GDPR – Five easy steps toward achieving better, more lawful processes when handling data
The General Data Protection Regulation (GDPR) will become law on 25th May 2018. It is the first major overhaul of data protection in the UK for 20 years. Its purpose is to give data subjects more rights, to provide more transparency and to ensure that any organisation that collects, handles or shares personal data does so with a clear and lawful purpose.
You may not have been fully informed about the rules under the current Data Protection Act 1998 (DPA), and you may have been breaking the regulations without realising it. If so, you may find the GDPR more difficult to embrace, because you will need to change more aspects of your organisation’s procedures around data. You may even have to change the way you communicate with your audience. Regardless, here are five easy steps toward achieving better, more lawful processes when handling the data of your customers, supporters or members.
There are some really good things about the GDPR: things that will help you reinforce the links with your audience, and things that will help you save money. We really believe that ultimately you will have a much better, more transparent relationship with everybody you wish to communicate with, because they will trust you to keep their data. But there are other aspects you may find very difficult to comply with.
The Privacy and Electronic Communications Regulations (PECR) govern the use of electronic channels for communication, such as email. They say that you cannot email people marketing messages without clear and freely given Consent. Consent must be demonstrable, should anyone wish to check that you have actually got it. If you rely upon electronic channels for any income and you don’t have Consent or a version of it, you will have to stop this method of marketing straightaway. Lots of organisations have recently been fined by the Information Commissioner’s Office (ICO), which enforces data protection in the UK, for emailing people to ask if they can email them in the future. This is strictly forbidden under the PECR. So it’s a mixed bag of good and bad, but you will have to comply no matter how big or small your organisation may be.
1. Identify the right people – The GDPR would like you to identify a framework of people responsible for data protection. In a small organisation this probably won’t be too difficult. You mostly need a Data Controller: the person who takes responsibility for data on a daily basis. Make the identity of this person known to your data subjects whenever you communicate with them, and post it on your website too.
2. Data Processors and third-party contractors – If you’re sharing data with anyone, you will need a written processor contract between the organisations. The GDPR says that if you share data with another organisation so that they might perform a task on your behalf, they too must be GDPR compliant. So, for example, if you are printing a batch of letters and need a local printer to help, you will need a clear agreement with them before you can send your database over. The agreement will make it clear that they too should handle the data with care, restrict access to it, keep it secure and only use it for the purpose you have agreed. 70% of data breaches occur when a processor is involved. You will be responsible for their mistakes should there be a problem, so think carefully about who you will be working with in the future.
3. Have a clear reason for sending communications – The GDPR states that there are six conditions for processing data. Effectively, a condition is a reason or a purpose. We think there are three that charities may be able to use in the future. You only need to apply one at any time to be lawful.
Consent – Must be unambiguous, freely given, clear and demonstrable. It must be all of these things or it isn’t GDPR Consent. This is clearly the best condition, as it enables you to send any kind of message your privacy notice explained, by any channel you may have asked to use. The period Consent is valid for depends on your interpretation of the rules. The Fundraising Regulator has suggested it might need refreshing every two years.
Legitimate Interest – You need to write down and demonstrate what your Interest is and make a case for it. Nearly always it will be your Aims and Objectives as an organisation; to pursue these you will need to raise money or sell something to someone. Justifying your interest will be a key part of establishing a way to communicate with your audience. You can use your Legitimate Interest in printed communications but not in electronic channels. Your data subjects’ rights and freedoms must always be considered, and their right to object and Opt-Out of this form of marketing is very clear and must be strictly upheld.
Necessary for a Contract – If you sell products or services, then you may use this condition to service that sale. For example, if you sell tickets to an event you will have created a contract between the buyer and seller. The buyer has the right of recourse against you if you don’t supply the said purchase, or if they are dissatisfied. Therefore, you will need to communicate with them, which could be about the date or the arrangements made for the event; it may even be about other similar events in the future. It can’t be a marketing message about a completely different subject. These communications can be sent by email if you collected the address at the point of sale.
4. Privacy Notices – The GDPR wants you to be very clear about why you are collecting data; it’s all about giving people a clear choice. Gone are the long, never-read notices written in a language only a lawyer could understand. The new way will be short, easily understood ‘just in time’ notices that are relevant, transparent and unambiguous. It will be a challenge, but we’ll all be better off for this approach. So break down your information, avoid ‘catch all’ statements and go with separate statements for each request you make.
5. A policy and procedure framework – The GDPR wants you to start writing a series of policies that demonstrate your understanding of the regulation. You should start by deciding which policies you will need. You’ll need a DP policy statement for sure. You’ll also need a data retention policy, a Processor policy, and a policy for when you are deleting data or disposing of hardware that data may have been kept on. You’ll need an internal data breach log for when minor mistakes have occurred but were not reported. You will also need a plan that will guide you if you ever have to report a breach to the ICO. How will you decide whether it should be reported? Who will do this, and how will you inform data subjects?