Crossposted on Substack.
This is a guest post by Katalina Hernandez. She is a UK & EU lawyer and Data Protection Officer with expertise in GDPR compliance, though nothing in this post should be taken as formal legal advice.
TL;DR: Even small EA and AI Safety orgs or groups handle personal data and are subject to GDPR if based in the UK or EU, so skipping a privacy policy can harm trust and credibility even if enforcement is unlikely. This guide offers tailored, plain-English templates and tips for adapting policies responsibly, plus free support for compliant, trustworthy data practices.
Why you need a Privacy Policy
Whether you're coordinating a few AI Safety meetups, running a fellowship program, or exploring new community building ideas, you're likely handling personal data.
This could include things like signup forms, feedback surveys, or mailing lists.
If you're based in the UK or EU and deal with people’s personal data, there are certain (unavoidable) legal responsibilities under data protection laws like the GDPR[1]. In practice, it’s unlikely that your group would face a fine—regulators tend to prioritize larger-scale violations.
But skipping this step can still backfire: people might hesitate to engage if it’s unclear how their data will be handled, and it comes across as sloppy and unprofessional.
A simple privacy policy helps you avoid this. It shows transparency, builds trust with participants, and gives your group a more credible, intentional feel, especially when working with external collaborators or funders.
I’ve noticed that many EA-aligned orgs (especially early-stage ones) delay this step or copy/paste from elsewhere, often using LLMs. This often leads to either overkill or risky omissions.
I appreciate how burdensome it is to think about these "bureaucratic" details, and how unfair it may feel to be subject to these requirements under EU regulation even as a small org. I agree that the administrative burden is excessive, though there is real value in mapping your data pipelines (the "customer journeys"): it helps you understand how much data you collect, why you collect it, and how your organisational processes fit together.
Templates
To make this easier, I've prepared template documents designed specifically for the kinds of activities EA/AI Safety groups tend to run[2]:
- ✅ Privacy Notice (compliant with GDPR, covers events, signups, career advice, etc.)
- ✅ Terms & Conditions for participants (courses, events, and online spaces)
- ✅ Volunteer NDA / Role Agreement (important to actually adapt it to the specific responsibilities of the role, and your jurisdiction!)
Link to the Folder with all templates: STANDARD TEMPLATES ONLY
These are:
- Jurisdiction-agnostic within the UK and EU context.
- Written in plain English.
- Easy to adapt to your org's needs.
🚨 Important caveat: I’m a UK/EU lawyer and GDPR specialist. These templates are not suitable for non-EU and non-UK jurisdictions, so please don’t use them outside that scope. Please don’t take anything in this post as official legal advice; these are generic considerations that I think may be useful for readers.
Tips for Using LLMs to Draft or Adapt Your Own Privacy Policies
If you want to customize the policies above using an AI model like ChatGPT, here are a few tips to avoid common pitfalls:
- Feed it context. Don’t ask for a generic “privacy policy.” Instead, provide:
  - How you collect data (e.g. Google Forms, Airtable, Notion, Slack)
  - What types of data you collect at each stage
  - What purposes you use it for (e.g. event logistics, career mentoring)
  - Who you share it with (e.g. funders, hosting platforms)
  - How long you retain it
  - Who the data subjects are (students, facilitators, applicants?)
- Don’t copy-paste the output. Use it as a first draft, then refine iteratively.
- Know what’s boilerplate[3] and what isn’t. The accountability, transparency, and purpose limitation principles of GDPR mean that your policy must reflect your actual practices. If you can run the draft past a local data protection expert, that would be ideal. If you do not have anyone to reach out to, feel free to email me: if you are in the UK or EU, I can help, and I can also point you to USA data protection specialists.
Need Help?
I’m happy to assist any EA/AI Safety-aligned org (free of charge, with the option to donate) with reviewing or adapting these materials.
Whether you’re managing local events or launching a new initiative, feel free to reach out:
- Via LinkedIn: https://www.linkedin.com/in/katalina-hernandez/
- Via email: katalina.hrdez at gmail dot com
[1] Outside the UK and EU, different privacy laws apply. This article is intended specifically for individuals or organizations that are subject to the GDPR or operate in ways that trigger GDPR obligations. I’m not qualified to advise on the legal requirements in other jurisdictions such as the U.S., Asia, or Latin America.

[2] I have extensive experience in Data Protection / GDPR / Privacy consultancy. However, please do not take anything in this post or the templates as legal advice. I strongly recommend consulting your legal team (if you have one) about your policies and data protection practices.

[3] The standard legal terms that are included in most contracts.