The GDPR guide for small organisations
Your first steps to compliance
GENERAL DATA PROTECTION REGULATION 2018
Information to be provided to and permissions required from individuals to justify use of their personal data.
Make No Assumptions
Consent to be unambiguous and not “to be assumed from inaction”
Prior consent from parents for children under 16
All relevant staff must be familiar with policies and procedures
Personal Data Breach for all data controllers regardless of sector
Personal data must be kept secure with limited access and only shared with approved policies
Know Your Rights
Enhanced rights – Data subjects are given substantial rights
You need to appoint a member of your organisation who takes responsibility for data on a daily basis.
Data Protection Principles
Controller’s responsibility is to demonstrate compliance with data protection principles.
LAWFULNESS AND TRANSPARENCY
General Data Protection Regulation (GDPR) Introduction
General Data Protection Regulation (GDPR) will become law on the 25th May 2018. It is the first major overhaul of data protection in the UK for 20 years. The purpose is to give individuals more rights, to have more transparency and to ensure that any organisation that collects, handles or shares personal data does so with a clear and lawful purpose.
As you may not have been fully informed about the rules under the current Data Protection Act 1998 (DPA), you could have been breaking current data protection regulations without realising it. If so, you might find GDPR more difficult to embrace as you will need to change more of your organisation’s procedures around data. This could also include changes to the way you communicate with your audience. Regardless of this, here are eight steps toward achieving better, more lawful processes when handling the data of your donors, supporters and members.
GDPR - Will it be good for my organisation?
There are some really good things about the GDPR, things that will help you to reconnect with your audience as well as potentially helping you to save money in the future. We really believe that ultimately you will have a much better more transparent relationship with everybody you wish to communicate with because they will trust you to store and use their data responsibly.
There are some aspects, however, that may prove more challenging. The Privacy and Electronic Communications Regulations (PECR) govern the use of electronic channels for communication such as email. They state that you cannot email people marketing messages without clear and freely given consent. Consent must be demonstrable should anyone wish to check that you have actually got it. If you rely upon electronic channels for any income and you don’t have consent or a version of it, you will have to stop this method of marketing straight away. Some organisations have recently been fined by the Information Commissioner’s Office (ICO), which enforces data protection in the UK, for emailing people to ask if they can email them in the future. This is strictly forbidden under the PECR. So it’s a mixed bag of good and bad, but you will have to comply no matter how big or small your organisation may be.
GDPR - What do I need to do?
Identify the right people – GDPR would like you to identify a framework of people responsible for data protection. In a small organisation this probably won’t be too difficult. You will mostly need a Data Controller who takes responsibility for data on a daily basis. Make the identity of this person known to your data subjects whenever you communicate with them, and post it on your website too.
Data Processors and third party contractors – If you’re sharing data with anyone you will need a written processor contract between the organisations. GDPR says that if you share data with another organisation so that they might perform a task on your behalf, they too must be GDPR compliant. So, for example, if you are printing a batch of letters and need a local printer to help, you will need a clear agreement before you can share your database with them. The agreement will make it clear that they too should handle the data with care, restrict access to it, keep it secure and only use it for the purpose you have agreed. 70% of data breaches occur when a processor is involved. You will be responsible for their mistakes should there be a problem, so think carefully about who you will be working with in the future.
Have a clear reason for sending communications – GDPR states that there are six conditions for processing data. Effectively, a condition is a reason or a purpose. We think there are three that charities may be able to use in the future. You only need to apply one at any time to be lawful.
Consent – Must be unambiguous, freely given, clear and demonstrable. It must be all of these things or it isn’t GDPR compliant. This is clearly the best condition as it enables you to send any kind of message that your privacy notice has explained, by any channel you have asked to use. How long consent remains valid depends on your interpretation of the rules. The Fundraising Regulator has suggested it might need refreshing every two years.
Legitimate Interest – You need to write down and demonstrate what your interest is and make a case for it. Nearly always it will be the aims and objectives of your organisation. To pursue these you will need to raise money or sell something to someone. Justifying your interest will be a key part of establishing a way to communicate with your audience. You can use your Legitimate Interest in printed communications but not in electronic channels. The rights and freedoms of individuals on your database must always be considered and their right to object and ‘Opt-Out’ of this form of marketing must be very clear and strictly upheld.
Necessary for a contract – If you sell products or services then you may use this condition to service that sale. For example, if you sell tickets to an event you will have created a contract between the buyer and seller. The buyer has the right to appeal against you if you don’t supply the said purchase or if they are dissatisfied. Therefore, you will need to communicate with them, potentially about the date or the arrangements made for the event, or it may even be about other similar events in the future. It can’t be a marketing message about a completely different subject. These communications can be sent by email if you collected the address at the point of sale.
Privacy Notices – GDPR wants you to be very clear about why you are collecting data. It’s all about giving people a clear choice. Gone are the long, never-read notices written in a language only a lawyer could understand. The new way will be short, easily understood notices that are relevant, transparent and unambiguous. It will be a challenge, but we’ll all be better off for this approach. So break down your information, avoid ‘catch all’ statements and go with separate statements for each request you make.
A policy and procedure framework – GDPR wants you to start writing a series of policies that demonstrate your understanding of the regulation. You should start by deciding which policies you will need. You’ll definitely need a DP policy statement as well as a data retention policy. You will also need a Processor policy for when you are deleting data or disposing of hardware that data may have been kept on. An internal data breach log is necessary for when minor mistakes have occurred but were not reported. It is also strongly advised that you have a plan in place that will guide you if you ever have to report a breach to the ICO. Some important questions to consider include: ‘How will you decide whether it should be reported?’, ‘Who will do this?’ and ‘How will you inform data subjects?’.