Every organisation that processes personal data must comply with the GDPR from 25 May 2018, and this includes charities and voluntary organisations. Getting to grips with GDPR can be daunting and it can be difficult to know where to start, so this 12 point plan, adapted from the Information Commissioner's Office (ICO) guidance, is here to help you take the right steps.
1 Make sure the right people in your organisation know this is coming
Your trustee board and senior staff should be aware that the law is changing. They need to know enough to make good decisions about what you need to do to implement GDPR. They should also be aware that implementation may take considerable time and effort, and should add data protection to your risk register if you have one.
2 Identify what data you hold and where that data came from
If you don’t know what personal data you hold and where it came from, you will need to organise an audit of your different systems and departments to find out. This means all personal data, including data about employees and volunteers, service users, members, donors and supporters and more. You should document your findings, as GDPR requires you to keep records of your processing activities. You should also record whether you share data with any third parties, and who they are.
3 Update your privacy notices
You must always tell people, in a concise and easy to understand way, how you intend to use their data. Privacy notices are the most common way to do this. You may well already have privacy notices, on your website for example, but they will all need to be updated. Under GDPR privacy notices must give additional information, such as how long you will keep data for and what lawful basis you have for processing it. The ICO has guidance on GDPR compliant privacy notices.
4 Check your processes meet individuals’ new rights
GDPR gives people more rights over their data. For example, GDPR gives someone the right to have their personal data deleted. Would you be able to find the relevant data, and who would be responsible for making sure that happened? Get to know the eight rights and have the systems in place to be able to deliver on each of them.
5 Know how you will deal with ‘subject access requests’
Individuals have the right to know what data you hold on them, why the data is being processed and whether it will be given to any third party, and to receive a copy of that data. This is known as a subject access request. If the request is made electronically, you should normally provide the copy in a commonly used electronic form unless the individual asks otherwise. Your organisation needs to be able to recognise a subject access request, find all the relevant data and respond within one month of receipt of the request (this can be extended where requests are complex or numerous, but you must tell the individual within the first month). The ICO gives guidance on handling subject access requests.
6 Identify and document your ‘lawful basis’ for processing data
To legally process data under GDPR you must have a ‘lawful basis’ for doing so. For example, it is a lawful basis to process personal data in order to deliver a contract you have with an individual. There are six different lawful bases and, crucially, different lawful bases give individuals different rights. For example, if you rely on consent as a lawful basis, individuals have stronger rights to have their data deleted. You should decide on your lawful basis before you start processing, as it is difficult to switch to a different basis later. Understand and document what lawful basis you have for each processing activity using the ICO guidance on lawful basis.
7 Review how you get consent to use personal data
If you rely on consent as your lawful basis for processing personal data, then you need to review how you seek, record and manage consent. Under GDPR consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. You can’t rely on pre-ticked boxes, silence or inactivity to gain consent; instead people must positively opt in. Read the ICO guidance on consent and their consent review checklist. This is expected to be published by the end of summer 2017.
8 Build in extra protection for children
Many charities support children and young people, and GDPR brings in special protection for children’s personal data. Where you rely on consent to offer online services directly to a child, GDPR says children under 16 cannot give that consent themselves (although member states can lower this age, and the UK intends to set it at 13), so you may have to seek consent from a parent or guardian. You will need to be able to verify that the person giving consent on behalf of a child is allowed to do so, and any privacy statements aimed at children will need to be written in language that children can understand.
9 Get ready to detect, report and investigate personal data breaches
A personal data breach is a breach of security leading to the ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. You will need to have the right procedures in place to detect, investigate and report a personal data breach. GDPR introduces a duty to report breaches that are likely to result in a risk to individuals to the ICO within 72 hours of becoming aware of them, and where the risk is high, to the individuals concerned as well. You should also keep an internal log of all breaches, including those you decide are not reportable, so that you can show the ICO how you reached that decision. You need to be able to demonstrate that you have appropriate technical and organisational measures in place to protect against a data breach. Read guidance from the ICO on data breaches.
10 Build data protection into your new projects
Privacy by design means building data protection into all your new projects and services. It has always been good practice, but GDPR makes privacy by design an express legal requirement. To achieve this, data protection impact assessments must be undertaken where processing is likely to result in a high risk to individuals, in particular where new technology is being deployed, where profiling may significantly affect individuals, or where special category data will be processed on a large scale. Clarify who will be responsible for carrying out impact assessments, when you will use them and how you will record them. Read the ICO guidance on privacy by design and data protection impact assessments.
11 Decide who will be responsible for data protection in your organisation
Someone in your organisation, or an external data protection advisor, has to take responsibility for compliance with data protection legislation and must have the knowledge and authority to do this effectively. Some organisations will need to formally appoint a data protection officer (DPO), for example if your organisation is a public authority or carries out large scale processing of special category data such as health records or information about criminal convictions. Find out more from the ICO about when to appoint a DPO.
12 Get up to speed on data protection and fundraising
The use of personal data is central to most fundraising activities, and there has been a great deal of public and media scrutiny of fundraising techniques. If you use personal data to fundraise then you need to follow the latest guidance on fundraising and data protection. The Fundraising Regulator provides guidance which complements the ICO guidance on direct marketing.
See our general page on data protection for more on data protection health checks, GDPR training and sample policies.
Sources: NCVO/ Know How Non Profit/ ICO
Contributors: Myles Kunzli and Lauren Bernard