GDPR for charities and fundraising organisations – part 2


GDPR for Charities (Part 2)

In the previous post, we saw what GDPR means to you as a charitable organisation. In this section we’ll see what the fundamentals of general data protection regulation (GDPR) are.

As a charity, you are heavily reliant on data, especially in the form of donor information or member information. So to ensure that you are compliant under the GDPR, you need to know what data you hold about people. In other words, you’ll need to start at the very beginning of your data flow process.

So that you are not caught out, start by justifying what data you hold about your data subjects, how it was acquired and what ongoing consent procedures you have in place for retaining that data. Did you notice that we used the phrase ‘ongoing consent’ and not just ‘consent’?

What’s the big difference?

A person (data subject) having made a donation in the past does not give you the right to retain that person’s information and approach them repeatedly. Furthermore, under the GDPR, you’ll need to obtain clear, unambiguous consent for collecting and retaining data about your data subjects. Ongoing consent means that you’ll need to ensure that the data subject still consents to your use of their data.

For example, suppose you are a charitable helpline for service dogs, you run a promotional event, and a data subject (donor) calls you (let’s call him Jim). Jim mentions that he would love to contribute to your cause and makes a healthy donation. You fail to inform Jim that you will be storing and using his data as part of your “donor list”. Everything goes swimmingly and Jim is happy with his donation. Two years go by and you’ve decided to run another event. You promptly remember Jim’s healthy donation and give him a call. Jim’s son answers the phone and is not as generous as his father. He is not happy that Jim is giving out money to charities, especially as Jim has since been diagnosed with dementia. As the person who holds power of attorney over his father’s finances, he wants to know why you called. Remember that at this point you have not obtained Jim’s consent for storing his information. His son also wants to know how much was donated the last time around. As you can see, you are now entering a minefield of legal and ethical issues, and should Jim’s son make a complaint about your charitable organisation, you’ll have a lot of explaining to do to the ICO.

So, in summary, ensure you have the right type of consent and that your consent is valid as far as the data subject is concerned.

So, where do you start?

As the famous song from the ‘Sound of Music’ goes, “Let’s start at the very beginning, it’s a very good place to start…”

Let’s see what roles people (and companies) play in the world of GDPR.

Similar to the current DPA guidelines, there are three groups of people that you’ll need to be aware of:

  1. The data subject
  2. The data controller
  3. The data processor

The data subject is a person or individual about whom you hold any or many personally identifiable pieces of information.

The data controller is the person or organisation that determines the purpose of the data – i.e. what is done with the data that is in their possession.

The data processor is a person or organisation that processes data on behalf of another organisation. If the data processor supplies data of its own, then it will itself become a data controller (for its own data pipeline) while remaining a processor for your data.

So what is personal or personally identifiable information?

Personal and personally identifiable information is simply information with which, or by which, you can identify a specific individual. The information must allow you to identify a person (either by itself or when used in combination with other pieces of information). A good example would be to use our friend Jim. Knowing that a donor’s date of birth was the 13th of August 1945 is not, on its own, sufficient to be classed as personally identifiable information. Let’s expand this further by adding another piece of data to the equation: now you know there is a donor called Jim whose date of birth is the 13th of August 1945. This is now personally identifiable information, as you could identify Jim from a group of people using the two pieces of information together (name and date of birth).

If you are unsure of what constitutes personally identifiable information, the ICO has put out a great resource which you can download from the link below:

The ICO’s guidelines on what is personal data.

(To be continued….)

Here’s where we can help:

Totale Learning creates bespoke GDPR solutions (consultation, training and development, etc.) that are tailor-made to your business. Our experienced consultants will help you through your GDPR process and, when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at hello@totalelearning.com or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.

GDPR for charities and fundraising organisations


GDPR for Charities (Part 1)

Charities are an essential part of life for many vulnerable groups of people. Data (in the form of donor lists, fundraising leads etc.) is one of the key assets of a charity. The data protection principles have not changed since 1998. Electronic marketing rules have not changed since 2003, and some elements (like the Telephone Preference Service) were in place before that. Various parties with an interest in doing so have issued misleading interpretations of the ICO’s relatively consistent advice to charities.

There are numerous examples of charities getting into trouble for not having adequate data protection measures in place or for flouting the rules. GDPR is no different. If your current data protection policies are not up to the mark, get ready to put some elbow grease into implementing GDPR. On the other hand, if your data protection policies are already robust to begin with, implementing GDPR should be relatively easy.

So, as a charity, what should you do differently as opposed to a private company?

Nothing! You should not do anything differently to any other organisation. Data Protection treats charities in pretty much the same way as private companies. Asking people for donations, assessing whether a person is a likely donor, or maintaining records of supporters are seen as no different to marketing a product or service, profiling a customer, or maintaining a customer database. There is a single exemption for not-for-profit organisations, covering the technical area of sending a Data Protection notification to the Information Commissioner. There are no exemptions covering marketing, fairness, security, enforcement or the use of volunteers.

However, your need for a more stringent data protection implementation is higher due to the nature of data you’ll come across.

So what should I look out for?

  • Don’t assume the ends justify the means. Consent is consent – either you have it or you don’t. So ensure you get your users’ consent to use their data.
  • You cannot assume consent. Failure to opt-out is not consent. Silence is not consent. Previous support is not consent. A donation made is not consent!
  • If a donor or individual does not understand what you are doing with their personal data, the practical effect is that you can’t do it, whatever it is.
  • Volunteers are no different to employees; they must be trained and equipped to protect data. There is no volunteer exemption. Using volunteers is a choice you have made, and you are responsible for ensuring that you manage the risks adequately.
  • If you contract out any work to an agency or contractor, you are wholly responsible for what they do, unless they steal your personal data or otherwise use it for their own purposes.
  • Personal data available in the public domain is still personal data and Data Protection still applies to it.
  • There are specific rules for consent over the method of communicating fundraising and other direct marketing communications.

(To be continued….)



GDPR for small businesses

Small business GDPR compliance

Small businesses and GDPR

Many small business owners like yourself will know that the 25th of May 2018 is an important day as it is the date when the European General Data Protection Regulation (GDPR) comes into force. It is likely that you will have the same question as the others: what does GDPR mean for my business and me?

In a nutshell – A LOT!

Any company, big or small, will have to comply with the new regulations as far as secure collection, storage and usage of personal information is concerned. Just to make matters worse, violations will be met with fines (and a whole lot of them!).

The good news is that the GDPR recognises that smaller businesses require different treatment to large or public enterprises. So, Article 30 of the regulation declares that organisations with fewer than 250 employees will not be bound by GDPR – although there are several conditions attached to it, which mean that it will be beneficial in the long run to be GDPR compliant.

So what exactly does GDPR mean for me?

  • GDPR gives EU citizens and residents back control of their personal data, and
  • GDPR simplifies the regulatory environment for international business by unifying the regulation within the EU.

If you’re unsure of whether or not GDPR applies to you, consider how regularly you deal with personal data. This includes employees (present and past), customers, suppliers and anybody who interacts with your business.

If it’s a fairly regular event, then you should consider implementing all the regulations outlined by the GDPR. The ICO has also stated that any businesses affected by the DPA will also fall under the GDPR. But the key difference between the DPA and the GDPR is that the latter will be far stricter in what is defined as personal data.

You’ll also need to be prepared for Subject Access Requests (SARs) – a request under the DPA used by individuals who want to see a copy of the information that you hold about them. The ‘right to be forgotten’ (which is a new requirement) will require you to identify and erase all of an individual’s data.

Preparation is key, but GDPR compliance will be an ongoing task that will require careful monitoring. Being aware of the new regulations and what they mean for your business is vital. So don’t stick your head in the sand and wait for it to pass. After all, once the GDPR arrives, it’s here to stay.



Hey HR, what are you doing about GDPR?

GDPR for HR

If the customer is the heart of an organisation, surely its employees are the soul! So, who is protecting your employees’ data? Under GDPR, your employees fall squarely within your remit of data protection and you have a duty of care to protect their data – just as you would with your customers.

Here are a few things you can do to spearhead GDPR compliance in HR.

Data is your friend – so why not make it your best friend:

As an HR professional, you are already familiar with the major tenets of data protection and can use this as an opportunity to showcase your expertise in data issues. You can lead by example with employee data and help the other areas of the business deal with customer data. You can help the business identify the issues, and then help solve existing problems and anticipate those that will arise later.

You have the power – use it:

As a function, you are used to writing policies to secure compliance by the workforce. By using your knowledge and experience not only in drafting policies but in training staff to understand and adhere to them, you will greatly assist your business in being ready for GDPR.

Hello Risk our old friend, (We’ve come to talk with you again):

You are usually at the forefront of dealing with risks posed by employees and use of their data. Many managers will rely heavily upon your expertise and understanding of data protection. It will be of vital importance to document and demonstrate that the business has complied with its GDPR obligations in order to avoid any fines – so here’s where you come in. Help the business mitigate risk by identifying areas of risk within the organisation.

Agile is your middle name:

In an ever-changing workplace, you are one of the most agile teams (in adapting to new regulations) – so use that to your benefit. You should also use your understanding of the organisation to help design solutions for the teams that will be impacted by GDPR the most. You can propose new ways of working to avoid or minimise risk and to consider the wider current and future implications of GDPR. GDPR requires your organisation to have a clear and well-defined path for data flow – so who better to control this than you?

Training is the name of the game:

So, you’re involved, invested and raring to go; now just one last thing – training! As an HR function, you will already be dealing with a number of compliance, regulatory and mandatory training courses for your employees. GDPR is no different. You’ll need to get your employees trained on the implications of GDPR. Don’t just stop there – have an ongoing training programme for your employees so that they become and remain compliant at all times.

Here’s where we can help:

Totale Learning creates bespoke elearning content and GDPR solutions (including consultation) that are tailor-made to your business. We’ll use content specific to your sector, industry and company. If you prefer, we also have generic courses which can be deployed out of the box for your organisation. Get in touch with us at hello@totalelearning.com or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.

What’s your biggest GDPR challenge?

In May 2018, GDPR will come into force in the United Kingdom. There is a lot of “do this” or “do that” being thrown about, and it is easy to get caught up in a check-box culture. While most large corporates have increased their data security budgets to cater to the upcoming changes, what about the 5.5 million small and medium sized companies? Accounting for about 47% of private sector turnover in the UK, small and medium enterprises also have to adopt GDPR and be compliant.

So, what is your biggest GDPR challenge? Is it information security, data governance or the road to compliance? GDPR is not all that complicated – but it can give you a really bad headache if you fall foul of its regulation. Let’s break down the three main concerns businesses have around GDPR.

Information security

In today’s connected world, information is King. Just like every kingdom needs good security, a robust information security policy is needed for your kingdom as well. The role of information security (IS) professionals is to protect all of the organisation’s information assets. More often than not, data protection (which covers personal and sensitive information) is a sub-section alongside proprietary information, business procedures etc. and does not sit high up on the “protect at all costs” list.

GDPR explicitly underpins the data subjects’ rights in everything a company does. So instead of trying to force your “data” down an existing business process, take a step back and see how you can make your business process and data work harmoniously.

Data governance

You’ve been invited to a wedding. Governance and Privacy are getting married and GDPR is the officiator. The implementation of the General Data Protection Regulation (GDPR) is intrinsically linked to a company’s data governance program. A successful long-term marriage is based on strong foundations and mutual effort.

The GDPR regulation is very clear on what needs to be done to protect the data subjects’ rights, but the open question most companies are facing is how to comply with the regulation and/or go beyond the minimum and make GDPR work for them.

Most companies will implement either a top down or bottom up governance approach. I believe that the two are not mutually exclusive and that a successful implementation of GDPR must be based on a combination of these complementary approaches.

In a top-down approach, the GDPR team will reach out to the business to get a clear understanding of all business (data) processes that involve personal data in one way or another. This is not a one-time effort. Once all processes related to personal data are identified and categorised, they will need to be maintained as the organisation, its infrastructure and its processes evolve over time.

The bottom-up approach is more technical in nature. Companies that have already established data management tools can use these solutions to identify personally identifiable information (PII), attempt to categorise these data elements and assign the relevant attributes for GDPR. This approach quickly hits a bottleneck, as the same data can be used for several business purposes and hence cannot be easily classified for GDPR.

The road to compliance

The grace period for GDPR adoption ends in 8 months’ time. By now you should have understood the impact of GDPR on your business and conducted adequate gap analyses to find the gaps in your data protection framework. The next step is to educate your workforce about the impending changes. Rather than a select few being responsible for data protection in your organisation, it is recommended that all your employees have a “data protection mindset”. In doing so, implementing GDPR becomes a far easier task.

Not being compliant could cost you up to 4% of your annual turnover for the previous year or up to 20,000,000 Euros; so can you really afford to be non-compliant?

So, how can we help?

At Totale Learning, we create bespoke elearning content and GDPR solutions (including consultation) that are tailor-made to your business. We’ll use content specific to your sector, industry and company. If you prefer, we also have generic courses which can be deployed out of the box for your organisation. Get in touch with us at hello@totalelearning.com or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.