What I’ve been working on lately: GDPR Compliance

My name is Johnna Armstrong. Like a lot of us at SkyTruth, I wear a couple of different hats, but mostly I’m a Sys. Admin, and I also do some project management, keep the website and our in-house tools running, and (try to) keep up with the latest security hacks and phishing exploits.

For the last couple of months, however, I’ve been pretty busy with the General Data Protection Regulation, or GDPR. This European regulation is nicknamed “privacy by default,” and it requires all companies and organizations that provide goods and services (free or not) to European citizens to respect and protect their personal data, even companies and organizations that aren’t in the EU. We have subscribers, supporters and volunteers in Europe, so the GDPR applies to us. It’s not clear yet how the EU will enforce the GDPR, but because it is so far-reaching, and because it would be prohibitively expensive to maintain multiple systems for the various countries and their laws, a lot of companies and nonprofits, including SkyTruth, are opting to treat everyone as if they were a European citizen, and that’s good for data protection here in the U.S.

The GDPR passed in April of 2016, bringing together all the existing laws of European countries into one set of rules in less than five years, which seems like a remarkable achievement to me. Imagine how long it might take all 50 states here to create the same kind of uniform law. The GDPR became enforceable as of May 25, which is why your inboxes have been full of emails notifying you about privacy policy changes and asking you to opt into email subscriptions that you signed up for once already. We’re sorry that all of these emails are clogging up your inboxes, but we’re not sorry that the GDPR is spurring organizations to treat personal data with more respect.

In fact, we think that the intent of the GDPR is terrific. It hasn’t been a lot of fun wading through the GDPR’s 99 articles, performing audits of our websites and apps, taking care of paperwork, and learning the new tools that our third party partners have implemented on their end to make sure that they’re in compliance. The requirements have been costly and labor-intensive to implement, particularly for small organizations like us. And we know that they have been a huge hassle for you too. But at its core, the GDPR is all about transparency in the handling of your personal data and the protection of it, which aligns pretty well with our philosophy of transparency in the handling of the environment and the protection of it.

At SkyTruth, it’s always been our policy to treat your personal information with respect, but now we have a privacy policy specifically spelling it out, in plain English. It tells you what kinds of information you give us when you do things like sign up to volunteer for a crowd-sourced project or to receive SkyTruth Alerts for places you care about. It tells you what we do with that information and how you can control and manage your data, and it outlines the third party companies we partner with to do our work, including links to their privacy policies. We had already made our website more secure by adding SSL/HTTPS so that data you give us is encrypted and transmitted securely. And because we use Google Analytics to track web traffic in the aggregate, we now have a notification on our website letting you know that our sites use cookies and that you have control of that in the settings of your web browser.

Like all those other organizations that have been sending you email, we have been asking you to re-confirm your subscriptions to our blog and news releases. The GDPR requires us to get your consent, and it says that consent expires, although it does not specifically state when that happens. So you are likely to see more of these consent emails from the organizations you interact with in the future. We hope that you’ll stick with us as we make these changes, which we believe are in all of our best interests. If you want to continue to receive emails when we publish blog posts but didn’t confirm your subscription with us, here’s a link to our form. If you are a journalist and would like us to send you news releases, that form is here.

And for those who suffer from insomnia, the GDPR has been turned into a bedtime story for adults.