consent under GDPR; • “GDPR is principles-based, rather than − fairness and transparency requirements directly prescriptive”, the document aims under GDPR; to provide an outline of the process to go through to help guide organisations’ use of − advice on using third party data suppliers (fundraising platform providers, buying personal data in fundraising work. personal data and data collection) and where a third party supplier uses charity data to GDPR resources

74 Annex 3—Guidance and reference documents consulted

Issues Addressed: Resources for fundraisers status;

• Resources and advice for charities especially • Q&A session at end covering: around GDPR and direct marketing, which − Consent – what level of granularity required? includes fundraising activities. Separate consents for separate processing operations required under GDPR, but question is how to separate out those operations? DIRECT MARKETING ASSOCIATION − Fundraising Regulators guidance says that GDPR Checklist separating out the activities of the organisa- Issues Addressed: Guidance for managing personal tion should guide how to separate consent data for direct marketing purposes (applicable to for contacting individuals, e.g. an organisa- advocacy) tion may undertake research, fundraising, advocacy campaigning, running events = a • Applies to direct marketing activities, includ- number of different activities that individuals ing fundraising; may or may not want to participate in or be contacted about, so consent to contact about • Covers legitimate interests, consent, the these different activities must be separated kind of information that needs to be supplied out. Where an organisation chooses not to to data subjects, the use of data sourced from separate out consent in these circumstances, third parties, profiling and legacy data. they need to be confident about why they are making this decision and be able to support this and consider that withdrawal of the NATIONAL COUNCIL FOR VOLUNTARY ORGANISATIONS consent would impact contact about all of (NCVO), INCLUDING THE KNOW HOW NON-PROFIT these different processes. RESOURCES − Records of consent must be kept. Where the GDPR webinar consent relates to sensitive personal data, a Issues Addressed: General compliance advice for strong record of agreement should be created voluntary organisations (e.g. a more detailed consent form requiring electronic signature). For less sensitive infor- • Covers data protection principles; mation, a record of an unambiguous consent may suffice (e.g. a tick box). • Organisational structure and steps to take toward compliance; − Evidence for consent received verbally e.g. over the phone - guidance from ICO (in draft • Lawful bases; at the time of the session) is clear about being • Appointment of a DPO; able to demonstrate back to the person what they agreed to. If it is verbal, is there a set • Includes interactive responses from organ- statement that was read to the individual and isations to gauge preparedness/compliance they agreed? Having a script or clarity of this

75 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

kind on record is essential. For more sensi- Data Protection and GDPR, Know How tive data a recording of the consent may be Non Profit required. Issues Addressed: Resources for non-profits − Many ways to obtain GDPR standard consent when it comes to non-sensitive personal infor- • Links and resources to GDPR compliance mation. guidance material from ICO; − When should consent be sought? Do clients • Guidance on how to write privacy policies and and volunteers need to opt-in to receive sample policies; contact about organisational events? For organisational information critical to the • Access to a GDPR compliance “health check” role of the client/volunteer/operations of review service by NCVO consultants. the organisation, there is a legitimate inter- • How to Comply with GDPR, Know How est in communicating this without asking for Non Profit consent. For communication about non-mission critical information (e.g. invitations to • General compliance advice social/other events) these should be sent on − Advice to non-profits: an opt-in basis as it is reasonable to provide individuals with a choice about receiving − Ensure trustee board and senior staff are aware these. of the organisation’s compliance obligations;

− Understand what messages NEED to be − Identify data held and its source, communicated vs circumstances where indi- − Update privacy notices in compliance with viduals might reasonably be given a choice GDPR; about receiving messages. − Review processing activities against individ- − DPO – to whom should a DPO report? Senior ual’s rights, e.g. right to deletion/correction of management within the organisation, for data; charities that is trustee level (they can make decisions about allocating budget and − Put a plan in place for dealing with subject resource and the management of information access requests; in the organisation). − Identify processing activities and their lawful basis;

− Review consent practices;

− Build in extra protections for children where relevant;

− Put a plan in place to detect, report and inves- tigate personal data breaches;

− Ensure fundraising practices are compliant.

76 Annex 3—Guidance and reference documents consulted

EUROPEAN COMMISSION ARTICLE 29 mated decision-making – Chapter III; WORKING PARTY • Specific provisions on solely automated deci- Article 29 Guidelines sion-making defined in Article 22 - Chapter Issues Addressed: Detailed guidance on the application IV; of particular principles of GPDR • Children and profiling – Chapter V;

Transparency • Data protection impact assessments and data protection officers– Chapter VI; • Provides practical guidance and interpre- tative assistance on the new obligation of • Best practice recommendations, building on transparency concerning the processing of the experience gained in EU Member States. personal data under the GDPR. Personal data breach notification • Transparency is an overarching obligation under the GDPR applying to three central • Explanation of the circumstances in which areas: a personal data breach is to be notified to a national supervisory authority or lead − (1) the provision of information to data authority, and communicated to the individ- subjects related to fair processing; uals whose personal data have been affected. − (2) how data controllers communicate with data subjects in relation to their rights under Consent the GDPR; and • Thorough analysis of the notion of consent. − (3) how data controllers facilitate the exercise by data subjects of their rights. • The concept of consent as used in the Data Protection Directive and in the e-Privacy • These guidelines are, like all WP29 guide- Directive to date, has evolved. lines, intended to be generally applicable • The GDPR provides further clarification and and relevant to controllers irrespective of specification of the requirements for obtain- the sectoral, industry or regulatory specifi- ing and demonstrating valid consent. cations particular to any given data controller. • These Guidelines focus on these changes, providing practical guidance to ensure Automated individual decision-making and Profiling compliance with the GDPR and building upon Opinion 15/2011 on consent. • Definitions of profiling and automated decision-making and the GDPR approach • The obligation is on controllers to innovate to these in general – Chapter II; to find new solutions that operate within the parameters of the law and better support the • General provisions on profiling and auto-

77 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

protection of personal data and the interests Data Portability of data subjects. • Explanation of the right to data portability and how it can be given effect by Application and setting of administrative fines data controllers. • This document is intended for use by the • Data subjects have the right to receive the supervisory authorities to ensure better personal data that they have provided to a application and enforcement of the GDPR data controller in a structured, commonly and expresses their understanding of the used and machine-readable format that can provisions of article 83 as well as its interplay be transmitted to another data controller with articles 58 and 70 and their correspond- without hindrance. ing recitals. • In particular, according to article 70, (1) Guidelines on Data Protection Impact (e), the European Data Protection Board Assessment (DPIA) is empowered to issue guidelines, recom- • The purpose of this document is to clarify mendations and best practices in order to the relevant provisions of the GDPR in order encourage consistent application of the to help controllers to comply with the law GDPR and the setting and application of and to provide legal certainty for controllers administrative fines. who are required to carry out a DPIA. These Guidelines also seek to promote the devel- Lead Supervisory Authority opment of:

• Explains in what circumstances the LSA prin- − a common European Union list of process- ciple is relevant and applicable, i.e. where a ing operations for which a DPIA is manda- controller or processor engages in cross-bor- tory (Article 35(4)); der processing of personal data, the LSA is − a common EU list of processing operations for the authority with the primary responsibility which a DPIA is not necessary (Article 35(5)); for dealing with a cross-border data processing activity, for example when a data subject − common criteria on the methodology for makes a complaint about the processing of carrying out a DPIA (Article 35(5)); his or her personal data. − common criteria for specifying when the supervisory authority shall be consulted (Arti- Data Protection Officers (DPO) cle 36(1));

• Explains the role of the DPO and in what − recommendations, where possible, building on the experience gained in EU Member circumstances a DPO should and/or must States. be appointed.

78 Annex 3—Guidance and reference documents consulted

EUROPEAN UNION AGENCY FOR FUNDAMENTAL CONCORD HUMAN RIGHTS (FRA) What does GDPR mean for Handbook on European data protection law your organisation? 2018 Issues Addressed: Webinar presentation for relief and Issues Addressed: General compliance advice for legal development NGOs practitioners • Concord attended several GDPR confer- • Handbook designed to familiarise legal prac- ences, exchanged information with some titioners not specialised in data protection Concord members and peers and consulted with this emerging area of the law. a lawyer who helped them to order their compliance process and give them the Information society, privacy and data framework to develop the tools they require protection to be complaint. Issues Addressed: Compliance advice and information • With this information Concord organized a on data protection generally. webinar open to members and partners in which they share what they had learnt and • FRA’s work on information society, privacy the compliance steps they had taken. and data protection (including links to all relevant FRA reports). UNITED NATIONS

CHARITY FINANCE GROUP Data, privacy, ethics and protection guidance note on big data for achievement GDPR: A guide for charities of the 2030 agenda Issues Addressed: General compliance advice for Issues Addressed: Guidance document setting charities out general guidance on data privacy, protection and data ethics for the United Nations Development Group • Advice on governance, fundraising, financial data, beneficiary data, employee data • The guidance sets out principles for obtaining, retaining, using and quality controlling data from the private sector

79 Open Society Foundations Civil Society Organizations and General Data Protection Regulation Compliance

Annex 4—Data processing inventory template

Dataset Individual donors Subscriber mailing list Staff travel booking

Owner Fundraising lead Director, Community HR Developer

Data processed Name, email address, Name, email address Staff name, personal amount donated, contact details, copies of frequency passports.

Purpose Fundraising Reaching out to and Arranging staff informing network of ongoing work and upcoming events

Legal basis Consent (initial contact), Consent Compliance with a legal legitimate interest obligation (information (follow up contact with required to book travel) individuals who have and contract (condition donated) of employment that this information will be processed)

Risk level Medium Low High

Storage Organization server Organization server, Organization server, email service provider travel booking platform platform and websites

Status Active Active Active

Access Fundraising team Community HR Development Team

80 Annex 4—Data processing inventory template

Dataset Individual donors Subscriber mailing list Staff travel booking

Data sharing with n/a Email service provider Travel booking platform third parties platform and websites

Policies / notices Information notice to Information notice to Clause within required obtain consent from data obtain consent from employment contract that subjects data subjects. explains how staff data will be processed for this purpose.