Ready, Set, Respect: Navigating the Era of Data Privacy and Access Requests

In today's digital era, digital trust is fast-becoming a vital component in  building relationships with constituents. The General Data Protection Regulation (GDPR) of 2018 established a framework for understanding individuals' rights to privacy and the need for organizations to provide transparency and security. This framework is reflected in emerging privacy legislation in the United States and other countries. As people become more conscious of data privacy, we can expect an increase in focus on protecting personal information. One way this is likely to be reflected is in organizations receiving data subject access requests,  also known as DSARs. Often these arrive in the form of data deletion requests where an organization receives an email from a constituent requesting that data be deleted.

As organizations start receiving Data Subject Access Requests (DSAR's), nonprofit professionals are grappling with a multifaceted issue. It is not only about adhering to various national or state-determined regulations. These requests also put the spotlight on an organization’s response to privacy rights. We can expect requests from automated commercial tools to be on the rise. Some will be legitimate while others are not. Nevertheless, this reality is pushing organizations to answer a key question:  When DSARs originate from regions without applicable legal ordinances, should we still honor their request or adhere solely to our own guidelines? There will be some cases where we are legally required to retain records for a specified time, such as donation transactions, what if that’s not the case?  When a constituent whose data we have asks us to remove it, should we honor that request? 

If the answer is yes, then this adds a new dimension to data management capacity that many organizations have not had to consider. Data management capacity refers to the ability of your organization to effectively collect, store, and manage the data that you hold. This includes having a clear understanding of what data you have, where it's stored, and who has access to it. With this information, you can then develop policies and procedures that outline how to handle data in a responsible and secure manner.

Where do you start when it comes to building data management capacity? The first step is to take inventory of your data and data systems. This includes creating a comprehensive list of all the data that your organization holds. Whose data do you collect? What are you collecting? Where and how is the data stored and accessed?  

Once you have a clear understanding of your data, you can then develop a system for data classification, and the handling policies for that data. This policy should spell out the types of data that your organization collects, the purpose for which it's collected, and the retention periods for each type of data. It should also specify who is responsible for managing the data and what security measures should be in place to protect it. By having a clear guidance in place, you can ensure that your organization is handling data in a consistent and secure manner. 

So, what happens when you receive a DSAR? It's also important to have a defined process in place for handling these requests. This process should include the steps for identifying the relevant data, determining whether the data is subject to deletion, and, if so, how it will be deleted. 

Clarifying the steps in the process will help to ensure that the response is consistent and effective, and will minimize the risk of errors or omissions. Below is an illustration that walks through the different workflow steps or tasks that you will follow each time you receive a request. 

Creating a workflow provides clarity and guides you through the process from start to finish. By defining your workflow, you can ensure that all staff know what steps to take, and you can make sure that the response is consistent each time (and no one has to reinvent the wheel).

Building data management capacity is an important step for nonprofits in the digital age. It includes taking inventory of your data and data systems, developing a Data Classification and Handling policy, educating your staff on data handling practices, including responding to DSARs. By taking these steps, your organization will also be building the capacity to ensure that yours is an organization whose digital practices constituents can trust.