GDPR For Charities
The General Data Protection Regulation (GDPR) will take effect from 25th May 2018. There has been a lot of information provided in the media regarding the new regulations, but this guide aims to help those who need to consider what it means for charities.
Due to the advances in technology and how data is now handled, the existing EU data protection legislation has been revised and updated to increase protection for consumers. Organisations will now need to show that they comply with these new rules or risk facing fines, sanctions and damage to their reputation.
All organisations operating within the EEA will need to implement new measures which show that they have considered and integrated new policies to take into account the recent privacy changes in terms of their data processing.
So, what do you need to do?
Raise awareness
- Everyone within an organisation must be aware of the new regulations and all staff will need at least some basic training on simple security measures. Senior managers will need to develop a plan for the implementation of changes and monitor the progress.
- Be aware that all areas of the business will need to be considered regarding the upcoming changes. HR will need to review employment contracts and application processes. Marketing will need to gain consent in writing for communications and for collecting data. Also, any third party processors or cloud providers will need to be reviewed.
- A Data protection officer may need to be appointed for some organisations to manage and assess compliance. This person must have the appropriate resources, independence and seniority.
Review any personal data held
- Organisations need to carry out a “Privacy Impact Assessment”. Part of this will be a review of the personal data held. Organisations need to state what data is held, what is done with the data, how long it is held, where it is held and who has access to it.
- You will also need to review who else holds your data, considering cloud software or outsourced work and ensure that they are also GDPR compliant.
Draft Data protection policies
- To show “accountability” organisations must draft and document data protection policies. These should include policies that deal with data subjects' increased rights, reporting lines and areas of responsibility, and procedures for what to do in the case of a breach.
- Privacy notices must be written to include all changes and must be made available for all customers, employees and suppliers.
Review security measures and plan procedures
- It is best practice to know where there may be a weak area for a breach within your organisation and to plan in case of the worst. A great way to do this is to plot the journey of the data you receive and process, through to where it is eventually stored. Is there anywhere along that journey that may be at risk?
- Once you know where the risks are, you can make changes to eliminate or lessen the risk and decide what you would do if a breach occurred.
- In doing this you protect yourself if anything does go wrong, as you will have proof of your efforts to follow the new regulations, which the ICO will take into consideration.
Stay Informed
- As with any new policies, there are likely to be developments and minor changes as time goes on, so always be sure to keep checking for the latest information from the ICO or seek advice from an adviser or ourselves at ER Grove for further information.