In the new year, the General Data Protection Regulation (GDPR) is set to be a major challenge for charities, and given the widespread use of personal data in many organisations and potentially crippling fines that can be imposed for non-compliance, this issue cannot be ignored. I am working with Eastside Primetimers as one of their member consultants to develop a GDPR compliance approach with three discrete phases, to ensure that charities can face this new environment with confidence. I am also performing an audit within Eastside Primetimers itself to ensure that all of our interactions with our friends, partners and clients in the not-for-profit sector will be GDPR-compliant, because as a social change consultancy dedicated to a strong and effective sector, it is vital that we practice what we preach.
To help raise awareness and highlight the key issues, especially for small- and medium-sized charities, we have prepared a brief summary on this vital topic.
What’s it all about?
The GDPR is new data protection legislation which comes into force on May 25th 2018. It is stricter than the current regulation, the Data Protection Act (DPA). It is a Europe-wide set of regulations introduced to protect any individual whose data is retained by any organisation. However, this isn’t just about a set of regulations – it is intended to increase trust and transparency with an organisation’s stakeholders, whether they are donors, staff or employees. Ultimately, being GDPR compliant should be a benefit, as it means those who share information should have greater confidence in the organisation they are sharing it with.
Who is affected?
The new regulation affects anyone holding and handling personal data such as donor lists, newsletter distribution lists or beneficiary, volunteer or employee information. Ultimately it relates to any data by which an individual can be identified (e.g. name, contact details, IP address, associations and so on).
Why do I need to care?
Since December 2016, thirteen charities have been fined by the Information Commissioner’s Office (ICO) for breaching the Data Protection Act. The size of these fines was reduced because they were charities, but this will not be the case in the future under the GDPR, where a worst-case data breach can now attract a fine of 4% of annual global revenue or €20m, whichever is the greater. Even a relatively modest breach could cost tens of thousands of pounds, so gone are the days of a strongly-worded letter from the Information Commissioner’s Office for a data breach. The ICO has teeth and it will bite hard.
The impact on the organisation will not just be the size of the fine but the damage to its broader reputation. Fines and adverse publicity don’t breed confidence in donors and funders. It is also expected that there will be an increase in litigation. Win or lose, this could bankrupt a charity.
What is changing from DPA, the old regulation?
The emphasis under the GDPR is on ‘Privacy by Design’. Data privacy should be the default, not an afterthought. Consent for use of personal data for marketing or sharing with third parties must now be strictly ‘opt in’, so there will be no more “Tick this box if you don’t want…….”. Now “Tick this box if you do want……..” becomes the norm.
Access to people’s personal data will need to be more robustly controlled. Many charities are used to doing this for beneficiary data, but less so for donor data. Under the GDPR, data needs to be managed in such a way that it is clear how those controls are maintained and that only those that need access have access.
Individuals now have a ‘Right To Be Forgotten’. The organisation must fully justify retention of personal data, and at the request of the individual, they must delete any superfluous, out of date, inaccurate, or unnecessary data. “We might need it for marketing” is now not a justifiable reason to retain data.
What do I need to do now?
The first step should be to audit all the personal data you hold and establish at the very least: what the data is, why it is held, how the data is captured, how it is stored and retained (including back-ups), who has access and how it is being used.
You should assess and fully understand your current practices both from a business process and systems perspective. Legacy systems and procedures may well be non-compliant. If you are in any doubt, seek professional help.
Where can I find out more?
The ICO has produced a really helpful ‘Getting ready for the GDPR’ toolkit, which includes an online self-assessment.
I recommend starting now by assessing the size of the task to be completed by May 25th. If you have to make major changes to your systems, that can take considerable time. Don’t leave it to the last minute!
Mike Griffin is a member consultant with Eastside Primetimers and an experienced data protection specialist. If you need help or additional advice on how to get your organisation ready for GDPR, please call now on 0207 250 8334 or email firstname.lastname@example.org