10 questions not-for-profits should be able to answer about the General Data Protection Regulation (GDPR)
A 10-point checklist to prepare you for the General Data Protection Regulation (GDPR), which will apply from 25 May 2018.
If you use personal data for fundraising or marketing purposes, you may be
aware that big changes are on the horizon. From 25th May 2018, you'll need
to ensure your organisation complies with the General Data Protection
Regulation (GDPR).
1 Does your organisation have a formal action plan in place?
It may sound glib to say start planning now, but significant changes may well
be required and the clock is ticking! When you look closely at the requirements
of GDPR, May 2018 really doesn't seem that far away. To drive action within
your organisation, you're going to need to generate awareness of the
implications and get internal buy-in.
2 Are you compliant with current data protection laws?
If you are already compliant with the Data Protection Act (DPA), you are in a
good starting position to deal with the enhancements that GDPR introduces.
However, despite the high expectations on not-for-profit organisations, some
have fallen foul of the regulations in recent times, and compliance with existing
legislation should also be reviewed.
The RSPCA and the British Heart Foundation (BHF), for example, were
recently fined £25,000 and £18,000 respectively for serious breaches of the
Data Protection Act. These charities were found to have collected and used
personal information for three activities: data sharing, wealth screening, and
enriching data using other sources. The underlying issues were fairness, clarity
of purpose and having a clear lawful basis in order to use data.
thankQ CRM
You will need to ask yourself if these notices fully inform people about how
their personal information will be used: are they concise, easy to understand
and in clear language? Individuals will also need to be informed that they
have a right to complain to the Information Commissioner's Office (ICO) if they
believe their information is being handled incorrectly.
When reviewing your notices, you'll need to provide enough detail to explain
the different purposes you will use their information for, including activities
that are not typical or which are unlikely to be anticipated.
4 Is consent unambiguous?
If you want to gain the consent of an individual to use their personal data for
fundraising or marketing activities, you will have to ensure that this consent is
freely given, specific, informed and unambiguous. Consent cannot be inferred
from silence, pre-ticked boxes or inactivity.
5 Have you reviewed the quality of consent you hold?
Many not-for-profit organisations will have already populated their CRM
systems with personal data for fundraising and marketing activities. If you
want to use this data after May 2018 however, you will need to demonstrate
that consent for existing data was gained in a manner that is GDPR compliant
and is used for the purpose it was given.
7 Are you checking people's ages?
The new legislation will introduce enhanced protection for children's personal
data. To lawfully process the personal data of a child, organisations will need to
seek the consent of a parent or guardian.
Organisations will need to put systems in place that can verify the age of the
individuals supplying their personal data. The ICO has indicated that in the UK
a child will likely be defined as anyone under 13 years old.
8 Do you have data breach procedures in place?
In the event of a data breach, organisations will need to notify the ICO if an
individual is likely to suffer some form of damage, such as identity theft.
They will also need to inform individuals directly if this breach leaves them
open to financial loss.
Large organisations will also need to have clear policies and procedures in
place for managing data breaches. Failure to comply with these requirements
could result in an organisation facing significant fines.
9 Can you demonstrate you are taking data protection seriously?
Under the GDPR organisations will not just be required to comply with the data
protection principles, but will need to maintain evidence to demonstrate how
they are complying.
10 Where does responsibility lie?
The ICO recommends that organisations should assign an individual to
take responsibility for data protection and ensure compliance. In some
organisations, such as public authorities, it will also be a legal requirement
to appoint a data protection officer.
This does not mean other individuals are absolved of responsibility when
it comes to data protection, however. The Charity Commission, for instance,
has stated that trustees have overall responsibility for ensuring compliance.
To learn more about GDPR and how you can become compliant, read
Access Group's essential guide, "Do you know what it takes to become
GDPR compliant?"
About Access
Access is the number one software solutions supplier to the Not-for-Profit sector. Access helps organisations make the most of their funds by
delivering integrated organisation-wide solutions. Our software enables you to manage your CRM, membership and fundraising, finances, projects
and documents, as well as streamline your HR and recruiting processes.
About Protecture
Protecture is a team of data protection specialists who help organisations ensure data protection compliance in all areas. Protecture have over 12 years
of experience turning the law into practice for charities, schools, local government, corporates and care providers. Protecture work with organisations
of all sizes, supporting them with up-to-date policies and other template documents that are tailored to suit their needs, backed by ongoing support,
training and external audit.
www.theaccessgroup.com
© 2017 The Access Group