What is Data Portability and why is it important to you?


We all know that the General Data Protection Regulation (GDPR) will come into force on 25th May 2018. It introduces a new right namely the right to Data Portability (Article 20).

So what is data portability?

Wikipedia states that “Data portability is a concept to protect users from having their data stored in “silos” or “walled gardens” that are incompatible with one another, i.e. closed platforms, thus subjecting them to vendor lock-in. Data portability requires common technical standards to facilitate the transfer from one data controller to another, thus promoting interoperability.”

So – is this what the GDPR is referring to?

Well, not entirely. Wikipedia approaches it from a business / process point of view and GDPR approaches it from a customer / data subject’s point of view.

The ICO’s guidelines on Data Portability states that “The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.”

So – as you can see – it’s not exactly the same thing (similar – but not the same!)

Article 20 of the GDPR allows Data Subjects to receive the personal data they have provided to a Data Controller in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. The aim of this right is to support user choice, user control and consumer empowerment. It will have a big impact on all Data Controllers, but particularly on data-driven organisations such as banks, cloud storage providers, insurance companies and social networking websites. These organisations may find that customers are encouraged to move suppliers, as they will be armed with much more information than they previously had access to. This in turn may lead to an increase in competition, driving down prices and improving services.

While this is a utopian view, most companies (including yours) will already be providing a similar service.

When does the right to data portability apply?

The right to data portability only applies:

  • to personal data an individual has provided to a controller
  • where the processing is based on the individual’s consent or for the performance of a contract and
  • when processing is carried out by automated means.

Is there a cost involved or can you charge for this service?

No – The information must be provided free of charge and within a month’s time (extendable to two months if the request is complex or you receive a number of requests – but you must inform the data subject of the delay). Furthermore, if the individual requests it, you may be required to transmit the data directly to another organisation if this is technically feasible. However, you are not required to adopt or maintain processing systems that are technically compatible with other organisations.

Remember: If the personal data concerns more than one individual, you must consider whether providing the information would prejudice the rights of any other individual.

Can I not comply with a request?

Yes, you can, BUT tread very carefully. Where you are not taking action in response to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to seek a judicial remedy, without undue delay and at the latest within one month.

Here’s where we can help:

Totale Learning creates bespoke GDPR solutions (consultation, training and development, etc.) that are tailor-made to your business. Our experienced consultants will help you through your GDPR process and, when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at hello@totalelearning.com or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.

Pseudonymisation – what it is, and what it isn’t


One of the EU Commission’s stated aims in drafting the General Data Protection Regulation was to update and modernise the EU data protection regime to account for new kinds of potentially identifying information. In today’s digital world, the GDPR asks questions about the nature of personal data and whether it can be anonymised.

So what is pseudonymisation?

The GDPR defines pseudonymisation as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” To pseudonymise a data set, the “additional information” must be “kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person.” In short, it is a privacy-enhancing technique where directly identifying data is held separately and securely from processed data to ensure non-attribution.

So what is it not?

The GDPR for the first time introduces the concept of “data protection by design” as a legal requirement. Data protection by design means that privacy should be built into the development of a product or solution, rather than bolted on afterwards. The GDPR requires controllers to implement appropriate safeguards “both at the time of the determination of the means for processing and at the time of the processing itself.” One way that controllers can do this is by pseudonymising personal data, so pseudonymisation helps data controllers meet the GDPR’s data security requirements. From a systems perspective, controllers are required to implement risk-based measures for protecting data security.

Pseudonymous data IS NOT ANONYMOUS by default!

Just because data is pseudonymous does not mean that it is anonymous. Ira Rubinstein and Woodrow Hartzog have explained in their research paper that “true anonymization” is a myth at best, or at least very difficult to achieve. If your data can in any shape or form, combined with other data sets, lead to the identification of an individual, then your data is subject to the GDPR. To help you address this issue, the GDPR adopts a more flexible approach than the traditional black-and-white stance taken by the ICO and focuses on the risk that data will reveal identifiable individuals. Thus, the key distinction between pseudonymous data, which is regulated by the GDPR, and anonymous data, which is not, is whether the data can be re-identified with reasonable effort.

So, remember, pseudonymised data is not by default anonymous if that data can be used in conjunction with other data sets to identify an individual.
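To make the distinction concrete, here is an added Python example; it is not code from the article or from Totale Learning. It pseudonymises a constructed donor table with a keyed HMAC, where the key stands in for the “additional information” that must be held separately, and then checks how far the attributes left in the data (postcode and date of birth, assumed here to be the quasi-identifiers) still let records be matched against a constructed public register. All names, keys and records are made up.

```python
"""Pseudonymisation is not anonymisation: a worked check (added example)."""
import hashlib
import hmac
from collections import Counter

# Constructed secret. The whole point of pseudonymisation is that this value is
# stored separately from the data (key vault, different system, different team).
SECRET = b"constructed-demo-key-held-in-a-separate-store"

# Constructed sample: what a charity's newsletter table might hold.
DONORS = [
    {"email": "alice@example.org", "postcode": "SW1A 1AA", "dob": "1980-04-02", "gift": 50},
    {"email": "bob@example.org",   "postcode": "SW1A 1AA", "dob": "1980-11-30", "gift": 20},
    {"email": "carol@example.org", "postcode": "M1 1AE",   "dob": "1990-06-15", "gift": 500},
    {"email": "dave@example.org",  "postcode": "M1 1AE",   "dob": "1990-06-15", "gift": 10},
]

# Constructed "other data set" that also carries postcode and date of birth,
# the situation the article warns about.
PUBLIC_REGISTER = [
    {"name": "Carol Jones", "postcode": "M1 1AE",   "dob": "1990-06-15"},
    {"name": "Dave Smith",  "postcode": "M1 1AE",   "dob": "1990-06-15"},
    {"name": "Alice Brown", "postcode": "SW1A 1AA", "dob": "1980-04-02"},
]

# Assumed quasi-identifiers: indirect attributes that can single a person out.
QUASI_IDS = ("postcode", "dob")


def make_token(secret, direct_identifier):
    """Deterministic pseudonym for a direct identifier. Without `secret` the
    token can be neither reversed nor recomputed, which is what makes the key
    the 'additional information' the GDPR says must be kept separately."""
    normalised = direct_identifier.strip().lower().encode()
    return hmac.new(secret, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, secret, direct_ids=("email",)):
    """Replace direct identifiers with tokens; all other fields are kept."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k not in direct_ids}
        for field in direct_ids:
            new[field + "_token"] = make_token(secret, rec[field])
        out.append(new)
    return out


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Smallest group size when records are bucketed by the quasi-identifiers.
    k == 1 means at least one record is unique on those attributes alone."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(counts.values())


def generalise(records):
    """Coarsen the quasi-identifiers: outward postcode and birth year only."""
    return [dict(r, postcode=r["postcode"].split()[0], dob=r["dob"][:4]) for r in records]


def reidentified(pseudonymised, public, quasi_ids=QUASI_IDS):
    """Tokens that linkage resolves to exactly one named person: the record is
    unique on its quasi-identifiers in the released set AND exactly one public
    entry shares them. Returns {token: name}."""
    released = Counter(tuple(r[q] for q in quasi_ids) for r in pseudonymised)
    index = {}
    for p in public:
        index.setdefault(tuple(p[q] for q in quasi_ids), []).append(p["name"])
    hits = {}
    for r in pseudonymised:
        key = tuple(r[q] for q in quasi_ids)
        names = index.get(key, [])
        if released[key] == 1 and len(names) == 1:
            hits[r["email_token"]] = names[0]
    return hits


def run_demo():
    """Pseudonymise, then measure re-identification risk before and after
    generalising the quasi-identifiers."""
    pseudo = pseudonymise(DONORS, SECRET)
    return {
        "direct_identifiers_removed": all("email" not in r for r in pseudo),
        "k_before": k_anonymity(pseudo),
        "k_after": k_anonymity(generalise(pseudo)),
        "reidentified_before": reidentified(pseudo, PUBLIC_REGISTER),
        "reidentified_after": reidentified(generalise(pseudo), generalise(PUBLIC_REGISTER)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Stripping the e-mail address leaves the data pseudonymous: the table is still regulated, because one record (Alice’s) is unique on postcode and date of birth and lines up with exactly one register entry. Coarsening those attributes raises the smallest group size to 2 and the linkage no longer resolves to a single person. That k-anonymity figure is a risk measure against one assumed external data set, not a proof of anonymity; the “reasonable effort” test in the article has to be re-run against whatever other data sets are realistically available.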


How well does your TECHNOLOGY understand GDPR?


A recent conversation with PricewaterhouseCoopers (PwC) at IP EXPO EUROPE suggests that while most companies are preparing fervently for the GDPR, a mini black hole is emerging in the process.

Stewart Room, PwC’s global lead for cyber security and data protection legal services, outlined that many companies are overlooking their technology stack, which falls squarely on the radar of the GDPR. So, to ensure that you are not caught off-guard, here are some things you need to consider.

Is data protection an integral part of your technology landscape?

The data protection principles set out the core compliance goals of the law. They have been at the heart of European data protection regulation from its very beginning in the 1960s. The principles must be delivered in the technology stack and you must take ‘appropriate technical and organisational measures’ to do so. When developing those technical and organisational measures, you must have full regard to the ‘nature, scope, context and purposes of processing’ and ‘the risks of varying likelihood and severity for the rights and freedoms of natural persons’. The obvious implication of this requirement is that risk assessments must be performed in all cases. These risk assessments require a deep understanding of the effect that technology can have on individual rights and freedoms.

If people are to have control over their personal data, they need rights over that data and transparency about what is happening to it. But the exercise of these individual rights is only truly effective if an organisation’s technology stack is fully responsive to them, and has the right functionality embedded in it. The core individual rights are the ‘right of access’, ‘right to rectification’, ‘right to erasure’ (or the ‘right to be forgotten’), ‘right to restriction of processing’, ‘right to data portability’ and ‘right to object’. In a functional sense, these rights require the technology to:

  • Connect individuals to their personal data;
  • Categorise personal data by type and processing purpose;
  • Map or trace the full information lifecycle;
  • Perform search and retrieval;
  • Enable rectification, redaction, erasure and anonymisation;
  • Enable freeze and suppression;
  • Enable the transmission of personal data from one technology stack to another.

All of this must be protected by appropriate security.

What do you need to look out for?

  • Accountability – Does your technology work properly and does it do what it says on the tin?
  • Records of processing activities – Do you know your data life cycle and your information flow processes?
  • DPA by design – Is your system designed and built with DPA in mind?
  • DPIA – Have you completed your privacy impact assessment?
  • Breach notification – Do you have adequate measures in place to prevent a breach? And if those fail, do you have a process for notification?

Which Articles do you need to keep an eye on?

  • Article 15 – Right of access by the data subject
  • Article 16 – Right to rectification
  • Article 17 – Right to erasure (right to be forgotten)
  • Article 18 – Right to restriction of processing
  • Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20 – Right to data portability
  • Article 21 – Right to object
  • Article 22 – Automated individual decision-making, including profiling
  • Article 25 – Data protection by design and default
  • Article 35 – Data protection impact assessments


The KFC of learning

Gamification and Game based Learning

On a recent customised training course I ran a session on Gamification in Learning and Game based learning focusing on why the two while intermingled, are not the same. If you are interested in the highlights of why Gamification and Game based learning are different, drop me a line and we’ll talk about it.

Back to the subject at hand, and especially the title of what I want to talk about today, before the session, I was briefed that my audience were training professionals who have been delivering classroom sessions for many years. Having done this for decades (literally), I knew how I should structure my programme and deliver it (as opposed to when I am presenting to senior stakeholders). During the session, my audience were sold on the idea of gamification and the benefits it can bring to both the face-to-face and digital environment but could not see the benefits of game based learning (especially when the process and developmental aspects were touched upon) in a corporate setting.

Cost, time, repetition, adaptability etc. were thrown about like arrows on fire and I simply could not appease the beast within. At the end of the first day, I needed a proverbial “cold one” and some time to reflect on the push back that I got when it came to Game based learning.

This company was already aware of the benefits of simulation based learning and a vast majority of the training was simulation based already. So what was happening here? Why were the trainers – who are in favour of simulation based learning, not so keen on Game based learning? Was it a cultural barrier? Did they see games as time-wasters?

Mulling these things over, I remembered an article I had read regarding client engagement by Ian Brodie in which he talks about the KFC approach (as coined by Andy Maslen of Sunfish digital agency).

No, I’m not talking about the Colonel’s chickens; I am talking about the Know, Feel and Commit approach. In short, the client must commit to you and for them to commit, what they must know and feel to make that commitment.

  • K = Know
  • F = Feel
  • C = Commit

Applying that to my problem at hand, I analysed the day. The trainers knew what was involved (theoretically at least), and from interacting with them, I thought I knew what they felt as well! As the “cold one” was warming up I listed out the facts that were in front of me. The trainers were accustomed to simulation based learning, they used it rather successfully in the past, they were aware of the pedagogical aspects of game based learning – so where was the barrier coming from? Cost was an aspect they talked about – but that was for the business to own – as it surely did not come out of their pockets! So, was it skill-set (or the lack of it) when it came to development? Once again, this was a corporate issue and not something that the trainers would need to worry about (or so I thought). It was then that I had a light bulb moment (or in this case an empty bottle moment)!

I had spent the majority of the time talking, engaging and interacting about game based learning and I had not yet let them “feel” what it was like to participate in a game based learning session. I know a lot of you will be shaking your head thinking, rookie mistake, well, what can I say, I thought as trainers, they would be more interested in the theoretical and pedagogical aspects over the actual game itself! Which brings me back to the KFC approach – in my hurry to get a commitment for Game based learning, I overlooked the “Feel” of Know, Feel and Commit! As trainers, yes they will be interested in the theoretical aspects of Game based learning but for that moment in time, they are all learners and as learners, their learning needed to be reinforced (by experience) and rewarded! They needed to “feel” that there is benefit in Game based learning.

With my new-found insight, I headed back the next day and flipped my “keep the best for last” approach on its head. I invited them to play a game, gave them guidelines for exploration and allowed them to “roam free” in a loosely controlled environment. I told them to ask questions, engage and interact in the game environment. In other words, I approached them as I would approach a group of learners who knew nothing about what they were learning.

To cut a long story short, that decision to allow the learners to “feel” that I was addressing their issues and questions led to further exploration into Neuro-Linguistic Programming (NLP), scaffolding in learning, consequence management in Game based learning, constructivism and behaviourism, to name a few! When the audience felt their issues could be answered by Game based learning, their commitment followed suit¹.

¹ Fun fact: According to Jonathon Green, a lexicographer, the term ‘to follow suit’ first appeared in 1680 and is an image taken from cards, originally defined (by the OED) as playing a card of the same suit as the leading card. The meaning has since expanded to mean following someone’s lead, doing something someone else has just done, or following as expected.

Here’s where we can help:

Totale Learning creates Gamified Learning and Game based Learning that is tailor-made to your business. Our experienced consultants will work alongside your learning and development teams and, when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at hello@totalelearning.com or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.

GDPR for charities and fundraising organisations (part 6)

GDPR for charities

In the previous part of this series we saw what language you’ll need to use for your privacy notices. Next we’ll look at the conditions for processing the data you have on your data subjects.

Conditions for processing data

There are six main conditions that are available to you when you are processing data. They are:

  • To fulfil a contract
  • Due to a legal obligation
  • To protect a vital interest of a party or entity
  • Official, public interest or administration of justice requirement
  • The data is obtained with the appropriate level of consent
  • The data is processed to satisfy a legitimate interest

The list is not a tick-box exercise: as a data controller or processor, you need to satisfy at least one of these conditions to ensure you don’t fall foul of the GDPR.

Processing data to fulfil a contract:

In fundraising, it is unlikely that there will be any kind of binding contract between the fundraiser and the donor or prospective donor (data subject). You might have something approaching a contract for organised sponsored events (especially ones with health and safety implications), but the only necessary processing would be to make that contract work. You wouldn’t be able to make marketing a requirement of the contract, or assume that you can send marketing because the person signed the contract.

Processing data due to a legal obligation:

Apart from the obvious laws (AML, the Terrorism Act, etc.), it is unlikely that there is a law that requires you to do any fundraising or activities associated with fundraising. However, if there is a provision in the law which requires you to process data, then you can do so, as long as you are able to justify that the data was processed to satisfy a legal obligation.

Processing data to protect vital interests:

No, we are not talking about the vital interests of your charity; we are talking about the vital interests of the data subject or another person. This condition therefore applies only if someone is at immediate risk of death (it has been argued that vital interests might cover serious physical risk, but the GDPR suggests that it applies only to life-or-death situations).

Processing data for official, public interest or for the administration of justice:

This is a long and rather detailed GDPR condition which is outlined rather well in the GDPR and also the ICO’s guidelines. For this condition to apply, you need to identify a specific law or source of official authority. This does create a problem for organisations like universities (publicly funded) and public bodies as the use of the legitimate interest condition is not allowed for public bodies.

Consent:

The GDPR has a clear definition on consent. GDPR defines consent as “any freely given specific and informed indication of a data subjects’ wishes by which the data subject signifies their agreement to personal data relating to them being processed”.

What does freely given mean? This means that the data subject must be given a free choice in the first place, and they must be able to change their minds at any time. You are not allowed to trick someone into giving consent and when they tell you to stop, you must stop.

What does specific consent mean? It means that the processing the data subjects are agreeing to must be clear. For example, you must specify what marketing they are going to receive, who it will be from, and so on. Asking someone to agree for their details to be shared with “carefully selected third parties” isn’t specific. You’ll need to specify (or provide on request) a detailed list of third parties. If you want to conduct wealth screening with consent, asking the data subject to agree to ‘fundraising purposes’ isn’t specific enough.

What does informed mean? In its simplest terms, the data subject should understand how their data is going to be used; if not, the consent is not valid. You have to spell out what they are agreeing to, in language that they understand and targeted to the age you expect them to be. The last point is not a must, but if challenged, you should be able to prove that you have catered to the lowest common denominator of your data subjects’ expected level of cognition. You cannot bury the purpose in terms and conditions that the person might not read. The language should be clear and unambiguous.

The burning question: can consent be opt-out rather than opt-in?

A common question we always get, be it when we are writing training material or when we are consulting, is: can my consent be opt-out (as it currently is), or does it need to be opt-in?

Well, there are many people who will argue that opt-out is a perfectly reasonable way of obtaining consent. Even though the ICO’s current guidelines seem to support this, you must pay attention to what the guidelines actually say. They say:

(Image: ICO guidance, captioned “Charities and Fundraising organisations GDPR”)

The most certain way to get consent is a tick box, a box to place a signature, or something else that allows the subject to say ‘yes’. However, as the ICO notes, there are other methods. If a person fills in their name and address in a form clearly designed to send out a brochure, you can reasonably infer consent to send them the brochure.

Remember, there is no “assumed consent” anymore. Similarly, you cannot force consent on a data subject. For example, you can’t say that ‘by doing X, you consent to us doing Y’. X and Y must be inherently linked and clearly outlined to the data subject. Furthermore, post (snail mail) is your friend as sending out an email or any form of digital communication asking for consent is also considered as marketing – even if you are only asking for consent.

Satisfy a legitimate interest:

The alternative to consent is legitimate interests. The full text of the condition is as follows: “The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”. To satisfy this condition, you must have a legitimate interest in processing the data and also be able to prove that there is a legitimate (business or otherwise) interest. As a charity, this is an easy condition to satisfy – however, while it may be tempting to do so, this is not a replacement for consent but rather a way of strengthening your consent condition.

(to be continued)


GDPR for charities and fundraising organisations (privacy notices)

GDPR for charities

In the previous part of this series we saw how GDPR affects recruiters (and you as you will be one of the biggest volunteer recruiters), in this part we are going to look at “Language” and your privacy statement.

Language:

Language forms the basis of verbal and written communication. Imagine a world where no two people spoke the same language and therefore could not communicate. Kind of like the “Tower of Babel” situation!

Similarly, GDPR expects you to use a certain “type” of language when communicating with your data subjects.

The average privacy policy is long-winded, technical and usually filled with industry-specific jargon. The reason for this (more often than not) is that it is written by lawyers, and what should be a simple privacy notice is written like a legal contract. In other words, it is trying to ensure that the company (i.e. you) can’t be sued! Banks and financial institutions are among the worst offenders here: their terms and conditions will make any average privacy notice look like a postcard! The best privacy notices are as short as they can be, written in language that is plain to the point of bluntness, and highlight the most surprising and unexpected things that you are doing.

Let’s consider the example we used before – our Acme Limited (fictitious company). Acme Limited has a charitable concern called Acme Charities Limited (ACL) (another fictitious company). Now let’s say ACL has a newsletter section and collects the following information:

  • Name
  • Address
  • Date of birth
  • Email address
  • Contact number

On the sign-up page, ACL has mentioned that it will only use the email address to send you newsletters and will not share the data with other charities. It also mentions that your information will not be used for marketing purposes. However, at the bottom of the sign-up page, there are two tick boxes (check boxes) that ask you whether you want to allow them to request donations from you.

Pretty standard sign up page so far! Well, you complete your information and being the kind hearted person that you are, tick the box that allows them to contact you for donations. When you tick the box, a further message appears that tells you that you can unsubscribe from this option at any time and you can view their full privacy terms and conditions by clicking a link.

Sounds familiar? That’s because that is most of your sign up pages. The permutations and combinations might vary, but the bottom line is pretty much the same.

Well, getting back to ACL’s sign up page, out of curiosity you click the terms and conditions link and you are presented with a 10 page document. Being the prudent person that you are, you take your time to read it. About halfway through the document there is a section that tells you what they will do with your data.

“In order to ensure that the data we hold about you is accurate and up to date, we may occasionally use information sources that are in the public domain to verify your details, such as address and telephone number.”

Once again, sounds familiar? Yes, most companies are guilty of this and let’s see why under the GDPR, this is no longer acceptable.

In ACL’s example, the privacy statement explicitly mentions that the data will be used to verify your details. So at this point, the data (more often than not), will leave ACL’s control and pass to a third party. Part of ACL’s contract with the third party is to do a wealth screen as well. Now if ACL uses ANY of the data for the wealth screen, they will be in breach of the GDPR principle. “But they have mentioned it in their multipage privacy document!”, I hear you ask. Well, let’s take a closer look.

Think about intention and explanation. Your intention (and for all purposes, the intention of your potential donor) is to receive a newsletter. On selecting the “contact me for donations” section, the data subject (donor) now has to be subjected to additional DPA notices. So the intention has now changed in the context of data protection.

As for the explanation, the disclaimer about the information gathered was succinctly outlined. However, when it came to the opt-in donation section, the data subject was referred to a multipage saga. While the saga might have been necessary from a legal standpoint (to cover your bases), there was no explanation of what the data subject should be aware of before they make that commitment. This also raises an issue of consent! Remember the point about the data subject’s details being passed to a third party for verification? Well, ACL has assumed consent on this point, just because the data subject clicked the “contact me for donations” tick box. Once again, where was the explanation of this change in intent?

The ICO recommends a layered or just-in-time approach. That is, provide layered information as your intention changes. So in ACL’s case, while their first explanation is succinct and to the point, additional information should have been available (similar to the initial explanation) once the data subject’s intention was broadened.

Personally, I would recommend a just-in-time approach, as it allows the data subject to make an informed decision about their data at each step.

So how should the privacy notice be written?

When you are writing your privacy notice, make sure it is:

  • concise, transparent, intelligible by your target audience and easily accessible,
  • written in clear and plain language, particularly if addressed to a younger person (minor) and
  • free of charge.

“But it won’t look pretty!”, I hear you scream!

Well, let me share with you some of the rather beautifully crafted privacy notices from some of the companies that have already implemented GDPR (or are in the process of implementing it).

AGE UK:

(Image: Age UK privacy notice)

https://play.ageuk.org.uk/help/privacy-policy/

MICROSOFT

(Image: Microsoft privacy notice)

https://privacy.microsoft.com/en-gb/privacystatement

Microsoft have taken it a step further with their privacy subsite.

(Image: Microsoft privacy subsite)

https://privacy.microsoft.com/en-GB/

Further reading:

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/

(to be continued)


GDPR for recruiters


As part of the GDPR for Charities series – we must touch on “recruitment” as you will undoubtedly be recruiting one of the highest numbers of people from the volunteer and new starters’ talent pool. As this crosses domains, we’ll approach this subject as if you were a recruiter.

So what does GDPR mean for recruitment?

Let me start by saying – irrespective of the size of your organisation, you will need to adhere to the GDPR policies – even more so as you will be holding data that could potentially influence and (or) directly impact on the data subjects’ rights as an individual and their career prospects.

Now allow me to dissect that statement and demonstrate how it will impact you and what you need to do to ensure you are adhering to the GDPR principles.

It doesn’t matter whether you are using a Rolodex™, Microsoft Excel™ or a flashy talent management system: you hold sensitive and personal information about data subjects. In other words, the information you hold on your candidates (data subjects) is your bread and butter, and you will need to protect that asset.

You, your candidates (data subjects) and consent

Under GDPR, candidates must give consent for their personal data to be collected and used, it needs to be clear to candidates how the data will be used, and candidates can ask for their data to be removed. If a recruitment agency does not comply with this there are some very harsh penalties: fines of up to €20 million or 4% of the company’s global turnover.

Don’t get caught out by automation

Any automation you use in your recruitment process that is based on personal information needs to be opt-in. This means that any profiling you carry out can only be carried out on candidates who have explicitly given you permission to do so. Yes, and before you ask, this also applies to prospecting and screening.

Let me paint you a picture. Joe Bloggs (not a real name) is a specialist in his field. As a recruiter in that field you notice that Joe Bloggs has been with Acme Limited (not a real company) for 5 years. You research Joe Bloggs and see that he is interested in a change (based on conversations he has had in a public forum) and you approach him. Joe Bloggs is interested in your proposal and you ask him your screening questions. Great! Joe has cleared your initial screen and you ask him to send you his updated resume.

You are impressed with Joe’s resume and ask him to complete an online in-depth screening interview. Joe completes it promptly. Unbeknown to you, one of the questions (which you would not normally ask a person in a face-to-face setting) was asked in the EOM form. Your state-of-the-art system has decided, based on the information provided to it by Joe Bloggs, that he would not be a good match for your company’s culture.

The system has made a recommendation which is now a part of Joe’s profiling data. Nevertheless, you invite Joe for a formal interview. The hiring manager interviews Joe and finds him a bit “shady”. She then refers to his profiling data and she sees the “red-flags” that your system has highlighted which she takes as validation for not wanting to hire Joe.

Joe is informed that he was unsuccessful in the interview and his resume will be held on file for any future roles that might come up.

In this fictitious scenario, can you spot the number of times GDPR principles were breached (knowingly or unknowingly)?

Don’t worry, this is not a trick question. Suffice to say that should Joe challenge you under the GDPR, there will be some serious explaining to be done by you (your company).

  • Firstly, you appended data (see data appending if you are unfamiliar with this) without Joe’s consent, even if that information was in the public domain.
  • Next, you asked for his resume, which (after that unsuccessful interview) your system decided to retain. You never offered Joe a choice in the matter.
  • Technically, Joe is everything you are looking for, but you profiled him (without his consent). That profiling was automated (which he did not explicitly agree to). Furthermore, you asked a sensitive information question (which may not be necessary for the activity that Joe would be undertaking).
  • The hiring manager then validated her decision based on the profiling data produced by an automated system, without giving Joe the chance for clarification or rebuttal.
  • Lastly, you did not offer Joe the opportunity to have his data deleted.

By the way, in case you are wondering, Joe got his dates wrong for a previous job about 7 years ago. He was adamant that it was X, while your system’s profiling showed that the company did not exist at date X (again, information that was automatically obtained from the public domain).

Yes, this is a fictitious scenario written to make a point, but the problems highlighted are very real.

Once again, it does not matter whether you are using a Rolodex™, Microsoft Excel™ or a flashy talent management system: you should at all times adhere to the principles of GDPR.

Remember: if the decision being made is based on sensitive personal data (for example, relating to ethnic origin or sexual orientation) you should get explicit consent to use this information. However, automated processing should not be used to filter out candidates based on protected characteristics under the Equality Act 2010, as that would be unlawful discrimination.


GDPR for charities and fundraising organisations (part 4)

[Image: GDPR for charities and fundraising organisations]

Well, we hope you liked the little break we took from the GDPR for Charities series by looking at Firefighting and GDPR. In the previous article in this series we looked at the GDPR principles and the appending of data under GDPR. Now let’s look at how you process the data that you have.

By now you will have identified the purpose of the data and established that you have the right to hold it. Under GDPR, you’ve got to answer three main questions:

  • Is the data processing lawful?
  • Is the data processing fair?
  • Are you able to answer the question “have I met the conditions of GDPR in processing this data?”

Is the data processing lawful?

Unlike laws against, say, public nuisance or theft, data protection laws are more “subtle” and can be broken without you even realising that you have breached them. Since there is no clear-cut “you can do this” or “you can’t do this”, you will need to rely on the additional laws that govern your charity. For example, if you are a charity that cares for vulnerable people, human rights laws will be applicable to you. You could potentially breach a data protection principle by trying to adhere to a human rights law, or conversely by not adhering to it!

Therefore, as part of GDPR, you’ll also need an understanding of the other laws that could impact the data protection principles.

Is the data processing fair?

What is fairness? Theoretically, fairness is impartial and just treatment or behaviour without any prejudice, favouritism or discrimination. So, what does fairness mean in terms of GDPR? Well, for the purposes of GDPR, we’ll deal with fairness as applicability and transparency.

So what is applicability? Fairness in terms of applicability is when you are able to demonstrate what data you are collecting and whether the data subject has the ability to opt out of your collection process. In other words, are you giving your data subjects an actual “right” over their data, or are you just informing them of what you will be doing with it (which leads us to the transparency aspect of fairness in data processing)?

In other words, if you put yourself in the data subject’s shoes and are able to answer the question “if this were me, would I be comfortable with the data being collected?”, then you have pretty much covered the applicability aspect of fairness.

Transparency, on the other hand, is fairly straightforward: letting your data subjects know the identity of the controller, what you are going to do with the data that has been collected, and any additional data collection, profiling and research you will be undertaking with the data gathered so far on a data subject. If you are able to confidently answer these questions, you will have covered the fairness principle of data processing.

So how do you put this in action?

Recent ICO enforcement actions against charities have highlighted certain “areas of weakness” that affect most charities. Therefore, your privacy notice should contain information about:

  • Who you are sharing your data with
  • What further processing (or appending) you are going to do on the data collected
  • What profiling, research, screening and additional processing you will be undertaking with the data collected
  • What additional data you are going to get and from where (and to what end you will be using this additional information).

(To be continued….)


Are you a firefighter?

[Image: GDPR and firefighting in companies with bad management]

Firefighting and GDPR

Let’s take a break from our GDPR for Charities series to look at something that I believe is important to talk about but is usually ignored, though not for much longer as far as the protection of data is concerned.

No, I am not talking about fire engines, firefighters and health and safety drills. I’m talking about a very familiar scenario that happens in most offices up and down the country. Yes, I am talking about the numerous “fires” that are dealt with on a daily basis.

OK, analogies aside, let’s see if this is a scenario you are familiar with. You are on your way to the office and have mentally made a list of things you need to do for the day. The first hour goes by uneventfully and you even manage to get a couple of emails out. Then all hell breaks loose! There is some issue that needs your immediate attention. Begrudgingly, you address the issue. You know what the problem is and have informed your stakeholders what action needs to be taken to correct it. Convinced you’ve done a good job of containing the problem, you go back to your work. Before long there is an important report that needs to be produced and needed to go out yesterday. You are tasked with completing the report to keep the client happy when suddenly there is a call from another stakeholder. This time it is an issue that you had dealt with two weeks ago. Since you have already sorted the issue out before, you know how to contain this new occurrence of it; you sort it out and inform your stakeholder what needs to be done to correct the root cause. Your stakeholder, as always, agrees that something must be done but does not allocate any resource to correcting the issue. In the meantime, the time available for you to complete that report is running out. You finally sit down to complete the report when the stakeholder who gave you the report now needs an amendment to the data based on a last-minute request from their client. Does this sound familiar at all? If not, then consider yourself to be working in a company that has a good infrastructure. If, on the other hand, this sounds like your average day, you are working in a company that has a firefighting culture.

“Firefighting is the emergency allocation of resources that is required to deal with an unforeseen problem.

It’s a common misconception that “fires” are unpredictable and that they must be dealt with immediately. However, a too-frequent need for emergency action may reflect poor planning, or a lack of organization, and is likely to tie up resources that are needed elsewhere.

The vast majority of daily interactions between the frontline and their managers revolve around events taking place that day. Anyone who has experienced these interactions can recognize that the intense focus is always on today’s fire with little or no regard given to what will happen tomorrow, next week, next month, or next quarter.

This firefighting mentality can only have one of two outcomes. Either the fire is extinguished, or an excuse is given as to why the fire cannot be extinguished. Either way, the actual cause of the fire is not being dealt with. Most managers can see that this frenzied approach is undesirable, but are often frustrated when their initial attempts to change it fail. Usually the fire-fighting culture has become so ingrained in an organization that only a radical change in behaviour will produce a lasting change.”

This is where GDPR comes in. In a post-GDPR world, as far as data protection is concerned, you are bound to fail (or end up paying hefty fines) if your organisation uses a firefighting approach. GDPR is unforgiving when it comes to personal data. Not knowing where the source of your fire is could prove to be a very expensive gamble.

So, while you won’t put up with a firefighting culture in real life (it simply is not a sustainable business model), why then is it OK to think that you can deal with GDPR as if it were just another fire? GDPR is not a fire but a firestorm. So to be prepared for it, you’ll need to be implementing your data protection guidelines now.

Address the root cause and your fires will slowly but surely reduce (if not fully go away).


GDPR for charities and fundraising organisations – part 3

[Image: GDPR for charities and fundraising organisations]

GDPR for Charities (Part 3)

In the previous article in this series, we saw what roles the different parties play in the GDPR saga and what constitutes personal data in the GDPR world. In this article we’ll look at the principles of data protection under GDPR.

Before we do that, let’s talk about data in the public domain.

Most people who use the internet (and some who don’t) fail to realise the amount of data that is held about them in the public domain. Data protection is not all about deleting personal information or protecting personal information that is available; well, it’s partly about that, but it is also about how that personal data is used. So, for a second, let’s extend this concept to data that is found in the public domain. For example, there is an ample amount of data about an individual that is readily accessible through various sources. However, there is no exemption for data that is held in the public domain. Furthermore, certain information held in the public domain is sensitive in nature and requires stricter adherence to the data protection principles, especially if that data is then used to make decisions about the data subject.

Principles of data protection

There are two fundamental principles of data protection. In short, the data must be obtained lawfully, it should be fair and accurate, and you’ll need to justify what the data is being used for. It’s really that simple.

So let’s see what GDPR means by ‘purpose’.

The current Data Protection Act says that personal data shall not be processed in any manner incompatible with the controller’s ‘specified and lawful purposes’. The GDPR expands on this by saying that the data should not be ‘further processed in a manner that is incompatible with those (initially specified) purposes’. Under GDPR, purposes must be ‘specified, explicit and legal’. Therefore, you must set out your purposes clearly and unambiguously.

In the world of fundraising, you can’t just say ‘the purpose of collecting your data is fundraising’, as you could potentially use that data for a whole host of things and, by doing so, you could fall foul of the GDPR.

Appending data

What about data that is obtained from a third party (or from another part of your charitable organisation)?

Appending is when you acquire additional data from a third party, where the data was not provided to you directly by the data subject. You should tread very carefully if your charity uses this type of data collection method, as recent ICO guidelines around this have caused some confusion. Since it is better to be safe than sorry when it comes to GDPR, if you append data to information already in your possession, then you will either need to return to the data subject and obtain new consent for the additional information or obtain the additional information directly from them.

We’ve included a recent conference summary on this subject, which covers, amongst other things, regulatory compliance in relation to fundraising.

Fundraising conference paper – 21st of February 2017 (page 10 for information on data appending).

(To be continued….)
