As a charity you are probably under the impression that GDPR does not affect you all that much – you would be surprised!
The ICO states that charities are not exempt from GDPR: they will be treated like every other business and have to meet the same criteria. This means fines will be handed out for breaches, even if that is a “last resort”.
There has been talk that, as a charity, you don’t have to meet as many guidelines as other businesses, the common explanation being “as long as you can prove there is no risk”. However, proving there is no risk is essentially impossible, which means you should treat GDPR the same as everyone else.
So now that we have established that as a charity you are not exempt, it is important you understand the goal of GDPR.
The main goal of GDPR is to give individuals more control over their personal data: whether they want it stored and how it is used.
So what counts as personal data? Personal data is any information held about a person that can be used to identify them.
It is important that you give people a clear and concise reason for storing their data, that you only use the data in the way you outlined to them, and that you seek further confirmation for any other use.
If you don’t need their data, DON’T store it! Always ask yourself “what is the need for storing this data, and do I have permission?” Then you can’t go far wrong.
Always ensure you can easily remove any data if asked, or if it has been held longer than you outlined to the owner of the data. Emails hold a lot of personal information and it is important you can look up and delete an email address as easily as any other information you store on people.
To elaborate on this point: if someone asks you to remove their email address, then their email address must be removed within reason, to the best of your ability, from every location it is stored. This means, but is not limited to:
• your mailing lists;
• your email client address book;
• your smartphone email address book;
• any website/file backups that you have;
• any other location it could be stored, whether digitally or on paper.
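To show what such a sweep looks like in practice, here is an added example (not code from the original post) that removes one email address from several CSV stores named after the locations above, matching addresses case-insensitively and flagging an archived backup that cannot be edited in place. The store names, rows and the read-only backup are all constructed for the example.

```python
import csv
import io

# Constructed sample data, one store per location named in the post above.
# Real stores would be CSV exports from your mailing-list tool, address book
# and backup archive; the rows here are made up for the example.
STORES = {
    "mailing_list": "name,email,opted_in\nA Donor,Alice.Donor@example.org,yes\nBob,bob@example.net,yes\n",
    "address_book": "name,email\nAlice Donor,alice.donor@example.org \nCarol,carol@example.com\n",
    "backup_2018-04": "name,email\nAlice Donor,alice.donor@example.org\n",
}
READ_ONLY = {"backup_2018-04"}  # an archived backup cannot be edited in place


def normalise(addr):
    """Match addresses case-insensitively and ignore stray whitespace."""
    return addr.strip().lower()


def erase_email(stores, addr, read_only=frozenset()):
    """Remove every row holding `addr` from each CSV store.

    Returns the updated stores plus a report of where the address was removed,
    where it still sits in a read-only backup (re-run the sweep if that backup
    is ever restored) and where it was not found at all.
    """
    target = normalise(addr)
    updated, report = {}, {"removed_from": [], "pending_on_restore": [], "not_found": []}
    for name, text in stores.items():
        reader = csv.DictReader(io.StringIO(text))
        rows = list(reader)
        kept = [r for r in rows if normalise(r.get("email") or "") != target]
        if len(kept) == len(rows):
            report["not_found"].append(name)
            updated[name] = text
        elif name in read_only:
            report["pending_on_restore"].append(name)
            updated[name] = text
        else:
            out = io.StringIO()
            writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
            writer.writeheader()
            writer.writerows(kept)
            updated[name] = out.getvalue()
            report["removed_from"].append(name)
    return updated, report


if __name__ == "__main__":
    new_stores, summary = erase_email(STORES, "ALICE.DONOR@example.org", READ_ONLY)
    print(summary)
```

The report is the record you keep of what was done; the "pending_on_restore" entries tell you which backups would bring the address back if restored.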
Working with many companies on GDPR, it has become very apparent that as long as you followed the old rules as closely as you can, you are not far off from the new rules. The key is to make it very clear that you have permission and a purpose to process the data.
As long as you ensure you have completed the correct documents, which show that you understand the risk and have taken a reasonable amount of precaution to tackle it, you will be very close to complying.
GDPR has been blown up to be a set of scary new rules, but in reality you don’t need to worry as long as you stick to the following tips:
1. Make sure people know exactly what you are doing with their data. Don’t use big words to confuse or trick people, as this is against the new rules.
Break down every use you have for their data and why you are using it, letting them positively opt in to each use you outline.
(The best example of positive opt-in is ticking a box on your website to accept the outlined uses, rather than ticking to say you disagree.)
You don’t have to worry about marketing to people as long as you have gained their permission to do so and are marketing using only the information you have been given permission to hold.
2. Ensure every member of your team who handles data within your organisation has been given a course on the GDPR rules. It is important you don’t just do this for current staff, but for any new staff as well.
Some suggest that the current data protection training is enough; however, the training courses are a minimal cost compared to the fines you will receive if you are deemed not to have taken correct precautions.
It is important you also provide refresher courses regularly to ensure your staff continue to practise GDPR to the best of their ability. The frequency of this is up to you, but you must do what you deem reasonable (cost vs risk vs size of organisation).
3. Passwords must be kept as secure as possible: use a mix of capital and lowercase letters, numbers and special characters, and make each password at least 8 characters long.
One client of mine used to keep a spreadsheet full of all their passwords. This had to be dealt with straight away!!
Imagine your laptop gets compromised… every single account you have is now also compromised. That is grossly negligent!
It is important that if you have lots of passwords you use a secure, encrypted service to keep them safe.
This also applies to passwords kept offline in notebooks, which I know many people do. GDPR does not just apply to digital media, but to any form of storage, including paper.
If you choose to note passwords down in this form and your notebook is stolen, you have compromised all your accounts.
4. All devices used by members of your organisation in relation to the work you do must be properly secured.
This includes phones, USB sticks, laptops and any other form of digital storage.
The best way to do this is to encrypt the devices.
Encryption comes in various strengths; however, the stronger the encryption, the more it will cost. You must select the encryption which matches your level of risk and what you can afford.
As mentioned before, this does not just apply to electronic records, but also to paper records.
Any record stored on paper should be stored in a safe location, being locked where appropriate.
REMEMBER: delete doesn’t mean the data has gone! Just because you have deleted something from a memory stick does not mean it has gone; in fact, it can remain on the device until something overwrites it. Seek technical support to learn how to safely discard data.
The same applies to paper: destroy it using professional shredding services, especially where the data is highly sensitive.
In my opinion, the most important thing to secure and encrypt is emails. Emails store lots of personal data and are normally the first place you could be compromised.
5. The final point, which I have mentioned throughout: do you need to store the information?
As soon as data is no longer relevant you should delete it. Agree within the organisation how long you will hold data once it is no longer required, making sure to let the people whose data you hold know about this retention period.
By getting rid of the data, you avoid using it without permission and avoid putting the person whose data it is at risk.
If you do handle highly sensitive data you should take the maximum amount of precaution, seeking explicit permission to handle it and handling it only in a legitimate way. You may also require a Data Protection Officer.
Highly sensitive data, or special category data as it is known, includes:
• ethnic origin;
• trade union membership;
• biometrics (where used for ID purposes);
• sex life; or
• sexual orientation.
If you have concerns about the risks to your data (including donations and your donation process) and how to handle it sufficiently, you should seek advice from a professional who will guide you in understanding the rules further and ensure that you meet the requirements to the best of your organisation’s ability. Contacting a professional also shows you have taken a reasonable level of precaution.
Being a charity or non-profit will mean you aren’t overly pleased with the cost these new rules may create, so I would urge you to use as many free resources online as possible, doing what you can before you seek professional support. You don’t want to pay someone to do the silly things you could do yourself.
A great starting point is ico.org.uk.
Do what you can and don’t be afraid to ask questions!
Our friends across a number of charities highlighted GDPR as an area they are not completely up to speed with, with a small minority not even having heard of it.
Below is a small Q&A covering the most popular questions we received.
Q: When you say deleting data – What does this mean exactly in relation to backups etc?
A: In very simple terms, delete means delete. From every device, every address book, CRM or mailing list. To the best of your ability the information must be completely removed.
Q: Once deleted, can that person ever be contacted again?
A: Sneaky…. But no, you can’t – How can you if you have deleted all their information?
Q: Do I need to revalidate my list?
A: If you feel the data has been collected in a compliant way then probably not. However, if you collected the data in an unfair way, such as asking your visitor to opt out via a tick box when you collected the data, then you would need to revalidate.
Q: How do I revalidate my list?
A: A lot of the big companies are doing this at the moment. They are sending out simple emails asking their list if they would like to hear from them after 1st May 2018 or not. There are 2 clear options, a Yes and a No… If your user selects No, then you must remove all their data and not contact them again.
Should you have any questions about GDPR, then simply contact Jordan on 0121 663 0202
A special thank you to Jordan Cable who is our qualified GDPR expert.