From 25 May 2018 the EU General Data Protection Regulation (GDPR) applies across the EU, and in the UK it will be supplemented by the government's new Data Protection Bill. The key principles of data protection still hold true, but the rules around holding or processing personal data are about to become more stringent, with larger fines attached and a wider definition of personal data. Most importantly, the new legislation gives individuals more rights over how their personal data is used.
GDPR applies to customer data, but it also applies to employees, business partners and visitors – anyone from whom personal data is obtained at any stage.
The definition of personal data has also been widened to cover any information relating to an identifiable natural person, that is, someone who can be identified directly or indirectly by reference to an identifier. This covers the obvious items such as a name or email address, but also location data, online identifiers such as IP addresses or cookie IDs, and posts on social networking sites.
Organisations, including charities, will need to ensure that they have the right processes, procedures and policies in place to carry out data processing that complies with GDPR. This includes reviewing how data and permissions are recorded and stored, so that where you rely on consent you only contact those people who have explicitly stated that they want to hear from you, and you can show when and how that consent was given.
Whilst this may seem like a lot of work, it is also a good opportunity to reorganise your data and procedures so that they are fit for purpose. For example, if you have several separate databases, or a system that has grown more convoluted as it has evolved, this is the time to resolve those outstanding issues: remove duplicate or out-of-date records, and delete any data that is no longer required.
It may also be worth contacting the people on your existing lists to check that they still want to hear from you, provided you have permission to contact them under the current legislation. Be careful here: the ICO has already fined organisations for sending "re-consent" emails to people who had previously opted out of marketing, so only send such a request to contacts you are currently entitled to email. Not only is this a chance to touch base with your existing supporters, but it also saves resource if you are no longer contacting people who are not interested in your communications, so you can focus on those who are actually engaged with the information you provide.
As a first port of call, understand your organisation's current data protection processes and who is ultimately responsible for making sure the organisation is compliant. It is worth including your trustees in this initial discussion, as someone will need to take ownership of making sure the new legislation is adhered to and that processes are kept up to date going forward. Failure to do so may result in enforcement action and fines from the Information Commissioner's Office (ICO).
Fines for breaches of GDPR are significantly higher than the existing penalties. For the most serious infringements an organisation can be fined up to €20,000,000, or up to 4% of the annual worldwide group turnover of the preceding financial year, whichever is greater. In addition, GDPR requires organisations to report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned, and to inform the affected individuals without undue delay where the breach is likely to result in a high risk to them.
Unfortunately, as more of our work and communication moves online, data breaches are becoming increasingly common, so it is important to plan now how you would respond: who will assess what has happened, who will decide whether the ICO and affected individuals must be notified within the 72-hour window, and who will handle communications. A rehearsed plan lets you react rapidly, enables business continuity and protects your organisation against reputational damage.
Once you have established who is responsible for data protection within your organisation, you will need to understand what data you currently store and where it is held. Review your existing data protection policy, and if you do not have one, this is the opportunity to put one in place to make sure your organisation is fully protected.
Find out about all the places where you currently capture and store personal data, from mailing lists to event attendee records. Record who has access to each type of data in your organisation, how it is stored, what it is currently used for and what your lawful basis for holding it is. If you do not need it, delete it.
Next, understand what security is in place for the data you currently hold. Are there processes in place to protect the data should your systems be compromised, for example is it encrypted, backed up, and accessible only to the people who need it? Who chooses the passwords that protect it, are they unique and strong rather than shared or reused, where are they stored, and is multi-factor authentication enabled where it is available? Note that forcing regular password changes on its own does little to protect data; unique passwords, secure storage and multi-factor authentication matter far more.
Once you have an idea of how data is stored within your organisation, the person responsible for it will need to take steps to be compliant with GDPR by 25 May 2018, the date from which it applies.
Whilst it may seem like a lot of work to make sure your organisation is compliant with GDPR, it is also a good opportunity to review your existing processes and streamline how you collect data. Your customers and supporters will be grateful to receive only the information they are interested in, and that can only be achieved by auditing the data you already hold.