GDPR: WHAT YOU NEED TO KNOW TO BE COMPLIANT

The General Data Protection Regulation (“GDPR”) comes into force on 25th May 2018.

The objective is to make it easier for consumers to control how their data is used. Any organisation holding personal information must obtain consent from the consumer for what data it may use and how it may use it. There are no exemptions on grounds of size, which means that even the smallest charities need to think about how GDPR affects them.

The Department for Digital, Culture, Media and Sport recently published the results of its research into readiness for GDPR. The results highlight how much work is left to do, especially in the charity sector. Of the 569 charities included in the research, only 44% were aware of the existence of GDPR, and just over a quarter of those aware of GDPR had made any changes to their policies and procedures.

Charities need to have an action plan to deal with the implementation of GDPR. If you are not compliant by 25th May, you must have an action plan to achieve compliance, with a clear timetable for deliverables.


This article was a feature in our Spring Edition of Charity Aid which can be found here.

If you would like more information on Charity Aid, or to be on our mailing list for the publication, please get in contact at hello@garbutt-elliott.co.uk.


Information you hold

You must understand the data you hold before you can put any effective actions into place. Completing a data audit and maintaining an information register will give a detailed picture of the data you hold, what you need and what you don’t.

Once GDPR is implemented, it is against the law to hold data you don’t need, so use this as a chance to clear out your database and archives!

It is key that your data audit really does cover all personal data, not just the obvious. For example, does your organisation hold photographs of historical events?


Consent and privacy

When an individual shares personal data with your charity you must obtain consent and inform them of how and why you will use their data. This must be presented to them in a clear and unambiguous way. The same applies to data you already hold.

The regulations specifically say that ‘silence, pre-ticked boxes or inactivity should not constitute consent’. Given this, an ‘opt in’ rather than ‘opt out’ method of capturing consumer data is strongly recommended, and many organisations are choosing double opt-in. This means the individual actively selects tick box options and then confirms through a verification email; it is certainly the recommended approach for new data.

All data without adequate consent must be deleted completely.


Awareness

Key people in your organisation need to be aware that the law is changing and the impact this will have on working practices. Without this awareness there is a risk that staff and/or volunteers may not act in accordance with GDPR and expose the organisation.

Charities should also be prepared for access requests from donors who may want to check the data you hold and what you do with it. You should have a plan in place for handling requests within the appropriate timescales.

The ICO recommends that larger organisations have a Data Protection Officer and that, in smaller organisations, somebody is clearly responsible for data collection compliance.


Controls and procedures to prevent, detect and investigate

Failure to demonstrate compliance can lead to fines of up to €20m or 4% of an organisation’s income, whichever is higher. If your charity suffers a breach, there is also a duty to report it to the Information Commissioner’s Office (“ICO”).

Your organisation must have appropriate procedures and controls in place to detect and report a breach. Breaches must be investigated to determine the root cause and ensure systems are modified to prevent future breaches.

During the early days of GDPR, fines are likely to be rare for minor breaches, but the reputational impact on your charity, given the sensitivity of certain data held, could be costlier than even the maximum fines allowed!


Data Storage

Data security plays an important role in the new GDPR regulations, and the best way to avoid sanctions is to put robust procedures in place to prevent data breaches in the first place. If there are any doubts about your data management system, consider implementing a new, safer data storage system.

Consider any technical requirements as well as who has access to which data. Remember to document any steps you take to maintain security of the data you hold – this will help your cause should a breach occur.


Data Access

Anyone has the right to access and see what data you hold relating to them. The new regulations stipulate that this data must be provided to them on request, and that they must be able to rectify their data or update their data preferences at any time.

People have the ‘right to be forgotten’, meaning that they can request that their data be removed completely from your records. Depending on what kind of charity you are, this could include supporter, staff and volunteer information, and even potentially more sensitive information on beneficiaries.

The Information Commissioner’s Office (“ICO”) has recently published an FAQ on GDPR aimed at charities. This covers 12 key areas of GDPR and gives a package of tools to help organisations prepare for its implementation.

Laura Masheder

If you would like to get in touch you can email us at hello@garbutt-elliott.co.uk.
