GDPR – your checklist
Charities will need to be fully compliant with GDPR by 25th May 2018. This regulation is much more than simply updating policies, procedures and processes. It is an organisation-wide responsibility, with accountability and the individual’s privacy at the centre of sweeping changes in data regulation. If you haven’t yet started, now is the time to put your GDPR readiness plan into action. To help, we’ve created this checklist to guide you, so that you can tick off the actions you’ve completed and show that you’re making progress.
• What information is affected?
GDPR applies to any personal information on private citizens. This could be a name, an address, an email address, bank details, social network posts – even a photograph… just to name some of the more obvious types. Organisations will be responsible for keeping that data secure, for recording what use is made of it, and crucially, for ensuring that the individual’s consent has been given to hold and use that data.
Furthermore, it will be necessary to give individuals the ability to edit their own consent settings, and to exercise the ‘right to be forgotten’, should they so wish.
• Do your existing systems come up to scratch?
GDPR will introduce significant new requirements. For example:
- Can your existing system demonstrate that an individual has given consent?
- Does it draw together all the data held on a single individual in one place?
- Can that person review what consents have been given, and alter or withdraw them as desired?
- Will your system implement such changes in a reasonable time scale?
- Are your privacy policies legible, understandable and accessible?
• What do I need to be thinking about?
A coherent and integrated approach to preparing for GDPR can pay short-term dividends in terms of time and resource – and deliver a fit-for-purpose framework for storing and working with personal data for years to come. Here are some key issues to consider for starters:
- Senior accountability: if an organisation is ‘regularly and systematically’ monitoring data subjects on a large scale, a Data Protection Officer needs to be in place.
- Data security: confidentiality, anonymity, protection in the event of unforeseen events and failures, stress-testing…
- Supplier checks: GDPR requires the full data chain to be secured – as well as keeping their own house in order, it’s every organisation’s responsibility to ensure that suppliers are doing what they need to do to achieve compliance.
- Consent: ensure that it’s been given; that it’s been recorded; that it is easy for individuals to review and amend or withdraw their preferences – and that all this can be demonstrated.
- Plain English: translate privacy and data policies into terms that everyone can understand – and put them where they can be found!
- Response times: more people will query their data in the future – systems need to be put in place to ensure that these enquiries are dealt with quickly and efficiently.
• GDPR – The Background Context
Two key driving forces in the charity sector are coalescing to change how we will need to manage supporters’ relationship with charities. Both are linked to the use and collection of personal data.
First – falling consumer trust in brands is changing the relationship:
- 89% of people avoid companies that do not protect their privacy (Source: Truste / Ipsos MORI, 2015)
- 36% lack trust in how their personal information is used: will charities only make contact where permission has been given? (Source: NCVO Working Group Recommendations, Sept 2016)
- 72% of people agree that data sharing is part of the modern economy (Source: DMA, 2015)
- 90% of people say they want more control over their data (Source: DMA, 2015)
Secondly, GDPR is driving organisational change. Organisations will need certainty over:
- What data has been collected?
- Why is the data being collected, and for what purpose?
- Who is using the data?
- When was the permission granted (date)?
- Where was the permission granted (source)?
Supporters will have new rights in their interactions with organisations:
- Access their personal data
- Change their preferences continually
- Amend and delete their data
- Request deletion from third-party systems they previously agreed to
- Expect organisations to hold their data securely and encrypted