We hope you liked the little break we took from the GDPR for charities series to look at Firefighting and GDPR. In the previous article in this series we looked at the GDPR principles and the appending of data under GDPR. Now let’s look at how you process the data that you have.
By now you will have identified the purpose of the data and that you have the right to that data. Under GDPR, you’ve got to answer three main questions:
- Is the data processing lawful?
- Is the data processing fair?
- Are you able to answer the question “have I met the conditions of GDPR in processing this data?”
Is the data processing lawful?
Unlike laws covering public nuisance or theft, data protection laws are more “subtle” and can be broken without you even realising that you have breached them. Since there is no clear-cut “you can do this” or “you can’t do this”, you will need to rely on additional laws that govern your charity. For example, if you are a charity that cares for vulnerable people, Human Rights laws will be applicable to you. You could potentially breach a data protection principle by trying to adhere to a Human Rights law or, conversely, by not adhering to it!
Therefore, as part of GDPR, you’ll also need to have an understanding of the other laws that could impact on the data protection principles.
Is the data processing fair?
What is fairness? Theoretically, fairness is impartial and just treatment or behaviour, without any prejudice, favouritism or discrimination. So, what does fairness mean in terms of GDPR? Well, for the purposes of GDPR, we’ll deal with fairness as applicability and transparency.
So what is applicability? Fairness in terms of applicability is when you are able to demonstrate what data you are collecting and whether the data subject has the ability to opt out of your collection process. In other words, are you giving your data subjects the actual “right” to their data, or are you just informing them of what you will be doing with their data (which leads us to the transparency aspect of fairness in data processing)?
Put another way, if you put yourself in the data subjects’ shoes and are able to answer the question “if this was me, would I be comfortable with the data I am collecting?”, then you have pretty much covered the applicability aspect of fairness.
Transparency, on the other hand, is fairly straightforward. It means letting your data subjects know the identity of the controller, what you are going to do with the data that has been collected, and any additional data collection, profiling and research you will be undertaking with the data that has been gathered so far on a data subject. If you are able to confidently answer these questions, you will have covered the fairness principle of data processing.
So how do you put this into action?
Recent ICO enforcements on charities have highlighted certain “areas of weaknesses” that affect most charities. Therefore, your privacy notice should contain information about:
- Who you are sharing your data with
- What further processing (or appending) you are going to do on the data collected
- What profiling, research, screening and additional processing you will be undertaking with the data collected
- What additional data you are going to get and from where (and to what end you will be using this additional information).
(To be continued…)
Here’s where we can help:
Totale Learning creates bespoke GDPR solutions (consultation, training and development, etc.) that are tailor-made to your business. Our experienced consultants will help you through your GDPR process and, when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at firstname.lastname@example.org or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.