GDPR compliance and what it means for you
New Data Protection Regulations and what it means
As a charity, compliance should be top of the list – the money we receive is given in good faith by supporters, funders, government, to use to benefit others.
Alas, with so many conflicting priorities and targets to meet, it can often be forgotten. Data protection in particular is a complicated area that many small organisations either overlook, or are simply misinformed about.
You’ll probably know by now that the current data protection regulations are being replaced and upgraded by the General Data Protection Regulation (GDPR). This new legislation is already in place, but the deadline for being compliant is 25 May 2018. It’s got many people worried and confused about what their organisation should be doing to protect data.
Questions that groups may be asking themselves include:
- What counts as personal data?
- What is ‘sensitive’ personal data?
- Where has the data we hold come from?
- What do we need to do if someone asks to be ‘forgotten’?
- Will it cost us a lot of money?
This is a new piece of legislation, which means it hasn’t been tested in the courts, and interpretations can vary, resulting in conflicting information. Training can be expensive, and whilst guidance is available everywhere, it’s hard to know what is relevant to your organisation, both as a non-profit and in your particular area of work.
There is hope though. The GDPR rules are largely common sense – as long as you remember to consider, at all points, that a person’s data is theirs, not yours! This is the main shift – a much stronger emphasis on a person’s ownership and control over what data organisations hold about them, for what purpose, and for how long. In fact, it’s possible to see the new legislation as an opportunity to re-engage with your supporters and followers, find out what their interest is and update your records.
It’s key to think about any points where you gather data, and who you might hold information about – remember that your own staff or volunteer details count under GDPR as well.
- What are you doing with that data?
- Is it relevant and up to date?
- Do you have permission to hold it under the existing data protection law?
- What third parties might you be using to process data? Think about hosted databases, pension or payroll companies, or referrals between organisations.
With a bit of consideration, it’s possible to use the new regulations as a way of creating better engagement and transparency with service users, stakeholders and beyond, as well as more effective and streamlined systems.
Need to find out more? Then VAL has training coming up shortly. Details below: