On Tuesday 19 September, Lightful and Social Misfits Media hosted an event on the General Data Protection Regulation (GDPR).
The event covered, in detail, what GDPR is and the differences between GDPR and the Data Protection Act (DPA). The role of the ICO was explained, as well as the consequences of falling foul of compliance, with examples given of where charities have already been fined. This was delivered by Susie Perks, Major Projects Lead at Lightful.
The event ended with a panel discussion chaired by Haydn Thomas, Head of Services at Lightful, with panel members Stephen Oatley, Head of Events at ABF The Soldiers' Charity, Andrew Cross, Data and Insights Lead at Lightful, and Howard Ricklow of Collyer Bristow.
The biggest hurdle
Stephen said the biggest hurdle his charity had faced was reviewing the data held on their existing database and implementing the correct processes.
Howard said that any organisation that processes data should register with the ICO, as failure to register can lead to fines. Although it's probably unlikely that the ICO would fine charities for not registering, there's really no reason not to do it, as registration is free. The only exceptions are very small organisations that only process data for things such as payroll. The registration process is simple and straightforward, and if you need assistance, look at others who have registered to see what they have said about how they process data.
Andrew advised checking whether third parties, such as Facebook, are registered with the ICO. He also said that if they are in the US, check that they are part of the Privacy Shield, or ensure that there are data-processing agreements in place that are compliant with EU privacy laws.
One of the burning questions from the floor was around 'legitimate interest' and what that really means. Howard advised that while official guidance from the ICO is still a few months away, the DMA have produced a useful guide.
Andrew gave an example of what would constitute a data breach: if you send out an e-mail and accidentally attach an Excel spreadsheet of personal data, this would constitute a breach. You would then need to notify the ICO within 72 hours and explain how it happened, what the risk was (e.g. were bank details, high-profile names or physical addresses included?), who it affected, what processes you followed and what new processes you have put in place to ensure it doesn't happen again.
Researching prospective donors
Andrew commented that this area is currently quite "grey" and that he will publish a blog post about it after conducting some research. He acknowledged that there is nothing stopping you from Googling prospective donors, but the minute you add information about them to your database, you are processing data about them. It could still be claimed that this falls within the 'reasonable expectations' people have about their data, the Sunday Times Rich List being an example.
Many people are simply unaware of just how much information about them is online and how easy it can be to find this information. One attendee made an excellent point that it’s up to individuals to know what information there is about them online and to take steps to remove that information, if necessary.
Three main takeaways
The three takeaways from the workshop were:
- Start your data review or mapping now if you haven't already
- Review all your relevant policies, including from a legal perspective
- Put in place training and support for everyone in your organisation
Lightful is a social media management platform, built for and with charities and social enterprises. Find out how social media can work for you and help you raise more awareness, support and funds for your cause.