GDPR for Charities (Part 3)
In the previous article in this series, we saw what roles the different parties play in the GDPR saga and what constitutes personal data in the GDPR world. In this article we’ll look at the principles of data protection under the GDPR.
Before we do that, let’s talk about data in the public domain.
Most people who use the internet (and some who don’t) fail to realise the amount of data that is held about them in the public domain. Data protection is not all about deleting personal information or protecting personal information that is available – well, it’s partly about that, but it is also about how that personal data is used. So, for a second, let’s extend this concept to data that is found in the public domain. For example, there is an ample amount of data available about an individual that is readily accessible through various sources. However, there is no exemption for data that is held in the public domain, and certain information held in the public domain is sensitive in nature and requires stricter adherence to the data protection principles, especially if that data is then used to make decisions about the data subject.
Principles of data protection
There are two fundamental principles of data protection. In short, the data must be obtained lawfully, it should be fair / accurate, and you’ll need to justify what the data is being used for. It’s really that simple.
So let’s see what GDPR means by ‘purpose’.
The current Data Protection Act says that personal data shall not be processed in any manner incompatible with the controller’s ‘specified and lawful purposes’. The GDPR expands on this by saying that the data should not be ‘further processed in a manner that is incompatible with those (initially specified) purposes’. Under the GDPR, purposes must be ‘specified, explicit and legal’. Therefore, you must set out your purposes clearly and unambiguously.
In the world of fundraising, you can’t just say ‘the purpose of collecting your data is for fundraising’, as you could potentially use that data for a whole host of things and, by doing so, you could fall foul of the GDPR.
What about data that is obtained from a third party (or from another part of your charitable organisation)?
Appending is when you acquire additional data from a third party, where the data was not provided to you directly by the data subject. You should tread very carefully if your charity uses this type of data collection method, as recent ICO guidelines around this have caused some confusion. Since it is better to be safe than sorry when it comes to the GDPR, if you append data to information already in your possession, you will need either to return to the data subject and obtain new consent for the additional information, or to obtain the additional information directly from them.
We’ve included a recent conference summary on this subject, which covers, amongst other things, regulatory compliance in relation to fundraising.
Fundraising conference paper – 21st of February 2017 (page 10 for information on data appending).
(To be continued….)
Here’s where we can help:
Totale Learning creates bespoke GDPR solutions (consultation, training and development, etc.) that are tailor-made to your business. Our experienced consultants will help you through your GDPR process and, when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at firstname.lastname@example.org or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.