We’re finally in the year of GDPR. As organisations of all sizes may feel bombarded with advice and scaremongering, spare a thought for charitable organisations that are having to get their head around the Data Protection Act update.
So let’s assume you already have a basic understanding of what the General Data Protection Regulation (GDPR) is. If not, or if you would like to brush up on your knowledge, you can take a look at some of the various GDPR resources ISMS.online has put together.
Although there is currently no charity specific guidance being published by the Information Commissioner‘s Office, you can use the general educational guides that the ICO has produced. The ICO is the organisation responsible for regulating the Data Protection Act and the subsequent updates from the GDPR.
Now we are going to take a look at some of the frequently asked questions that charities have been asking the ICO.
A tailored hands-on session based on your needs and goals
Like many aspects of the GDPR and any regulation for that matter, there are a number of factors which will determine whether or not your charity should appoint a Data Protection Officer.
Just like any organisation, you will be required by law to have a DPO if:
We talked a little bit about special category data in an earlier blog article on Information Commissioner’s Office updates. These are categories which are considered particularly sensitive, and if the security of that data is compromised, there could be a “more significant risks to a person’s fundamental rights and freedoms.”
It is likely that as a charity, you will be processing special category data and this can be handled (at time of writing) in a similar way to Section 3 of the Data Protection Act 1998, Sensitive Personal Data.
For reference, those categories are Race, Ethnic origin, Politics, Religion, Trade union membership, Genetics, Biometrics – where data is used for ID purposes, Health, Sex life and Sexual orientation.
But just because you might not be required under the GDPR to appoint a DPO, you can still choose to do so. Additionally, it is acceptable to employ a single Data Protection Officer to oversee a group of companies, as long as it is realistic that they would be able to manage them all.
The ICO has made this easy by breaking down into four sections, the information you need to consider when writing a privacy notice; What, Where, When and How.
To do this you should figure out what kind of personal data your charity holds. You need to know what is being done with the data or what you plan to do with it. Then you should ensure you are only collecting and storing information that you need. The ICO also suggests that your charity should decide “whether you are creating new personal information and whether there are multiple data controllers”.
The consent to share personal information should include a positive opt-in – this means that the checkbox must not be pre-filled. Explain how you will use the information, how long you will keep it for and allow options to “agree to different types of processing”.
You could also include information on how the data links to other types of data, what you won’t use their information for and explain any genuine consequences of not giving you their information.
The ICO has given examples of this:
Give privacy information:
Consider a layered approach:
The language you use should be clear and straightforward, and be in the same style as your audience.
If you have different audiences, you should provide separate notices for each. It is also important to be able to update the notice when required.
Once written, it is useful to test the privacy notice with members of staff or real users of your services. This ensures they understand the consent they are giving.
The ICO has written a checklist for obtaining consent for data processing with GDPR. The list sets out ways to help you identify any gaps you may have in your current processing. It may be that the consent you have obtained under the current Data Protection Act is sufficient, but it may also uncover circumstances where consent will need to be requested again, in order to comply with GDPR.
In addition to GDPR, if your charity markets to individuals by phone, email or text message, you will need to comply with the Privacy and Electronic Communication Regulation (PECR).
There is a lot to take in, but one of the many positives of GDPR is that once the work is done and maintained, you will be marketing to potential fundraisers and donors that are genuinely interested in the work your charity is doing.
If you are looking for a tool to help you describe, demonstrate and continually manage your GDPR responsibilities, get in touch with the team and book your demo.
100% of our users achieve ISO 27001 certification first time