Data Protection – are you doing it right?
So you know GDPR stands for General Data Protection Regulation (or maybe you don’t), but what does it mean?
As of May 2018, any business (including charitable organisations) in the EU will need to be GDPR compliant. Even now you should be compliant with the UK’s Data Protection Act 2003.
As a small organisation, the thought of understanding the complex world of Data Protection can seem daunting, but you cannot ignore it: its importance, the processes and training you should have in place and, importantly, the protections you need to safeguard the data you collect.
Some Basics…
· Data Protection regulations are about safeguarding INDIVIDUALS’ Personal Data.
· You should ensure you have a policy on how you store all personal data.
· Your staff and volunteers should be trained on the basics of the data you keep and know who to report a breach to.
· Someone in your organisation needs to know how to report any data breaches to the ICO (Information Commissioner’s Office)
· The ICO don’t go after charities, but if you are reported you may be investigated.
· Barnet Council takes Data Protection very seriously; if you are working with them you will need to show you are compliant with the relevant legislation.
· Only keep personal data that is relevant, and be transparent about it. It is suggested you have a Privacy Notice, available to the public, explaining how you keep their data, why you keep it and what you intend to do with it.
· You need to be able to justify why you are keeping personal data.
· Personal Data is not just name and address. It includes (but is not limited to) IP addresses, photos, opinions, sexual life, religious beliefs, membership of trade unions and financial information.
· Personal Data should be kept up to date, and you must have a method to update it. It is not your responsibility to keep it updated; that is the individual’s. But if you are informed of updates, you must be able to process them.
· Personal Data shall not be transferred outside the European Economic Area, so be very careful when using US and other online platforms, although all the large ones, such as Mailchimp, have policies in place that are compliant.
· People must OPT IN to receiving information from you. You need to be able to show this if investigated.
· If you share personal data with external organisations, do you have the necessary legal agreements in place, and have you informed the individuals that you do this?
· Think, when sending emails, whether any personal information is included (especially further down long email threads).
· Try not to print documents containing personal information; if you do, have a secure method to destroy them.
Subject Access Requests
An individual has the right to request from your organisation all personal data you hold on them.
You must respond within 40 days.
You must provide everything you hold – including ALL emails.
If you know of a Breach.
These two links will be very helpful…
Review the ICO guidance on the steps you should take, and use the ICO guidance to determine whether you should report it.
Information Asset Register
As part of your internal Data Protection policy you should have an Information Asset register.
Listing:
· What data does your organisation collect?
· Why does your organisation need it?
· How does your organisation use it?
· Who in your organisation has access to it?
The new YBF website will have a resource area shortly with some of the useful links and information.
If you have no one in your organisation with good Data Protection knowledge, we highly recommend that you attend one of the courses that are being put on across the borough or London at the moment. Keep an eye on the Small Charities Coalition website, which lists lots of great low-cost and free training courses. Also keep an eye on our social media feeds, as we regularly highlight lots of great training.
I would like to thank Groundworks and Barnet Homes who recently ran a free training session on Data Protection.
Pete, Operations Manager.