After outlining what GDPR means for charities in the first of a series of posts, Andrew Cross, Data and Insights Lead at Lightful, delves specifically into data retention and subject access requests, how the rules around these will alter under GDPR, and how best to prepare for it.
Data Retention is defined by the ICO as: “Data kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals”.
In plain English, data retention means that if data is no longer in use or required to be kept for a specific purpose then you should either delete it altogether, or anonymise all parts of the information that would give away the identity of the individual. By dealing with data in this way you are adhering to the organisational and technical safeguards stipulated by the GDPR.
What does this mean for my charity?
Non-profits are usually in possession of personal data that they gained when they were founded (which could be many years ago) and most of this pertains to historical donations or engagements with the organisation. However, if the supporter has not interacted with the charity within a reasonable time frame, then we can assume their information is probably not needed for analysis purposes and it should therefore be discarded or altered as explained above.
Unfortunately, most organisations lack clear retention policies, and their CRM systems often do not have the functionality to perform these deletions or anonymisations adequately through the front end or administrative areas. Technical workarounds are an option, but they require either having the skilled staff in-house or hiring expensive consultants.
What can we do now?
Well, you could start in the first instance by mapping any data flows from sources, using paid-for tools like Microsoft Visio or Lucidchart. Even Microsoft Excel and Word would suffice. It’s good to know where your data came from in order to review the Fair Processing Notices (Data Protection clause) to determine what you can or cannot do with the personal data from these sources.
Once you know where your data came from, you can start querying your database on what interactions those individuals have had with your charity. Did they donate to a cause, take part in a fundraising event or simply sign up to your newsletter, for example? Once this has been determined, start making business decisions on which records should be retained. Of course, some things you are required by law to keep, such as Gift Aid records. However, anything else should be dealt with by drafting a retention policy, and then sticking to it!
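The retention decision described above (keep what the law requires, anonymise inactive supporters with a history worth analysing, discard the rest) can be written down as code so it is applied consistently. The following is an added illustration, not Lightful's code or any particular CRM's; the record layout, the two-year inactivity window and the sample supporters are all assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Records the law requires you to keep (Gift Aid is the example from the post)
# are never touched; everything else follows the policy window below.
LEGAL_HOLD_KINDS = {"gift_aid"}
RETENTION_DAYS = 365 * 2  # assumed policy: two years without any interaction


@dataclass(frozen=True)
class Supporter:
    supporter_id: int
    name: Optional[str]
    email: Optional[str]
    last_interaction: Optional[date]  # None = no recorded contact at all
    interaction_kinds: frozenset      # e.g. {"donation", "newsletter"}


def anonymise(s: Supporter) -> Supporter:
    """Strip identifying fields but keep the id so aggregate reporting still works."""
    return replace(s, name=None, email=None)


def retention_action(s: Supporter, today: date) -> str:
    """Decide 'retain', 'anonymise' or 'delete' for one supporter record."""
    if s.interaction_kinds & LEGAL_HOLD_KINDS:
        return "retain"  # statutory retention overrides the policy window
    if s.last_interaction is not None and (today - s.last_interaction).days <= RETENTION_DAYS:
        return "retain"  # still active within the window
    # Inactive: keep engagement history for analysis without the identity,
    # or drop the record entirely if there was never any engagement.
    return "anonymise" if s.interaction_kinds else "delete"


def apply_retention(records, today: date):
    """Return the records to keep (some anonymised) and a count per action."""
    kept, summary = [], {"retain": 0, "anonymise": 0, "delete": 0}
    for s in records:
        action = retention_action(s, today)
        summary[action] += 1
        if action == "retain":
            kept.append(s)
        elif action == "anonymise":
            kept.append(anonymise(s))
    return kept, summary


# Constructed sample data for the demonstration; not real supporters.
SAMPLE = [
    Supporter(1, "A. Donor", "a@example.org", date(2015, 3, 1), frozenset({"donation", "gift_aid"})),
    Supporter(2, "B. Runner", "b@example.org", date(2014, 6, 10), frozenset({"event"})),
    Supporter(3, "C. Reader", "c@example.org", date(2017, 9, 5), frozenset({"newsletter"})),
    Supporter(4, "D. Nobody", "d@example.org", None, frozenset()),
]


def run_sample():
    """Apply the policy to the sample as of 25 May 2018 (GDPR application date)."""
    return apply_retention(SAMPLE, date(2018, 5, 25))
```

Run once against a CRM export to see how many records each rule would affect before anything is actually changed, then apply it on the schedule your retention policy sets.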
Subject Access Requests
Subject access requests are where the individual uses their right to obtain all the personal data that your organisation holds on them. This request has to be done in writing and with proof of identification. Also, at present a small fee might be charged (£10). This fee will disappear under the GDPR; however, for “excessive” cases there is some justification to make a charge.
What does this mean for my charity?
If your charity is targeted with one of these requests, the current time frame to conform is 40 calendar days. However, this will reduce to 30 under the GDPR. As most organisations have data stored across multiple systems in multiple locations, compiling a full audit log of how data has been processed, in addition to representing this clearly, will take a fair proportion of time, not to mention ensuring that the data of other individuals is not exposed and is redacted properly. It is therefore essential to give yourself adequate time to prepare for this change.
It is a lot to digest, but there are lots of resources that can help you and your organisation in the run-up to May 2018. If you are currently compliant with the DPA and PECR you have a little bit less work to do than those that are not. GDPR is a good thing!
Stay tuned for the next post in the GDPR series, where I’ll take you through everything you need to know about data governance and the role of Data Protection Officers.