On the 25th May 2018, The EU General Data Protection Regulation (GDPR) comes into force, and will be implemented in the UK via the government’s new Data Protection Bill. Although the key principles of data privacy still hold true, the laws around holding or processing customer data are about to become more stringent, with larger fines attached and a wider definition of customer data. Most importantly, the new legislation gives individuals more rights when it comes to the use of their personal data.
GDPR applies to customer data, but it also applies to employees, business partners and visitors – anyone from whom personal data is obtained at any stage.
The definition of personal data has also now been widened to include any information relating to an identifiable natural person who can be identified directly or indirectly by an identifier – this could include anything from a name and email address, location data, all the way through to posts on social networking websites.
Organisations, including charities, will now need to ensure that they have the right processes, procedures and policies in place to carry out data processing that is compliant with the new GDPR legislation. This will include reviewing how data and permissions are accurately recorded and stored so that you can ensure you only contact those people who have explicitly stated that they want to hear from you.
Whilst this may seem like a lot of work, this is a great opportunity to reorganise your data and procedures to ensure they are fit for purpose. For example, if you have lots of separate databases or a convoluted system that has become more complex as it has evolved, this is a great opportunity to resolve any outstanding issues. This could include removing duplicate or out-of-date records, or deleting any data that’s no longer required.
It may also be worth contacting your existing data bank to check that they do still want to hear from you - provided you have the permissions to contact them under the current legislation. Not only is this a chance to touch base with your existing client bank, but it will also save on resource if you’re no longer contacting customers that aren’t interested in your communications. It means that you can focus on those customers or clients that are actually engaged in the information you’re providing.
As a first port of call, understand your organisation’s current data protection processes, and who is ultimately responsible for making sure your organisation is compliant. It may be worth including your trustees in this initial discussion, as someone will need to take ownership of making sure all new legislation is adhered to, and that processes are kept up to date going forward. Failure to do so may result in fines from the Information Commissioner’s Office (ICO).
Fines for breaches of GDPR are significantly higher than the existing penalties. For a breach, a firm can be fined up to €20,000,000, or up to 4% of the annual worldwide group turnover of the preceding financial year - whichever is greater. In addition, GDPR requires that organisations must report breaches to the Information Commissioner’s Office within 72 hours of becoming aware of the breach.
Unfortunately, with increased usage of the online space and social media, data breaches are becoming increasingly common - so it’s important to consider how you would react rapidly to enable business continuity, and to protect your business against reputational damage.
Once you’ve established who will be responsible for data protection within your organisation, you’ll need to understand what data you currently store, and where it is held. Review your existing data policy, and if you don’t have one, this is a great opportunity to get one in place to make sure your organisation is fully protected.
Find out about all of the various places where you currently capture and store data. This could be anything from mailing lists, to event attendees. Make a note of who has access to different types of data in your organisation, how it is stored, and what it is currently being used for. If you don’t need it, then delete it.
Next up, understand what security is in place for the data you currently hold. Are there processes in place to protect the data should your systems be compromised? How often are the passwords changed, and where are they stored? Who chooses these passwords, or are they automatically generated?
Once you have an idea of how data is stored within your organisation, the person responsible for the data will need to take steps to be compliant with GDPR by the 25th May 2018, which is the final deadline for adhering to GDPR.
Whilst it may seem like a lot of work to make sure your organisation is compliant with GDPR, it’s also a great opportunity to review your existing processes and streamline your organisation in terms of data collection. Your customers and supporters will be grateful to only receive the information that they are interested in, and this can only be achieved by auditing your existing data banks.
Read our disclaimer.