Your inbox has probably been flooded recently with emails about the GDPR, so you don’t need us to tell you that GDPR stands for the European Union General Data Protection Regulation and that it comes into effect on 25 May 2018. It applies to any organization that collects or retains information about EU citizens, so many global organizations are looking at it as an example.

The full GDPR text can be found here [https://gdpr-info.eu/chapter-1/].  While the GDPR is more stringent than existing rules, it is not a radical change in concept from existing privacy requirements in the EU or Canada. (The US does not have a national privacy law.)

The most important concept in privacy is consent. The GDPR requires that consent to receive and use personal data be given via a ‘clear affirmative action’ so that consent is ‘freely given, specific, informed and unambiguous’.  An ‘affirmative action’ can be as simple as ticking a box.  This elimination of ‘opt-out’ consent is a main feature of the GDPR.

The user must understand ‘consent for what?’. The future use of the information must be presented at the time when the information is collected, and the description must be clear and complete. SDIA has defined its consent in terms broad enough to cover a variety of future activities: ‘to receive our newsletter and other emails that will keep you up-to-date about the people and work of Susila Dharma, and ways to support our global teams’.

It must be as easy to withdraw consent as it is to give it, and individuals have the right to see what information has been kept about them.

SDIA has a formal privacy policy (as required by GDPR), but the presentation of privacy policy and practices can be done in a layered fashion.  This means that a simplified version can be presented at the point where the information is collected, with links to more detailed information.

SDIA does not share personal information about its donors or subscribers with any other organizations.

Privacy is not primarily a technical issue. GDPR allows for the use of both organizational and technical means to keep personal information secure. There are two technical issues that may be of interest.  Website cookies may be subject to the GDPR, and SDIA has addressed this (more info here). External services used by SDIA, such as the email service Mailchimp, have taken concrete steps to ensure that they meet GDPR standards.