Philip Anthony, Director at CoopSys, details what charities need to do in order to comply with the much talked about General Data Protection Regulation (GDPR) – and outlines why charities need to start working now if they are to be compliant in time for the May 2018 deadline
Much has been written and said about the new General Data Protection Regulation (GDPR) and what it means for charities – and rightly so given its potential impact.
GDPR is an important step forward when it comes to privacy and data security, and will build upon the original data protection act when it comes into force in May 2018. That original act was relatively easy to comply with in as much as many organisations said, ‘here’s our data protection officer, and we’ve checked compliance,’ and left it at that. GDPR really ups the ante and makes data security much more serious. It strengthens and unifies data protection and aims to give control of data back to citizens. Privacy and compliance are business essentials and GDPR is your opportunity to give your customers what they demand.
There’s a lot of talk about GDPR out there, but what do charities actually need to do about it? Of course, it depends on the size of your organisation, but it can be complex.
CoopSys offers a GDPR consultancy service where we’ll work charities through the stages required to be GDPR ready – a process that involves:
GDPR Readiness Assessment
An initial readiness assessment will be conducted with the manager responsible for data compliance.
This assessment will investigate the organisations current compliance level, management awareness of GDPR and identify any particular data risks.
A communication will be sent to all senior managers explaining the basis and impact of the GDPR regulations aimed at raising awareness and preparing the team for involvement in the proposed data audit.
A detailed audit will be completed investigating all categories of personal data maintained by the organisation. In addition, existing systems and processes for managing that data will be reviewed.
The audit will include managers from all departments responsible for the management of personal data (e.g. HR, Marketing, Finance). Stages include:
GDPR Compliance Action Plan
- Review what data is necessary for the operation of the business and how long it should be kept
- Identify legal basis for each data category
- Review privacy notices for each data category
- Compile register of data processors and ensure Data Protection Agreements are in place for each
- Review/create Subject Acccess Request (SAR) Process and ensure compliance with new code
- Define a procedure for notification of data breach to regulatory authorities
- Compile a Privacy Impact Assessment for any high-risk activities
The findings of the data audit will be compiled into a GDPR compliance action plan.
A review will be conducted to evaluate progress made in completing compliance actions.
The challenge to the sector, based on our experience, will be finding the time and resources to keep it going. In many ways, although it can be time-consuming, the setup is the easy bit – maintaining ongoing compliance will be the tricky part – and the need is clearly there given penalties for non-compliance will be severe. It’s a serious issue and a substantial drain on time and resources – especially when you consider every donor has the right to request information.
As an idea, charities will end up with the following documentation, which needs to be managed by the data protection officer:
GDPR key documentation
- A complete set of mandatory and supporting documentation templates that are easy to use, customisable and ensure compliance with the GDPR
- Data protection policy
- Training policy
- Information security policy
- Data protection impact assessment (DPIA) procedure
- Retention of records procedure
- Subject access request form and procedure
- Privacy procedure
- International data transfer procedure
- Data portability procedure
- Data protection officer (DPO) job description
- Complaints procedure
- Audit checklist for compliance
- Privacy notice
- Pseudonymisation, minimisation and encryption guidance
- Guidance on selected toolkit items
That will hit certain charities hard – and some more than others. A good example are charities that deal with homelessness. They’ve traditionally shared information, partly to protect staff and partly to protect the wider community. Under GDPR they shouldn’t really be doing this, so rigorous procedures need to be put into place.
Another area to be aware of is the use of algorithms for donor profiling – something charities are increasingly doing. People will have the right to challenge these algorithms and disagree with their results. It can be a minefield and, in certain instances, it could add 10 to 20% to an admin function. And let’s face it, documentation is boring – people start with good intentions but then it can often slip, so GDPR needs to be constantly revisited. Products such as Office 365, which provide data encryption when documents are at rest, will help, but it’s going to be a huge job for charities and it’s one that needs to start now!
A free helping hand
To help charities prepare themselves for GDPR compliance, CoopSys is offering a free GDPR snapshot session – including a two hour or thereabouts site visit that will help to provide a feel for the scope of the task. An introductory outline will also be provided following the visit.
To take advantage of this offer – and to find out how CoopSys can help you with GDPR compliance – email email@example.com.