We’ve read the headlines: large-scale breaches of highly sensitive information in the United States, in the Philippines, in Nigeria, in India … the list goes on. The message is consistent: somebody, somewhere, needs to do something to protect us. Enter the General Data Protection Regulation (GDPR), the EU’s (in)famous answer to protecting the personal data of its residents. Some applaud it as the world’s strictest privacy standard; others consider it outdated from the start. (We’re in the age of blockchain and AI; you tell me how to exercise the right to erasure against an append-only ledger.) Either way, GDPR concepts are useful in international development contexts.
For those of us in international development, the challenges of GDPR are more specific to the operational nature of our work. This includes everything from the “why” (individual-centric privacy and consent as a Western concept helicoptered into developing-world contexts) to the “how” (the right to data portability as a cruel joke when we’re dealing with refugees who don’t even have smartphones or laptops). At the end of the day, we work with some of the most vulnerable people on the planet. Privacy is less of a concern for them than, shall we say, survival.
Fair enough. And yet, technology will always penetrate a market before the regulations catch up. While “move fast and break things” might work in Silicon Valley, in the space in which we operate, the “things” we risk breaking are human lives. Do we then dismiss regulations like GDPR and instead rely on our own good intentions to Do No Harm? Maybe my faith in our sector is too optimistic, but I seriously doubt that malice was to blame for these data breaches. No, they came from good intentions with zero accountability to the protocols that mitigate exactly what happened: attacks that exposed the personal data of thousands of people.
While GDPR isn’t perfect, it is arguably the strictest privacy standard in the world, and by applying its principles to your operations worldwide, it can serve as a fantastic tool to improve the quality of your work while preserving the privacy of your beneficiaries.
Here are five privacy measures that any organisation, no matter how small, can implement:
1. Carry out an internal data audit. Understand where personal data is held in your organisation, in what platforms, who has access to it, and what you are doing with it. Keep it simple. Tap a point person for each department, share a simple spreadsheet to fill out, and make sure these key questions are answered:
What personal data do we collect?
From whom do we collect this data?
Why do we collect this data?
Do we really need this data?
Would we ever need this data for a different purpose?
Who has access to the data?
Do we share the data with anyone external or another data processor (tool)? If so, who?
Where is the data stored/held (physically)?
How long will we retain the data?
Bonus points: Turn it into a higher-level data inventory that can be shared (confidentially) with key partners and regulators. For the adrenaline junkies, I guarantee this one will be a terrifying and enlightening experience: it exposes all your weak spots and gives you a steer on where to focus your mitigating efforts.
2. Conduct data protection impact assessments (DPIAs) for your projects. A DPIA is a useful tool for uncovering the key risks specific to any new project, as well as compelling your team to think critically about the justification for collecting and using data, what the GDPR calls the “lawful basis for processing.” A good DPIA will require you to ask and answer dozens of questions before moving your key risks and mitigations into a clear report. Here’s a basic template to get you started.
Bonus points: Publish them publicly on your company website.
3. Implement prioritised data subject rights. By data subject, we mean the people you’re trying to serve. This is the most difficult measure to implement, as the rights were designed for literate, tech-savvy consumers with direct access to, say, a smartphone. For example, you can’t realistically be expected to fully apply the right to data portability in your projects. However, implementing the rights you can will significantly improve the privacy of your beneficiaries. What you can do is:
Prioritise which rights are fundamentally important, irrespective of how hard they might be to implement (e.g., the right to withdraw consent, if consent is used as the lawful basis for processing).
Work with your relevant departments to implement short-term wins, such as a person designated for beneficiaries to contact to have their data deleted, and long-term robust changes, such as building training for frontline operators around privacy being a key human right.
Bonus points: Be public about the successes and failures of operationalising privacy rights. Share key insights with the industry; we’re all facing the same challenges, and your learnings can help us—and by extension, our beneficiaries—avoid the same pains.
4. Train your employees. Privacy cannot be a top-down mandate, or one that sits siloed away with your monitoring and evaluation team. It must be regarded in the same way as good human resources practice: a shared awareness and responsibility, embedded across the entire organisation, that every employee is expected to meet. To start:
Tap strong decentralised “privacy leaders” and train them to champion privacy protocols in their departments.
Make sure every single employee gets proper privacy training. By proper, we mean a curriculum that doesn’t simply check the minimum-requirement box, but rather articulates why this focus on privacy is of paramount importance for your organisation. This is one instance where “drinking the Kool-Aid” is a good thing.
Bonus points: Create a support structure for privacy leaders, for example regular check-in meetings where they can voice concerns or share learnings across the company.
5. Set up an Integrity Council. You’ve set the bar in your company. Now you have to stick to it. One effective way to do this is to find a group of high-integrity individuals, independent of your company, and ideally with diverse backgrounds, approaches, and points of view, who can hold you accountable. They will form your Integrity Council. Similar to how a Board of Directors can serve as a CEO’s sounding board, an Integrity Council can serve as a sanity-check before you make key decisions (e.g., a new project in a high-risk location, a completely new use case, or a vulnerable population). For example, Yoti’s Guardian Council makes sure the company remains faithful to its three responsible data commitments. As of writing this post, we’re in the process of setting up our own council, and we’d be more than happy to share our experiences.
Bonus points: Arm the council with the project’s DPIA when one exists, so they can use it as the basis for their review. If they raise concerns, be transparent and include those concerns (as well as your response) in communications with relevant project partners.
In international development, privacy is often treated as an afterthought. While this sentiment is understandable (seriously, we feel the pain), privacy in our digital age nevertheless remains a fundamental human right. How we extend this right to the most vulnerable populations we aim to serve can run along a spectrum, from complete disregard to a fierce application of every appropriate requirement. Identify the gap on the spectrum between where you are now and where you want to be, and take some of the measures above to start moving the needle.
Privacy as Protection
Beyond GDPR, the key questions we all have to answer are these: How sensitive is the data you are collecting, how much of it are you collecting, and how high do you want to set the bar, in light of your guiding principles and values, for the sake of people who have virtually no protection against exploitation? Do not underestimate the risks of data misuse and abuse. Good intentions will not be good enough, especially when we have an ethical and mission-driven obligation to our beneficiaries. Even the smallest movement toward a human-centred approach to privacy can make a huge difference.