What is Data Portability and why is it important to you?

Data portability in GDPR and Article 20 of the GDPR
Data portability and is your data portable?

We all know that the General Data Protection Regulation (GDPR) will come into force on 25th May 2018. It introduces a new right namely the right to Data Portability (Article 20).

So what is data portability?

Wikipedia states that “Data portability is a concept to protect users from having their data stored in “silos” or “walled gardens” that are incompatible with one another, i.e. closed platforms, thus subjecting them to vendor lock-in. Data portability requires common technical standards to facilitate the transfer from one data controller to another, thus promoting interoperability.”

So – is this what the GDPR is referring to?

Well, not entirely. Wikipedia approaches it from a business / process point of view and GDPR approaches it from a customer / data subject’s point of view.

The ICO’s guidelines on Data Portability state that “The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.”

So – as you can see – it’s not exactly the same thing (similar – but not the same!)

Article 20 of GDPR allows Data Subjects to receive the personal data they have provided to a Data Controller in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. The aim of this right is to support user choice, user control and consumer empowerment. It will have a big impact on all Data Controllers, but particularly on data-driven organisations such as banks, cloud storage providers, insurance companies and social networking websites. These organisations may find that customers are encouraged to move suppliers, as they will be armed with much more information than they previously had access to. This in turn may lead to an increase in competition, driving down prices and improving services.

While this is a utopian view, most companies (including yours) would already be providing a similar service.

When does the right to data portability apply?

The right to data portability only applies:

  • to personal data an individual has provided to a controller
  • where the processing is based on the individual’s consent or for the performance of a contract and
  • when processing is carried out by automated means.

Is there a cost involved or can you charge for this service?

No – The information must be provided free of charge and within a month’s time (extendable to two months if the request is complex or you receive a number of requests – but you must inform the data subject of the delay). Furthermore, if the individual requests it, you may be required to transmit the data directly to another organisation if this is technically feasible. However, you are not required to adopt or maintain processing systems that are technically compatible with other organisations.

Remember: If the personal data concerns more than one individual, you must consider whether providing the information would prejudice the rights of any other individual.

Can I not comply with a request?

Yes you can BUT tread very carefully. Where you are not taking action in response to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.


Here’s where we can help:

Totale Learning create bespoke GDPR solutions (consultation, training and development, etc.) that are tailor-made to your business. Our experienced consultants will help you through your GDPR process and, when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at hello@totalelearning.com or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.

Pseudonymisation – what it is, and what it isn’t

Pseudonymisation of data and anonymous data GDPR
Is your data pseudonymous or anonymous?

One of the EU Commission’s stated aims in drafting the General Data Protection Regulation was to update and modernise the EU data protection regime to account for new kinds of potentially identifying information. In today’s digital world, GDPR asks questions about the nature of personal data and whether it can be anonymised.

So what is pseudonymisation?

The GDPR defines pseudonymisation as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” To pseudonymise a data set, the “additional information” must be “kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person.” In short, it is a privacy-enhancing technique where directly identifying data is held separately and securely from processed data to ensure non-attribution.

So what is it not?

The GDPR for the first time introduces the concept of “data protection by design” as a legal requirement. Data protection by design means that privacy should be a feature of the development of a product or solution, rather than something bolted on afterwards. The GDPR requires controllers to implement appropriate safeguards “both at the time of the determination of the means for processing and at the time of the processing itself.” One way that controllers can do this is by pseudonymising personal data. Therefore, data controllers can use pseudonymisation to help meet the GDPR’s data security requirements. From a systems perspective, controllers are required to implement risk-based measures for protecting data security.

Pseudonymous data IS NOT ANONYMOUS by default!

Just because data is pseudonymous it does not mean that the data is anonymous. Ira and Woodrow have explained in their research paper that “true anonymization” is a myth at best, or very difficult to achieve. If your data can in any shape or form, combined with other data sets, lead to the identification of the individual, then your data is subject to GDPR. To help you address this issue, the GDPR adopts a more flexible approach than the traditional black and white stance taken by the ICO and focuses on the risk that data will reveal identifiable individuals. Thus, the key distinction between pseudonymous data, which is regulated by the GDPR, and anonymous data, which is not, is whether the data can be re-identified with reasonable effort.

So, remember, pseudonymised data is not by default anonymous if that data can be used in conjunction with other data sets to identify an individual.
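To make the distinction concrete, here is an added Python example (not from the original post and not Totale Learning’s code) using constructed donor records: direct identifiers are replaced with keyed tokens whose key and lookup table are the “additional information” to be held separately, while a linkage check shows that the postcode and date of birth left in the pseudonymous set can still single out a record against another data set until they are generalised. The records, the register and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records for a charity's newsletter sign-ups (hypothetical people).
DONORS = [
    {"name": "Alice Smith", "email": "alice@example.org", "postcode": "SW1A 1AA", "dob": "1980-04-12", "gift": 50},
    {"name": "Bob Jones",   "email": "bob@example.org",   "postcode": "M1 1AE",   "dob": "1975-09-30", "gift": 20},
    {"name": "Carol White", "email": "carol@example.org", "postcode": "M1 1AE",   "dob": "1975-09-30", "gift": 75},
]

# Constructed "other data set" that a recipient of the pseudonymous rows might plausibly hold.
PUBLIC_REGISTER = [
    {"name": "Alice Smith", "postcode": "SW1A 1AA", "dob": "1980-04-12"},
    {"name": "Bob Jones",   "postcode": "M1 1AE",   "dob": "1975-09-30"},
    {"name": "Carol White", "postcode": "M1 1AE",   "dob": "1975-09-30"},
    {"name": "Dave Brown",  "postcode": "SW1A 2AB", "dob": "1980-01-01"},
]

DIRECT_IDENTIFIERS = ("name", "email")   # removed by pseudonymisation
QUASI_IDENTIFIERS = ("postcode", "dob")  # kept for processing, but still linkable


def new_key():
    """The pseudonymisation key: part of the 'additional information' kept separately."""
    return secrets.token_bytes(32)


def pseudonymise(rows, key):
    """Replace direct identifiers with a keyed token.

    Returns (pseudonymous rows, lookup table). Both the key and the lookup table are
    the GDPR's "additional information" and must live apart from the pseudonymous rows,
    under their own access controls.
    """
    pseudo, lookup = [], {}
    for row in rows:
        # HMAC rather than a plain hash: without the key, nobody can reproduce a token
        # by hashing guessed e-mail addresses. 16 hex chars (64 bits) is enough for a demo.
        token = hmac.new(key, row["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: row[k] for k in DIRECT_IDENTIFIERS}
        pseudo.append({"id": token, **{k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}})
    return pseudo, lookup


def reattribute(pseudo_row, lookup):
    """Controlled re-identification by the party that holds the additional information."""
    return lookup[pseudo_row["id"]]["name"]


def linkable_records(pseudo_rows, other_rows, quasi=QUASI_IDENTIFIERS):
    """Count pseudonymous rows whose quasi-identifiers match exactly one entry elsewhere.

    This is the check to run before treating a data set as anonymous: a row that singles
    out one person in a data set the recipient could hold is still personal data.
    """
    index = defaultdict(list)
    for other in other_rows:
        index[tuple(other[q] for q in quasi)].append(other["name"])
    return sum(1 for r in pseudo_rows if len(index[tuple(r[q] for q in quasi)]) == 1)


def generalise(rows):
    """Reduce precision of the quasi-identifiers: outward postcode and year of birth only."""
    return [{**r, "postcode": r["postcode"].split()[0], "dob": r["dob"][:4]} for r in rows]
```

Holding the key lets the charity re-attribute a row lawfully; running `linkable_records` on the same rows shows that one donor is still uniquely linkable by postcode and date of birth, and only the generalised rows stop being singled out.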


How well does your TECHNOLOGY understand GDPR?

GDPR for technology companies and technology systems
Is your data getting ahead of you?

A recent conversation by PricewaterhouseCoopers (PwC) at the IP EXPO EUROPE suggests that while most companies are preparing fervently for GDPR, there is a mini black hole emerging in the process.

Stewart Room, global lead for cyber security and data protection legal services, outlined that many companies are overlooking their technology stack, which falls squarely on the radar of GDPR. So, to ensure that you are not caught off-guard, here are some things you need to consider.

Is data protection an integral part of your technology landscape?

The data protection principles set out the core compliance goals of the law. They have been at the heart of European data protection regulation from its very beginning in the 1960s. The principles must be delivered in the technology stack and you must take ‘appropriate technical and organisational measures’ to do so. When developing those technical and organisational measures, you must have full regard to the ‘nature, scope, context and purposes of processing’ and ‘the risks of varying likelihood and severity for the rights and freedoms of natural persons’. The obvious implication of this requirement is that risk assessments must be performed in all cases. These risk assessments require a deep understanding of the effect that technology can have on individual rights and freedoms.

If people are to have control over their personal data, they need rights over that data and transparency about what is happening to it. But the exercise of these individual rights is only truly effective if an organisation’s technology stack is fully responsive to them, and has the right functionality embedded in it. The core individual rights are the ‘right of access’, ‘right to rectification’, ‘right to erasure’ (or the ‘right to be forgotten’), ‘right to restriction of processing’, ‘right to data portability’ and ‘right to object’. In a functional sense, these rights require the technology to:

  • Connect individuals to their personal data;
  • Categorise personal data by type and processing purpose;
  • Map or trace the full information lifecycle;
  • Perform search and retrieval;
  • Enable rectification, redaction, erasure and anonymisation;
  • Enable freeze and suppression;
  • Enable the transmission of personal data from one technology stack to another.

All of this must be protected by appropriate security.

What do you need to look out for?

  • Accountability – Does your technology work properly and does it do what it says on the tin?
  • Records of processing activities – Do you know your data life cycle and your information flow processes?
  • DPA by design – Is your system designed and built with DPA in mind?
  • DPIA – Have you completed your privacy impact assessment?
  • Breach notification – Do you have adequate measures in place to prevent a breach? If these fail, do you have a process for notification?

Which Articles do you need to keep an eye on?

  • Article 15 – Right of access by the data subject
  • Article 16 – Right to rectification
  • Article 17 – Right to erasure (right to be forgotten)
  • Article 18 – Right to restriction of processing
  • Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20 – Right to data portability
  • Article 21 – Right to object
  • Article 22 – Automated individual decision-making, including profiling
  • Article 25 – Data protection by design and default
  • Article 35 – Data protection impact assessments


GDPR for charities and fundraising organisations (privacy notices)


GDPR for charities and fundraising organisations
Charities and Fundraising organisations GDPR

GDPR for charities

In the previous part of this series we saw how GDPR affects recruiters (and you as you will be one of the biggest volunteer recruiters), in this part we are going to look at “Language” and your privacy statement.

Language:

Language forms the basis of verbal and written communication. Imagine a world where no two people spoke the same language and therefore could not communicate: something like the “Tower of Babel” situation!

Similarly, GDPR expects you to use a certain “type” of language when communicating with your data subjects.

The average privacy policy is long-winded, technical and usually filled with industry-specific jargon. The reason for this (more often than not) is that it is written by lawyers, and what should be a simple privacy notice is written like a legal contract. In other words, it is trying to ensure that the company (i.e. you) can’t be sued! Banks and financial institutions are among the worst offenders here. Their terms and conditions will make any average privacy notice look like a postcard! The best privacy notices are as short as they can be, written in language that is plain to the point of bluntness, and highlight the most surprising and unexpected things that you are doing.

Let’s consider the example we used before – our Acme Limited (fictitious company). Acme Limited has a charitable concern called Acme Charities Limited (ACL) (another fictitious company). Now let’s say ACL has a newsletter section and collects the following information:

  • Name
  • Address
  • Date of birth
  • Email address
  • Contact number

On the sign up page, ACL has mentioned that it will only use the email address to send you newsletters and will not share the data with other charities. It also mentions that your information will not be used for marketing purposes. However, at the bottom of the sign up page, there are two tick boxes (check boxes) that ask you if you want to allow them to request donations from you.

Pretty standard sign up page so far! Well, you complete your information and being the kind hearted person that you are, tick the box that allows them to contact you for donations. When you tick the box, a further message appears that tells you that you can unsubscribe from this option at any time and you can view their full privacy terms and conditions by clicking a link.

Sounds familiar? That’s because that is most of your sign up pages. The permutations and combinations might vary, but the bottom line is pretty much the same.

Well, getting back to ACL’s sign up page, out of curiosity you click the terms and conditions link and you are presented with a 10 page document. Being the prudent person that you are, you take your time to read it. About halfway through the document there is a section that tells you what they will do with your data.

“In order to ensure that the data we hold about you is accurate and up to date, we may occasionally use information sources that are in the public domain to verify your details, such as address and telephone number.”

Once again, sounds familiar? Yes, most companies are guilty of this and let’s see why under the GDPR, this is no longer acceptable.

In ACL’s example, the privacy statement explicitly mentions that the data will be used to verify your details. So at this point, the data (more often than not), will leave ACL’s control and pass to a third party. Part of ACL’s contract with the third party is to do a wealth screen as well. Now if ACL uses ANY of the data for the wealth screen, they will be in breach of the GDPR principle. “But they have mentioned it in their multipage privacy document!”, I hear you ask. Well, let’s take a closer look.

Think about intention and explanation. Your intention (and for all purposes, the intention of your potential donor) is to receive a newsletter. On selecting the “contact me for donations” section, the data subject (donor) now has to be subjected to additional DPA notices. So the intention has now changed in the context of data protection.

As for the explanation, the disclaimer about the information gathered was succinctly outlined. However, when it came to the opt-in donation section, the data subject was referred to a multipage saga. While the saga might have been necessary from a legal standpoint (to cover your bases), there was no explanation of what the data subject should be aware of before they make that commitment. This also raises an issue of consent! Remember the point about the data subject’s details being passed to a third party to verify? Well, ACL has assumed consent on this point, just because the data subject clicked the “contact me for donations” tick box. Once again, where was the explanation of this change in intent?

The ICO recommends a layered or just-in-time approach. That is, provide layered information as your intention changes. So in ACL’s case, while their first explanation is succinct and to the point, additional information should have been available (similar to the initial explanation) once the data subject’s intention was broadened.

Personally, I would recommend a just-in-time approach, as it allows the data subject to make an informed decision about their data at every step.

So how should the privacy notice be written?

When you are writing your privacy notice, make sure it is:

  • concise, transparent, intelligible by your target audience and easily accessible,
  • written in clear and plain language, particularly if addressed to a younger person (minor) and
  • free of charge.


“But it won’t look pretty!”, I hear you scream!

Well, let me share with you some of the rather beautifully crafted privacy notices from some of the companies that have already implemented GDPR (or are in the process of implementing it).

AGE UK:

privacy notice example from AGE UK
Age UK privacy notice

https://play.ageuk.org.uk/help/privacy-policy/


MICROSOFT

Privacy notice example from Microsoft UK
Microsoft privacy notice

https://privacy.microsoft.com/en-gb/privacystatement

Microsoft have taken it a step further with their privacy subsite.

Privacy and GDPR compliance example Microsoft
Microsoft does it right with a privacy subsite

https://privacy.microsoft.com/en-GB/


Further reading:

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/


(to be continued)


GDPR for recruiters

GDPR for recruitment, charities and volunteer recruitment
Uncover GDPR for recruitment

As part of the GDPR for Charities series – we must touch on “recruitment” as you will undoubtedly be recruiting one of the highest numbers of people from the volunteer and new starters’ talent pool. As this crosses domains, we’ll approach this subject as if you were a recruiter.

So what does GDPR mean for recruitment?

Let me start by saying – irrespective of the size of your organisation, you will need to adhere to the GDPR policies – even more so as you will be holding data that could potentially influence and (or) directly impact on the data subjects’ rights as an individual and their career prospects.

Now allow me to dissect that statement and demonstrate how it will impact you and what you need to do to ensure you are adhering to the GDPR principles.

It doesn’t matter whether you are using a Rolodex™, Microsoft Excel™ or a flashy talent management system: you hold sensitive and personal information about a data subject. In other words, the information you hold on your candidates (data subjects) is your bread and butter, and you will need to protect that asset.

You, your candidates (data subjects) and consent

Under GDPR, candidates must give consent for their personal data to be collected and used; it needs to be clear to candidates how the data will be used, and candidates can ask for their data to be removed. If a recruitment agency does not comply with this, there are some very harsh penalties: fines of up to €20 million or 4% of the company’s global turnover.

Don’t get caught out by automation

Any automation you use in your recruitment process based on personal information needs to be opt-in. This means that any profiling you carry out can only be carried out on candidates who have explicitly given you permission to do so. Yes, and before you ask, this also includes prospecting and screening.

Let me paint you a picture. Joe Bloggs (not a real name) is a specialist in his field. As a recruiter in that field you notice that Joe Bloggs has been with Acme Limited (not a real company) for 5 years. You research Joe Bloggs and see that he is interested in a change (based on conversations he has had in a public forum) and you approach him. Joe Bloggs is interested in your proposal and you ask him your screening questions. Great! Joe has cleared your initial screen and you ask him to send you his updated resume.

You are impressed with Joe’s resume and ask him to complete an online in-depth screening interview. Joe completes it promptly. Unknown to you, one of the questions (which you would not normally ask a person in a face to face setting) was asked in the EOM form. Your state of the art system has decided based on the information provided to it by Joe Bloggs that he would not be a good match for your company’s culture.

The system has made a recommendation which is now a part of Joe’s profiling data. Nevertheless, you invite Joe for a formal interview. The hiring manager interviews Joe and finds him a bit “shady”. She then refers to his profiling data and she sees the “red-flags” that your system has highlighted which she takes as validation for not wanting to hire Joe.

Joe is informed that he was unsuccessful in the interview and his resume will be held on file for any future roles that might come up.

In this fictitious scenario, can you spot the number of times GDPR principles were breached (knowingly or unknowingly)?

Don’t worry, this is not a trick question – suffice to say that should Joe challenge you under the GDPR, there will be some serious explaining to be done by you (your company).

  • Firstly, you appended data (see data appending if you are unfamiliar with this) without Joe’s consent even if that information was in the public domain.
  • Next, you asked for his resume and, at the end of that unsuccessful interview, your system decided to retain that information. You never offered Joe the chance to make a choice in the matter.
  • Technically, Joe is everything you are looking for – but you profiled him (without his consent). That profiling was automated (which he did not explicitly agree to). Furthermore you asked a sensitive information question (which may not be necessary for the activity that Joe is going to be undertaking).
  • The hiring manager then validated her decision based on the profiling data produced by an automated system – without the chance for clarification or rebuttal from Joe.
  • Lastly, you did not offer Joe the opportunity to delete his data.

By the way, in case you are wondering, Joe got his dates wrong in a previous job about 7 years ago. He was adamant that it was X when your system profiled that the company did not exist at X date (again, information that was automatically obtained from the public domain).

Yes, this is a fictitious scenario and was written to make a point – but the problems highlighted are very real.

Once again it does not matter if you are using a Rolodex™, Microsoft Excel™ or a flashy talent management system, you should at all times adhere to the principles of GDPR.

Remember: If the decision being made is based on sensitive personal data – for example, relating to ethnic origin or sexual orientation – you should get explicit consent to use this information. However, automated processing should not be used to filter out candidates based on protected characteristics under the Equality Act 2010, as that would be unlawful discrimination.


GDPR for charities and fundraising organisations (part 4)

GDPR for charities and fundraising organisations
Charities and Fundraising organisations GDPR


Well, I hope you liked the little break that we took from the GDPR for charities series by looking at Firefighting and GDPR. In the previous article in this series we looked at the GDPR principles and the appending of data in GDPR. Now let’s look at how you process the data that you have.

By now you’d have identified what the purpose of the data is and that you have the right to that data. Under GDPR, you’ve got to answer three main questions:

  • Is the data processing lawful?
  • Is the data processing fair?
  • Are you able to answer the question “have I met the conditions of GDPR in processing this data?”

Is the data processing lawful?

Unlike other laws like public nuisance or theft, data protection laws are more “subtle” and can be broken without you even realising that you have breached data protection. Since there is no clear-cut “you can do this” or “you can’t do this”, you will need to rely on additional laws that govern your charity. For example, if you are a charity that cares for vulnerable people, Human Rights laws will be applicable to you. You could potentially breach a data protection principle by trying to adhere to a Human Rights Law or conversely by not adhering to it!

Therefore, as part of GDPR, you’ll also need to have an understanding about the other laws that could impact on the data protection principles.

Is the data processing fair?

What is fairness? Theoretically, fairness is the impartial and just treatment or behaviour without any prejudice, favouritism or discrimination. So, what does fairness mean in terms of GDPR? Well, for the purposes of GDPR, we’ll deal with fairness as applicability and transparency.

So what is applicability? Fairness in terms of applicability is when you are able to demonstrate what data you are collecting and if the data subject has the ability to opt out of your collection process. In other words, are you giving your data subjects the actual “right” to their data or are you just informing them of what you will be doing with their data (which leads us to the transparency aspect of fairness in data processing).

In other words, if you put yourself in the data subjects’ shoes and are able to answer the question “if this was me, would I be comfortable with the data I am collecting?”, then you have pretty much covered the applicability aspect of fairness.

Transparency, on the other hand, is fairly straightforward: letting your data subjects know the identity of the controller, along with what you are going to do with the data that has been collected and any additional data collection, profiling and research you will be undertaking with the data gathered so far on a data subject. If you are able to confidently answer these questions, you will have covered the fairness principle of data processing.

So how do you put this in action?

Recent ICO enforcements on charities have highlighted certain “areas of weaknesses” that affect most charities. Therefore, your privacy notice should contain information about:

  • Who you are sharing your data with
  • What further processing (or appending) you are going to do on the data collected
  • What profiling, research, screening and additional processing you will be undertaking with the data collected
  • What additional data you are going to get and from where (and to what end you will be using this additional information).

(To be continued….)


Are you a firefighter?

GDPR and firefighting
Firefighting in companies with bad management

Firefighting and GDPR

Let’s take a break from our GDPR for Charities series to look at something that I believe is important to talk about but is usually ignored – but not for long as far as the protection of data is concerned.

No, I am not talking about fire engines, fire fighters and health and safety drills. I’m talking about a very familiar scenario that happens in most offices up and down the country. Yes, I am talking about the numerous “fires” that are dealt with on a daily basis.

Ok, analogies aside, let’s see if this is a scenario you are familiar with. You are on your way to the office and have mentally made a list of things you need to do for the day. The first hour goes by uneventfully and you even manage to get a couple of emails out. Then all hell breaks loose! There is some issue that needs your immediate attention. Begrudgingly you address the issue. You know what the problem is and have informed your stakeholders what action needs to be taken to correct the issue. Convinced you’ve done a good job in containing the problem you go back to your work. Before long there is an important report that needs to be produced and needed to go out yesterday. You are tasked with completing the report to keep the client happy when suddenly there is a call from another stakeholder. This time it is another issue that you had dealt with two weeks ago. Since you’ve already sorted the issue out before you know how to contain this new occurrence of the same issue, you sort it out and inform your stakeholder what needs to be done to correct the root cause of the issue. Your stakeholder as always agrees that something must be done but does not allocate any resource to correcting the issue. In the meantime the time available for you to complete that report is running out. You finally sit down to complete that report when the stakeholder who gave you the report now needs an amendment to the data based on a last minute request from their client. Does this sound familiar at all? If not, then consider yourself working in a company that has a good infrastructure. If on the other hand this sounds like your average day, you are working in a company that has a firefighting culture.

“Firefighting is the emergency allocation of resources that is required to deal with an unforeseen problem.

It’s a common misconception that “fires” are unpredictable and that they must be dealt with immediately. However, a too-frequent need for emergency action may reflect poor planning, or a lack of organization, and is likely to tie up resources that are needed elsewhere.

The vast majority of daily interactions between the frontline and their managers revolve around events taking place that day. Anyone who has experienced these interactions can recognize that the intense focus is always on today’s fire with little or no regard given to what will happen tomorrow, next week, next month, or next quarter.

This firefighting mentality can only have one of two outcomes. Either the fire is extinguished or an excuse as to why the fire cannot be extinguished. Either way – the actual cause of the fire is not being dealt with. Most managers can see that this frenzied approach is undesirable, but are often frustrated when their initial attempts to change it fail. Usually the fire-fighting culture has become so ingrained in an organization that only a radical change in behaviour will produce a lasting change.”

This is where GDPR comes in. In a post-GDPR world, as far as data protection is concerned, you are bound to fail (or end up paying hefty fines) if your organisation uses a firefighting approach. GDPR is unforgiving when it comes to personal data. Not knowing where the source of your fire is could prove to be a very expensive gamble.

So, while you won’t put up with a firefighting culture in real life (it simply is not a sustainable business model), why then is it ok to think that you can deal with GDPR like it is just another fire? GDPR is not a fire but a firestorm. So, to be prepared for it, you’ll need to be in the process of implementing your data protection guidelines now.

Address the root cause and your fires will slowly but surely reduce (if not fully go away).

Here’s where we can help:

Totale Learning create bespoke GDPR solutions (consultation, training and development, etc.) that are tailor-made to your business. Our experienced consultants will help you through your GDPR process and, when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at hello@totalelearning.com or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.

GDPR for charities and fundraising organisations – part 3


GDPR for Charities (Part 3)

In the previous article in this series, we saw what roles the different parties play in the GDPR saga and what constitutes personal data in the GDPR world. In this article we’ll look at the principles of data protection under the GDPR.

Before we do that, let’s talk about data in the public domain.

Most people who use the internet (and some who don’t) fail to realise the amount of data that is held about them in the public domain. Data protection is not only about deleting personal information or protecting personal information that is available; it is partly about that, but it is also about how that personal data is used. So, for a second, let’s extend this concept to data that is found in the public domain. There is ample data about an individual that is readily accessible through various sources. However, there is no exemption for data that is held in the public domain, and certain information found there is sensitive in nature and requires stricter adherence to the data protection principles, especially if that data is then used to make decisions about the data subject.

Principles of data protection

There are two fundamental principles of data protection. In short, the data must be obtained lawfully, it should be fair and accurate, and you’ll need to justify what the data is being used for. It’s really that simple.

So let’s see what GDPR means by ‘purpose’.

The current Data Protection Act says that personal data shall not be processed in any manner incompatible with the controller’s ‘specified and lawful purposes’. The GDPR expands on this by saying that the data should not be ‘further processed in a manner that is incompatible with those (initially specified) purposes’. The GDPR purposes must be ‘specified, explicit and legal’. Therefore, you must set out your purposes clearly and unambiguously.

In the world of fundraising, you can’t just say ‘the purpose of collecting your data is for fundraising’ as you could potentially use that data for a whole host of things and by doing so, you could fall foul of the GDPR.

Appending data

What about data that is obtained from a third party (or from another part of your charitable organisation)?

Appending is when you acquire additional data from a third party, where the data was not provided to you directly by the data subject. You should tread very carefully if your charity uses this type of data collection method, as recent ICO guidelines around this have caused some confusion. Since it is better to be safe than sorry when it comes to GDPR, if you append data to information already in your possession, then you will either need to return to the data subject and obtain new consent for the additional information or obtain the additional information directly from them.

We’ve included a recent conference summary on this subject which covers amongst other things the regulatory compliance with relation to fundraising.

Fundraising conference paper – 21st of February 2017 (page 10 for information on data appending).

(To be continued….)


GDPR for charities and fundraising organisations – part 2


GDPR for Charities (Part 2)

In the previous post, we saw what GDPR means to you as a charitable organisation. In this post we’ll see what the fundamentals of the General Data Protection Regulation (GDPR) are.

As a charity, you are heavily reliant on data, especially in the form of donor information or member information. So to ensure that you are compliant under the GDPR, you need to know what data you hold about people. In other words, you’ll need to start at the very beginning of your data flow process.

So that you are not caught out, start by justifying what data you hold about your data subjects, how it was acquired and what ongoing consent procedures you have in place for retaining that data. Did you notice that we used the words ‘ongoing consent’ and not just ‘consent’?

What’s the big difference?

A person (data subject) making a donation in the past does not mean you have the right to retain that person’s information and approach them repeatedly. Furthermore, under the GDPR, you’ll need to obtain infallible consent for collecting and retaining data about your data subjects. Ongoing consent means that you’ll need to ensure that the data subject still consents to your use of their data.

For example, suppose you are a charitable helpline for service dogs, you run a promotional event, and a data subject (donor) calls you (let’s call him Jim). Jim mentions to you that he would love to contribute to your cause and makes a healthy donation. You fail to inform Jim that you will be storing and using his data as part of your “donor list”. Everything goes swimmingly and Jim is happy with his donation. Two years go by and you’ve decided to run another event. You promptly remember Jim’s healthy donation and give him a call. Jim’s son answers the phone and is not as generous as his father. He is not happy that Jim is giving out money to charities, especially as Jim has been diagnosed with dementia. As a person who has power of attorney over his father’s finances, he wants to know why you called. Remember, at this point you’ve not obtained Jim’s consent for storing his information. His son also wants to know how much was donated the last time around. As you can see, you are now entering a minefield of legal and ethical issues, and should Jim’s son make a complaint about your charitable organisation, you’ll have a lot of explaining to do to the ICO.

So, in summary, ensure you have the right type of consent and that your consent is valid as far as the data subject is concerned.

So, where do you start?

As the famous song from the ‘Sound of Music’ goes, “Let’s start at the very beginning, it’s a very good place to start…”

Let’s see what roles people (and companies) play in the world of GDPR.

Similar to the current DPA guidelines, there are three groups of people that you’ll need to be aware of:

  1. The data subject
  2. The data controller
  3. The data processor

The data subject is a person or individual about whom you hold any or many personally identifiable pieces of information.

The data controller is the person or organisation that determines the purpose of the data, i.e. what is done with the data that is in their possession.

The data processor is a person or organisation acting on behalf of another organisation. If the data processor supplies data, then they themselves will become a data controller (for their own data pipeline) and remain a processor for your data.

So what is personal or personally identifiable information?

Personal and personally identifiable information is nothing but information with which and by which you can identify a specific individual. The information must allow you to identify a person (either by itself or when used in combination with other pieces of information). A good example would be to use our friend Jim. Knowing that a donor’s date of birth is the 13th of August 1945 is not, by itself, sufficient to be classed as personally identifiable information. Let’s expand this further by adding another piece of data to the equation: let’s say you know there is a Jim whose date of birth is the 13th of August 1945. This is now personally identifiable information, as you could identify Jim from a group of people using the two pieces of information (name and date of birth).

If you are unsure of what constitutes personally identifiable information, the ICO have put out a great resource which you can download from the link below:

The ICO’s guidelines on what is personal data.

(To be continued….)


GDPR for charities and fundraising organisations


GDPR for Charities (Part 1)

Charities are an essential part of life for many vulnerable groups of people. Data (in the form of donor lists, fundraising leads etc.) is one of the key assets of a charity. The data protection principles have not changed since 1998. Electronic marketing rules have not changed since 2003, and some elements (like the Telephone Preference Service) were in place before that. Those with an interest in doing so have issued misleading interpretations of the ICO’s relatively consistent advice to charities.

There are numerous examples of charities getting into trouble for not having adequate data protection measures in place or for flouting the rules. GDPR is no different. If your current data protection policies are not up to the mark, get ready to put some elbow grease into implementing GDPR. On the other hand, if your data protection policies are already robust to begin with, implementing GDPR should be relatively easy.

So, as a charity, what should you do differently as opposed to a private company?

Nothing! You should not do anything differently to any other organisation. Data Protection treats charities in pretty much the same way as private companies. Asking people for donations, assessing whether a person is a likely donor, or maintaining records of supporters are seen as no different to marketing a product or service, profiling a customer, or maintaining a customer database. There is a single exemption for not-for-profit organisations, covering the technical area of sending a Data Protection notification to the Information Commissioner. There are no exemptions covering marketing, fairness, security, enforcement or the use of volunteers.

However, your need for a more stringent data protection implementation is higher due to the nature of data you’ll come across.

So what should I look out for?

  • Don’t assume the ends justify the means. Consent is consent – either you have it or you don’t. So ensure you get your users’ consent to use their data.
  • You cannot assume consent. Failure to opt-out is not consent. Silence is not consent. Previous support is not consent. A donation made is not consent!
  • If a donor or individual does not understand what you are doing with their personal data, the practical effect is that you can’t do it, whatever it is.
  • Volunteers are no different to employees; they must be trained and equipped to protect data. There is no volunteer exemption. Using volunteers is a choice you have made, and you are responsible for ensuring that you manage the risks adequately.
  • If you contract out any work to an agency or contractor, you are wholly responsible for what they do, unless they steal your personal data or otherwise use it for their own purposes.
  • Personal data available in the public domain is still personal data and Data Protection still applies to it.
  • There are specific rules for consent over the method of communicating fundraising and other direct marketing communications.

(To be continued….)
