The GDPR experience...and panic
At the end of May, inboxes all over Europe exploded. It was not a virus or love letters. It was privacy emails from companies and organisations that, in some cases, we did not even know had our data. Panic all over, and with good reason. If you did not notice, on 25 May the EU's monster privacy protection legislation kicked in. What did the European Youth Forum do? Tried not to panic. This is what we have done and will do.
Remember the article "New Year resolution #1: get familiar with GDPR…and comply"? It was our New Year resolution to make sure that our Member Organisations started thinking about what to do with the new regulation kicking in in May 2018. Following up on the New Year resolution, we facilitated two peer-to-peer sessions with the Youth Forum membership: one with Belgium-based Member Organisations in May and one at the YFJ Academy in June.
But what did we at the European Youth Forum do ourselves? It was the start of a long exploratory journey, which has now turned into our GDPR action list:
1. Mapping our data (Data Register)
We started our compliance process by mapping all the data streams in the organisation. This was done by surveying every area, from policy/advocacy to admin/finance, ICT, HR, communications/events and membership management. Every rock within the Youth Forum had to be turned over so we could see what kind of data we are handling and with what software. This lengthy process resulted in the so-called Data Register, which the GDPR makes mandatory. Our register is a map that we can present to authorities if necessary.
2. When data is travelling outside the EU (Data Processing Agreements)
We will need paperwork in case we need to send data outside the European Union, which we will, especially as we are a pan-European organisation with a membership in all European countries. Additionally, we are working on a global level. We will therefore ensure that we have templates ready and use them as needed.
4. Data Transfer Tool
When sending data out of the European Union, we will need a secure data transfer tool.
5. Who-what-when (Data Breach Procedure)
One mandatory item in the GDPR is to have an internal procedure in case there is a data breach. We have now developed this, so we have an in-house plan of who-is-doing-what-and-when.
6. Board decision on Data Protection Officer and reassessment decision
At the Board meeting in Athens in June 2018, the European Youth Forum Board decided to follow the recommendation and not appoint a Data Protection Officer. Under the GDPR, for an entity such as the European Youth Forum, and since we are not handling sensitive data, it is not mandatory (nor necessary) to have a Data Protection Officer. The Board also decided to reassess the implementation of GDPR in 2019.
8. Keep on GDPR’ing
GDPR was not just a one-time thing for the European Youth Forum. Training and awareness raising about data privacy need to be part of our DNA. So training for the staff and board of the European Youth Forum is envisaged.