GDPR for Charities (Part 2)
In the previous post, we saw what GDPR means to you as a charitable organisation. In this section we’ll see what the fundamentals of general data protection regulation (GDPR) are.
As a charity, you are heavily reliant on data, especially in the form of donor information or member information. So to ensure that you are compliant under the GDPR, you need to know what data you hold about people. In other words, you’ll need to start at the very beginning of your data flow process.
So that you are not caught out, start by justifying what data you hold about your data subjects, how it was acquired and what ongoing consent procedures you have in place for retaining that data. Did you notice that we used the words ‘ongoing consent’ and not just ‘consent’?
What’s the big difference?
A person (data subject) having made a donation in the past does not give you the right to retain that person’s information and approach them repeatedly. Furthermore, under the GDPR, you’ll need to obtain unambiguous consent for collecting and retaining data about your data subjects. Ongoing consent means that you’ll need to ensure that the data subject still consents to your use of their data.
For example, suppose you are a charitable helpline for service dogs, you run a promotional event, and a data subject (donor) calls you; let’s call him Jim. Jim mentions that he would love to contribute to your cause and makes a healthy donation. You fail to inform Jim that you will be storing and using his data as part of your “donor list”. Everything goes swimmingly and Jim is happy with his donation. Two years go by and you’ve decided to run another event. You promptly remember Jim’s healthy donation and give him a call. Jim’s son answers the phone and is not as generous as his father. He is not happy that Jim is giving money to charities, especially since Jim has been diagnosed with dementia. As the person who holds power of attorney over his father’s finances, he wants to know why you called. Remember that at this point you have not obtained Jim’s consent for storing his information. His son also wants to know how much was donated the last time around. As you can see, you are now entering a minefield of legal and ethical issues, and should Jim’s son make a complaint about your charitable organisation, you’ll have a lot of explaining to do to the ICO.
So, in summary, ensure you have the right type of consent and that your consent is valid as far as the data subject is concerned.
So, where do you start?
As the famous song from the ‘Sound of Music’ goes, “Let’s start at the very beginning, it’s a very good place to start…”
Let’s see what roles people (and companies) play in the world of GDPR.
Similar to the current DPA guidelines, there are three groups of people that you’ll need to be aware of:
- The data subject
- The data controller
- The data processor
The data subject is a person or individual about whom you hold any or many personally identifiable pieces of information.
The data controller is the person or organisation that determines the purpose of the data – i.e. what is done with the data that is in their possession.
The data processor is a person or organisation that processes data on behalf of another organisation (the controller). If the data processor also supplies data of its own, then it becomes a data controller for that data (its own data pipeline) while remaining a processor for your data.
So what is personal or personally identifiable information?
Personal and personally identifiable information is nothing but information with which and by which you can identify a specific individual. The information must allow you to identify a person (either by itself or when used in combination with other pieces of information). A good example would be to use our friend Jim. Knowing only that a donor was born on the 13th of August 1945 is not sufficient to be classed as personally identifiable information. Let’s expand this further by adding another piece of data to the equation: say you know there is a Jim whose date of birth is the 13th of August 1945. This is now personally identifiable information, as you could identify Jim from a group of people using the two pieces of information together (name and date of birth).
If you are unsure of what constitutes personally identifiable information, the ICO have put out a great resource which you can download from the link below:
(To be continued….)
Here’s where we can help:
Totale Learning create bespoke GDPR solutions (consultation, training and development, etc.) that are tailor-made to your business. Our experienced consultants will help you through your GDPR process and, when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at firstname.lastname@example.org or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.