Add mention of GDPR in indicator 7

[lacabra]

This PR continues the conversation started in #2, from this comment thread

[Lucyeoh]

In accordance with the new governance.md protocol below I am commenting on this issue to document and exploring the implications of accepting or rejecting the proposed change. This should trigger a two week community input period that will end November 12th, 2020.

Recommendation: Add mention of GDPR, alongside other examples, to the form but make no changes to indicator 7 of the standard. 
Reason: Standards are helpful for people completing the questions but are not inherent to defining digital public goods and so should not be included in the standard itself. 

Prompt "Perhaps the GDPR could be adopted as an exemplar to follow for the time being?"

Options:

1. Add GDPR into indicator 7 as an example aka.

**7. Adherence to privacy and applicable laws** | The project must state that
to the best of its knowledge it complies with relevant privacy laws (for example 
the General Data Protection Regulation (GDPR)), and all applicable international 
and domestic laws.

2. Add GDPR into indicator 7 as an requirement aka.

**7. Adherence to privacy and applicable laws** | The project must state that
to the best of its knowledge it complies with relevant privacy laws (including 
the General Data Protection Regulation (GDPR)), and all applicable international 
and domestic laws.

3. Add GDPR as a prompt on the collection form standard-questions but do not add it to the standard itself.

* Does this project comply with all relevant privacy laws such as the General Data Protection Regulation (GDPR)?

Implications of accepting the recommendation and adding GDPR as an exemplar in the form:

• Gives a concrete example of the kinds of policies to consider and sets a bar.
• Doesn't add specifics to the Standard (designed to create consensus around whether something is a digital public good)
• GDPR is a regulation in the European Union (EU) and the European Economic Area (EEA) and GDPR became a model for many national laws outside EU, including Chile, Japan, Brazil, South Korea, Argentina and Kenya. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR

Implications of adding GDPR into indicator 7:

• Is very Eurocentric, could be mitigated by listing other policies from other continents as well such as Framework for Cyber laws for the East African Community, Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS for the Economic Community of West African States (ECOWAS) et al.
• Sets "the bar" fairly high in some areas so we might want to take a bit more time to consider the language around this as the could exclude some very interesting startup-projects.
• Not enforceable - we have no way of knowing whether they're complying with GDPR.

**We invite you to leave your comments for or against the removal of 9a below. This two week community input period will end November 12th, 2020. **

During this period we will inform the members of the Alliance's Internal Strategy Group (ISG) giving them an equal chance to comment. The final decision will require consensus from the 2 co-leads and 2 technical leads.

[Lucyeoh]

Decision: To add to the standard-questions "description"

"For example the General Data Protection Regulation (GDPR) or frameworks for the East African Community, Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS for the Economic Community of West African States (ECOWAS) et al."