The European Union General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU): “The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU”
Any system (regardless of its location) that holds personal data about EU citizens needs to comply with this rule. Not complying could result in a fine of up to €20 million or up to 4% of the annual worldwide revenues.
Some of the key concepts of the regulations as they apply to Shambhala are:
Processing of data needs to be based on informed consent of the data subjects (our members and contacts). They have the right of withdrawal at any time.
Right to access, modify or erase (right to be forgotten) one's own data.
Ensure full transparency about the purposes of the processing, with whom the data is shared, and how we acquired the data.
Obligation of notification to the authorities and data subjects in case of data breach within 72 hours after becoming aware of the data breach.
Data protection by design and by default (meaning using a system that is conceived with data protection as the ground).
Protecting our data with a mechanism of Anonymisation or pseudonymisation
Collecting only needed info on data subject (do we need to know the gender of a person registering for an open meditation session?)
Exposing only necessary data to operator (does an NY admin need to have access to personal data of a member in Melbourne?)