
Tackling Data Protection: shortcuts to compliance

Ahead of his upcoming training course (Managing Data Protection – a Masterclass for Charities), Mark Burnett shares three recommendations that may help you comply with data protection law.

You’d be forgiven for thinking that data protection was fairly new. Until 2017 few organisations had given much thought to personal information and how to protect it, even though the Data Protection Act 1998 had applied to them for nearly two decades. Then the General Data Protection Regulation (GDPR), adopted in 2016 and applying from 25 May 2018, concentrated minds: many were panicked into producing policies and spent time and precious resource attempting to be ‘compliant’ with the new law.

Unfortunately, much of what you may have been told was probably misinformation, or at best patchy and incomplete. The issue isn’t so much the policies themselves, although these vary considerably in their effectiveness. It’s more about the implementation of those policies, procedures and processes. Fundamentally, this is about a genuine change in behaviour and not just a change of language.

To prove the point, you need look no further than Article 5(2) of the GDPR. It says that an organisation that processes the personal data of individuals is responsible for, and must be able to demonstrate compliance with, the data protection principles (the accountability principle). It is not enough to be compliant; you must be able to show that you are, through documented policies, records of processing and evidence that they are actually followed. The Information Commissioner, Elizabeth Denham, has recently said that organisations are not doing this, and that it is not an option but a mandatory requirement. Yet most organisations remain unaware of this and their other obligations. Challenges such as this are not tackled overnight, but what is of paramount importance is to have a plan. Here are three cost-effective recommendations that may help you comply with the law and might quickly make all the difference.

1. Your online Privacy Notice

If you process the personal data of service users, supporters and volunteers you should have a privacy notice that has been published and is in the public domain. Typically this will be on your website. This ensures that everyone understands your intentions concerning their data. Article 13 of the GDPR tells you what to include when you collect data directly from the individual (Article 14 covers data you obtain from a third party, which needs its own notice). Make sure you have covered all of the requirements. These include identifying yourself as the data controller and giving your contact details, explaining the purposes and lawful basis for each type of processing, explaining the data subject’s rights and how you uphold them, and saying how long you will keep the data. Check your notice against the full list in Article 13; a notice that omits any of the required items leaves the transparency obligation unmet.

2. Keeping yourself informed – Appointing a Data Protection Officer (DPO)

Appointing a DPO is crucial to some organisations’ compliance. Under Article 37 it is a legal requirement for public authorities, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for organisations whose core activities involve large-scale processing of ‘special category’ data (health, religious belief, sexual orientation and trade union membership, amongst others), so a charity delivering services to beneficiaries should check that last test carefully. Even where it is not mandatory, the appointment should have a very positive effect on compliance. It demonstrates commitment and means there is a constant and ongoing effort to be lawful. It also supports transparency in your processing, because the DPO monitors compliance, advises the organisation and acts as the point of contact for data subjects and the ICO, and must be able to do so independently; if you appoint a DPO voluntarily, the same independence requirements apply. One option for appointing this support is Hope and May. They are one of the most experienced firms in this field and work alongside the DSC, the NCVO and the IoF. www.hope-may.com

3. Increase staff awareness

Your data protection compliance relies mostly on your staff’s awareness. There are many ways to increase it. Remind people regularly about their commitment to your policy and to data security. Send out a monthly or quarterly bulletin, choosing one aspect of the law at a time: personal electronic devices and how to work safely when travelling; data subject rights and what they mean; consent, what it is and when to use it. Make someone the GDPR Champion, the point of reference for day-to-day data protection queries. All of these create a steady trickle of reminders that urge staff to be vigilant and to take care when processing the data of your audience. Staff training remains the most effective way to build awareness, and training that is current, up to date and geared to the third sector is best. The DSC can assist by running regular, cost-effective training on a range of such subjects.

Upcoming training course:

Managing Data Protection – a Masterclass for Charities (14 November)

Every organisation that processes personal data must comply with the law. This course is relevant to all types of processing, including when the charity is fundraising, dealing with volunteers and delivering services to beneficiaries.