I am a nonprofit/not-for-profit: What policies do I *really* need for GDPR?

Sharon Monts-DeOca looks at stuffed rabbit she was given on her first Christmas: Jacksonville, Florida — Florida Memories

Rules, rules, rules!

There is a long list of data protection-related policies that organizations present in the EU have implement for GDPR.

But do they really need them?

Here is Golden Data Law candid advice on what to invest in and what to avoid.

Because, let’s be honest, for resource strained nonprofits/not-for-profits deciding what not to do is just as important as deciding what to do and when…

ACKNOLEDGEMENT: Big thanks to Ismail Ali for his contributions to this article.

NOTE: This posting is part of a series of blog post by Golden Data Law dedicated to making freely available to the nonprofit community resources about privacy, data protection and cybersecurity. To learn more about us visit our site at https://goldendatalaw.com/

What does the General Data Protection Regulation (“GDPR”) say about policies?

Let’s set the record straight: GDPR does not contain a mandate for organizations to create any specific data protection policy/ies.

That said, Article 24 and Recital 78 specifically require organizations responsible for personal data subject to the GDPR to implement “technical and organisational measures” including data protection policies “where appropriate.”

So the real question is: when it is appropriate to create GDPR policies? The GDPR sets out seven principles that apply to organizations and include the following obligations:

• fair and transparent processing
• having a lawful basis to process personal data for specific purposes,
• only processing the minimal data necessary,
• keep such data up to date and
• stored only as long as necessary for those purposes and keep it secure.

Translating these principles into action and helping those responsible for implementation understand the requirements does require policies. This is particularly true for organizations that are responsible for the data (what GDPR calls “controllers” ) as they are required to demonstrate compliance with the GDPR under the accountability principle (see, Article 5(2) of the GDPR.)

Do the GDPR requirements apply to nonprofits/not-for-profits?

Yes, as a general rule all of the GDPR requirements apply equally to the for profit and the non for profit sectors.

How many polices does my nonprofit/not-for-profit *really* need?

Overview and strategy

Policies are to organizations what rules are to the players of a game. They act as a framework within which everyone can strive to support the mission of the organization.

A game is only as good as its rules, and how well we play the game is defined by how well we follow the rules. Too many rules can spoil the fun, but at the same time there needs to be a codification for consistency and to ensure fairness.

When it comes to considering the need for rules, the main difference between the nonprofit/not-for-profit sector and the for profit sector is that the former is playing a cooperative game while the latter is not. Successful nonprofits/not-for-profits understand that they must internally and externally coordinate their strategies because their missions embed the idea of a shared payoff.

Here are the guiding principles we recommend nonprofits/not-for-profits should follow when designing their “cooperative strategy approach” to GDPR policy compliance.

• Adopt a minimalistic design: Minimalist design is about prioritizing the essential and it is almost always the right approach for resource strained nonprofits/not-for-profits. Deciding what not to do is just as important as deciding what to do and when. Seek a legal advisor that can support your need for ruthless prioritization from the start and never try to imitate the for profit sector (or you will end up with a think stack of papers that overwhelms even the most compliance inclined members of your organization.)
• Always be team-building oriented: To be successfully implemented, your policies must help strengthen the bonds between internal stakeholders as opposed to pinning them against each other. The first step to achieving this is to get internal stakeholders to agree from the get go that (i) the policy needed and (ii) the policy supports the mission of your organization. Never start a conversation on policies with“GDPR requires us to […]” but with “This will help us achieve our mission and here is how I suggest we go about it, but I am open to your feedback.”
• Leave room for creativity: Setting the rules and getting everyone to agree on the rules is the first step to avoiding arguments when the competition has begun. But remember, sometimes it’s even more fun to make up your own rules as you go along so long as everyone is clear on the main goals and understand how the rules are to evolve. In other words (i) keep policies short and concise and leave room for the details to be fluxed out through implementation and (ii) revise your policies every other year (or yearly if possible) to adapt to the new realities within your organization.
• Get a good ref: Even if everyone agrees at the get go, the implementation of a rule may lead to arguments when the game starts. Settling those disputes fairly is easier if you identify a person or group within your organization that is responsible for interpreting and enforcing the rules. This may mean setting up an internal steering committee or having an existing committee take over the role.
• Stay on mission: Approach compliance as a journey instead of a destination. Do not over-commit and stick to your plan. It will take time to see tangible progress so make sure to celebrate any achievements along the journey.

And now for the list (…and GDL’s candid take on usefulness…)

There is a long list of data protection-related policies that might help your organization implement the GDPR principles, allow your staff to navigate their obligations, and help you demonstrate that you handle personal data in line with the EU requirements.

Below we provide a sample list and our candid opinion as to their usefulness for the nonprofit/not-for-profit sector.

(1) Data Retention Policy:

• What is this? This policy will provide guidance on how to comply with the storage limitation principle and what criteria to use to determine retention periods for different categories of personal data (in other words, it tells you how long you should you hold personal data.) For the EU you may need EU Member State-specific retention schedules to cater to national legal requirements (e.g., regarding HR, tax and social security data).
• Do I need one? You are going to need this one if you are operating in the EU. The real question is how granular it should be and the typical answers is as granular as you can realistically handle from an implementation point of view.

(2) Data Subjects Rights Policy (DSRP’s policy aka DSAR policy):

• What is this? This policy is meant to describe how to identify and respond to data subject rights requests (access, rectification, erasure, restriction, portability and objection to processing -including automated individual decision-making and profiling.) Sometimes it is accompanied by a table on differences in EU Member States’ rules in relation to the right of access.
• Do I need one? To be candid, at GDL we are not big fans of DSRP’s policies. For nonprofits/not-for-profits typically it is more valuable to generate a schematic of the procedure to be followed and creating a DSAR workflow in your internal collaboration tool to be deployed as needed. In addition, two things you should definitely consider are (i) getting training for the individual/s responsible of handling requests on how to recognize and answer DSAR’s (including training on email etiquette when communicating with data subjects to avoid mishaps), and (ii) generating templates for answers. Reach out to your DPO or external privacy counsel for rates on training and for help generating templates. If we identify good free resources we will post on that.

(3) EU Data Protection Policy:

• What is this? This policy is meant to serve as a central document listing the main principles of handling personal data with links to other more specific policies and processes, where appropriate.
• Do I need one? No, you don’t. It is a nice to have though, particularly if you want to have an organized centralized repository of links to all your other related policies/resources.

(4) Data Protection Impact Assessment (DPIA) Policy:

• What is this? This policy is meant to help you identify when and how to conduct DPIAs. It outlines when to carry out a DPIA (EU Member State may provide different/additional opinions on when a DPIA is (not) mandatory and this policy will contain a table on these requirements) and what the process and the resulting report should look like.
• Do I need one? It frankly depends on the processing activities you are carrying out. Most nonprofits/not-for-profits can skip this policy. That said, if the mission of your organization requires you to handle sensitive data (e.g. healthcare related data or political affiliation data) you probably would benefit from investing time and money to generate a DPIA policy to help you identify the processing activities that will trigger DPIA obligations and help you streamline this process and efficiently utilize internal resources when carrying these out. Whether you generate a DPIA Policy or not, your organization would benefit from DPIA training so that you know when DPIAs are required, what are the risks of non-compliance, what do they entail and when is a consultation with the Supervisory Authority required.

(5) Data Security Policy:

• What is this? This policy is meant to outline the technical and organizational measures to implement around data processing activities depending on the risk they might pose to the rights and freedoms of individuals (e.g. higher security measures around processing of criminal records data or special categories of personal data, such as health data)
• Do I need one? You definitely need policies and procedures on data security, but approaching it from an EU only “Data Security Policy” perspective is in our opinion a mistake. Our philosophy is to let CTO/CISOs lead the way when it comes to identifying what IT Security and Physical Security polices/procedures are needed, with legal providing feedback into the process instead of generating a separate “Data Security Policy” meant for regulators only. That said, depending on the country, some regulators do expect organizations to present a version of this document upon request so you may actually have to generate it whether it is actually useful or not. On a related note, definitely consider the need for a Data Breach Management Plan and the rules for periodic internal audit checks and reviews of security procedures. Again, the need for granularity and documentation will depend on the sensitivity of the data you actually handle.

(6) Data breach response policy:

• What is this? This policy provides an overview of the key requirements, procedures and notification deadlines, what to expect from Supervisory Authorities and how the GDPR rules differ from US notification requirements
• Do I need one? These days every organization should have a data breach response policy and invest on incident response training using table-top simulations to road-test the company’s incident response plans. That said, we favor drafting these policies with a global approach (as opposed to EU specific) and keeping them relatively short (10 to 15 pages range whenever possible.) Remember, accidental data leaks can constitute a data breach (it is not only about malicious access.)

(7) Marketing Policy

• What is this? This policy sets out rules on marketing activities like using business cards, sending direct marketing emails, and carrying out online campaigns using social media. This policy can also provide an essential guidance on use of cookies for marketing purposes and guidance on some of the essential Ad Tech-related issues (this can also be provided as a separate policy).
• Do I need one? Understanding the rules about how to lawfully to contact organizations and individuals and use the various marketing and advertising technologies is important. For the nonprofit/not-for-profit sector donor outreach is the most likely activity to be at risk of running afoul of EU rules so we do recommend a policy on this at the minimum to cover donor outreach.

(8) Third Party Contracts Policy/Guidance:

• What is this? This document is meant to ensure your organization has all agreements required under GDPR in place. Theoretically, this policy helps legal/contracts team determine the roles of business partners, vendors and customers under the GDPR (controller/processor/joint controller) in relation to various processing activities and apply the correct mandatory contractual terms, where applicable. This policy often includes guidelines on the adequate measures to use for lawful international transfers.
• Do I need one? This is a total overkill even for the for-profit sector. Invest in strengthening vendor due diligence procedures instead. That said, we do recommend generating templates for your contracts that involve personal data and short guidelines on how to negotiate them offering alternative language and provide training on the GDPR rules on contracts (in particular Articles 26 and 28 of the GDPR.)

(9) Closed-circuit television (CCTV) Policy

• What is this? A CCTV Policy sets out the rules as to when it is ok to use CCTV and what are the safeguards to ensure it is lawful in the EU.
• Do I need one? As crazy as this may sound to US based nonprofits/non-for-profits, depending on what countries you are present in, a CCTV Policy may be a must have. CCTV footage is subject to the GDPR and, if you are collecting it, you must inform individuals and allow them to exercise their GDPR rights. Also, you should think about limiting access to the recordings to those who need it complete a function of their job (generally be security personnel and management.) These rules equally apply to the use of CCTV to monitor employees.

(10) Product Development Policy/Biometric Access Controls Policy

• What are these? A product development policy establishes how to implement technical and organizational measures to ensure integration of data protection concerns into every aspect of processing activities. A biometric access controls policy sets out when it is OK to process biometric data and what are the safeguards to ensure it is lawful.
• Do I need one? Probably not. Honestly even for for-profit orgs generating a policy for this is a likely overkill. That said, any nonprofit/not-for-profit organization processing biometric data should invest in privacy by design and default training and awareness.

(11) Employee Privacy Policy

• What is this? This policy explains how your organization handles personnel personal data.
• Do I need one? If you have EU employees you do need one and, in our view, you might as well draft it to cover all of your employees. This helps ensure you have fair standards that equally apply across your whole team.

(12) Other policies to consider in the workplace: Keeping your employees informed and being openly accountable to them helps build trust and accountability. In that spirit, you should consider the need for the following additional policies:

• Call Recording Policy: how to carry out call recording lawfully.
• BYOD Policy: rules governing employee-owned PCs, smartphones and tablets.
• Whistleblowing Hotline Notice: where a company has a hotline, this aims to ensure that individuals are aware how their personal data will be used when reports are made.
• Internal Investigation Policy: On how you would handle an internal investigation involving personal data.