What I’ve been working on lately: GDPR Compliance
My name is Johnna Armstrong. Like a lot of us at SkyTruth, I wear a couple of different hats, but mostly I’m a Sys. Admin, and I also do some project management, keep the website and our in-house tools running, and (try to) keep up with the latest security hacks and phishing exploits.
For the last couple of months, however, I’ve been pretty busy with the General Data Protection Regulation, or GDPR. This European regulation is nicknamed “privacy by default,” and it requires all companies and organizations that provide goods and services (free or not) to European citizens to respect and protect their personal data, even companies and organizations that aren’t in the EU. We have subscribers, supporters and volunteers in Europe, so the GDPR applies to us. It’s not clear yet how the EU will enforce the GDPR, but because it is so far-reaching, and because it would be prohibitively expensive to maintain multiple systems for the various countries and their laws, a lot of companies and nonprofits, including SkyTruth, are opting to treat everyone as if they were a European citizen, and that’s good for data protection here in the U.S.
In fact, we think that the intent of the GDPR is terrific. It hasn’t been a lot of fun wading through the GDPR’s 99 articles, performing audits of our websites and apps, taking care of paperwork, and learning the new tools that our third-party partners have implemented on their end to make sure that they’re in compliance. The requirements have been costly and labor-intensive to implement, particularly for small organizations like us. And we know that they have been a huge hassle for you too. But at its core, the GDPR is all about transparency in the handling of your personal data and the protection of it, which aligns pretty well with our philosophy of transparency in the handling of the environment and the protection of it.
Like all those other organizations that have been sending you email, we have been asking you to re-confirm your subscriptions to our blog and news releases. The GDPR requires us to get your consent, and it says that consent expires, although it does not specifically state when that happens. So you are likely to see more of these consent emails from the organizations you interact with in the future. We hope that you’ll stick with us as we make these changes, which we believe are in all of our best interests. If you want to continue to receive emails when we publish blog posts but didn’t confirm your subscription with us, here’s a link to our form. If you are a journalist and would like us to send you news releases, that form is here.
And for those who suffer from insomnia, the GDPR has been turned into a bedtime story for adults.