How should charity leaders get ready for GDPR?
The EU’s General Data Protection Regulation comes into force in the UK in May 2018, necessitating major changes in the way most organisations handle the personal data of their users, customers and supporters. The new rules attempt to simplify data protection regulation, but with only months to go before the new regime kicks in, it seems the charity sector is largely uncertain about what’s needed. A recent survey of 300 UK charities by the Institute of Fundraising found that more than a fifth of respondents had not yet taken any steps to get ready for GDPR, with 72% citing a lack of clear guidance as the main obstacle. Our new whitepaper, GDPR and Charity Data, sets out to clarify what’s needed to get GDPR-ready, and provide useful guidance to third sector leaders on where to begin the process.
GDPR: an opportunity to rebuild trust in the third sector
Public trust and confidence in charities is at an all-time low. A perceived lack of good governance, reports of high-pressure fundraising techniques, and fines levied by regulators for the misuse of supporter data have all contributed. GDPR provides charities with an opportunity to counter these negative perceptions and demonstrate that they respect digital rights and freedoms.
GDPR ushers in a new era of user-friendly, plain-spoken and easy-to-understand language around data protection. It takes data protection regulation out of the exclusive clutches of lawyers and makes it accessible. Organisations who lead the way in implementing these beneficial changes will do much to counter the suspicions which currently hang over the third sector.
You shouldn’t think of GDPR-readiness as a mere issue of compliance. It’s a way to build engagement, retention and satisfaction through more open, transparent and consent-based supporter relationships.
What does GDPR mean in practice?
While there has been much scaremongering over the levying of fines and imposition of bans on data processing for those found in breach of GDPR, the reality is likely to be much more mundane, with understaffed regulators taking a reactive approach and working in a constructive, non-adversarial way with organisations.
When GDPR comes into force, it will be an evolution of existing data protection laws, not a dramatic overhaul. Organisations that already comply with the provisions of the Data Protection Act will find themselves well-prepared to deal with the new legislation.
In the whitepaper, we emphasise three key aspects of GDPR: the wider definition of personal data, the stricter rules on consent, and the duty to document. These mark a departure from existing regulations, and help bring data protection regulation into the age of cloud computing.
GDPR, and the EU’s principles of data protection and privacy in general, all apply to personal data. There is also a special subset of personal data, known under the Data Protection Act as sensitive personal data and under GDPR as special category data, which covers things like health data and political opinions and attracts additional protections. GDPR’s definition of personal data expands on the definition that’s been in use since the 1995 Data Protection Directive, and critically encompasses ‘online identifiers’ such as IP addresses and cookie identifiers. In practice this means web server logs, analytics data and email tracking records are personal data too.
Understanding what data falls under the various provisions of GDPR is crucial for compliance, and for protecting your users’ digital rights.
Under GDPR, consent matters more than ever. Every use of personal data must rest on one of the lawful bases set out in the regulation, and for most charity fundraising and marketing activity that basis will be consent. There are a number of criteria that this consent must meet in order for the data processing to be lawful: it must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Pre-ticked boxes and silence do not count. Consent must also be granular, i.e. we need separate consent for each specific use of the data, and unbundled: creating an account shouldn’t automatically opt you into receiving an email newsletter.
Consent is not the only lawful basis. The others are that the processing is necessary for the performance of a contract, for compliance with a legal obligation, to protect someone’s vital interests, for a task carried out in the public interest, or for the organisation’s legitimate interests where these are not overridden by the individual’s rights. Whichever basis you rely on, you must identify it before processing begins and state it in your privacy information, because you cannot swap to a different basis later if consent turns out to be invalid.
If we were to sum up GDPR in two words it would be: document everything. GDPR is about knowing what you have, what you are doing with it, where it’s stored, who has access to it, and how you’re safeguarding it. You have to know all of this, and you have to document all of this. Some of this documentation will be internal, and some of it, such as your privacy information notices, will be public.
In the event of a privacy concern or a data breach, the Information Commissioner’s Office will ask to see your documentation.
How should charity leaders start getting GDPR-ready?
The first step is making everyone in your organisation aware of the ways the law is changing and how it impacts their work. Not everyone can become an expert on the minutiae of data protection but they should, at least, know what personal data is. They should know what you can and cannot do with it, how they should secure consent, what constitutes a data breach, and what internal reporting mechanisms they should trigger in the event that a breach happens. The last point has a hard deadline attached: GDPR requires breaches that are likely to result in a risk to individuals to be reported to the ICO within 72 hours of the organisation becoming aware of them, so internal reporting must be fast enough to leave time for that assessment.
Our whitepaper includes a handy list of recommended actions for charity IT leaders – from reviewing consent processes to implementing Privacy by Design – so they can begin their GDPR journey with confidence.