Whether your preparations are already underway, warming up or non-existent, it’s important that your organisation is ready before the new requirements for data management kick in on May 25th 2018.
The goal of GDPR (General Data Protection Regulation) is to empower data subjects (you and me) and give them control over the information organisations collect and hold on them. For charities or social enterprises, this could include contact details of donors, newsletter subscribers, employees, volunteers or organisations with whom you share data.
For a full and detailed account of what the GDPR is about, we’d strongly recommend consulting the Information Commissioner’s Office recommendations which, at the time of writing, are the sacred text on all things GDPR-related.
“Every charity and social enterprise, no matter how large or small, should be thinking about how they collect, use and store people’s personal information. The key is to get on the road to GDPR compliance now.”
Carla Whalen, Russell-Cooke solicitors
The actions you may need to take to prepare for GDPR will be specific to you, since no two charities or social enterprises are the same. However, here are some general tips to consider before you put your plan in place.
Obtain buy-in from your leadership team
The first step is to get the key decision makers on board. We informed our Chief Executive and persuaded them to ‘sponsor’ our GDPR preparations (the significant penalty for noncompliance proved convincing enough!). With support from the top it will be easier to push the change necessary with the least resistance.
Know the terminology
Learning the lingo is crucial for GDPR. For instance, understanding the nuances between the ‘data controller’ (the person in charge of the data) and the ‘data processor’ (the agent which acts on their behalf) can be tricky, especially if your organisation is anything like us and sometimes fills both roles.
It’s also important to get a grip on the personal data you hold, especially if it would be classed as special category personal data (e.g. records of disability, ethnicity or sexual orientation).
Audit and review
We decided to break it down by each team and spread the weight among designated ‘experts’ across the organisation. The audit involves us asking questions about each team’s data processes: ‘Why are we holding the data?’, ‘What format is the data in?’, ‘How long are we holding the data for?’ etc.
Privacy notices and policies
You should be able to prove to an auditor that you have processes in place if a customer/supporter requests their information (a ‘subject access request’) or a data breach occurs.
This sounds like a lot of work… what’s the good news?
GDPR is ultimately about accountability and transparency. It should be seen as an opportunity to better connect you with your supporters, and as a ‘spring cleaning’ exercise for those organisations that haven’t prioritised data protection in the past.
Whatever action you take to implement your own GDPR plan, don’t feel too overwhelmed. There are various resources and people you can turn to.
- ICO’s guidance. They have a ‘12 steps to take now’ guide, a checklist and a dedicated telephone advice helpline to help you figure out what’s best for you.
- External review. You may choose to use a data specialist to examine and report on your current data protection practices and procedures, or to review your own internal audit. While there may be a cost involved, you will be guaranteed a thorough review.
- Webinars and seminars. Many of these are free and interactive allowing you to pose questions to experts.
- Advice from charity specialists and events aimed at the charity and social enterprise sector can also be found on CAN and NCVO. Charity solicitors such as Russell-Cooke can also help you review and update your data protection policies and privacy notices.