What is GDPR?
From 25th May 2018 the General Data Protection Regulation (GDPR) will apply to all charities and businesses in the UK. GDPR differs from the Data Protection Act 1998 and places stricter rules on how personal data is collected, maintained and processed.
GDPR also broadens the definition of ‘personal data’ to cover not only traditional manual records but online identifiers too, such as an IP address, where obtaining consent to store and use the data is much harder. Consent is only one of the lawful bases GDPR allows, but it is the one most charities rely on for marketing communications, and where a charity relies on it, it must be able to demonstrate that consent was given or risk substantial fines.
How does GDPR impact charities?
Under GDPR, charities that rely on consent will need to provide an ‘opt-in’ system and keep it maintained, so that when an individual withdraws consent, processing based on that consent stops and, where no other lawful basis applies, their data is removed without undue delay.
The implementation of additional processes is a daunting task for many charities, who already face pressure to regularly maintain and update IT systems on tight budgets. But success has been seen already. The RNLI have seen far more individuals opting-in to communications than they initially predicted. Third Sector have also reported that Cancer Research UK and British Red Cross will be adopting the opt-in system shortly ahead of the implementation of GDPR.
There’s no question that, as with many other organisations, data is the backbone for charities and critical to fundraising and marketing efforts. With the introduction of GDPR, there is a risk that if maintenance and updates to data systems do not become ‘business as usual’, charities will be non-compliant and could face financial penalties of up to 20 million euros or 4% of global annual turnover, whichever is greater.
5 tips to make sure charities are prepared for GDPR
Out-of-date data is set to be the biggest risk for charities. Under the stricter data protection rules, personal data that is not handled correctly could lead not only to financial penalties but also to damage to a charity’s reputation.
May 2018 is not that far away, so we have provided some practical steps to ensure your charity’s data processes are up to scratch before GDPR comes into force.
1. Where is your data?
Complying with GDPR will be much easier if you can readily track where your data is. Document the personal data you hold across all departments and locations within your organisation; a data map is a good place to start.
2. Who are your users?
No matter where your data is stored, and whether your users access it on desktop, mobile or in the cloud, it must be subject to the same data protection controls. A central database will allow your users to find information easily wherever they are, and makes it simpler to apply one set of controls consistently.
3. Have you got consent?
Under GDPR, consent cannot be inferred, and you must be able to provide evidence that it has been obtained. Do you need to replace the pre-ticked boxes on your website? You must also make it as easy to withdraw consent as it was to give it. Record how and when consent was obtained so you can demonstrate it if asked; the data cannot be used for that purpose before consent has been established.
4. Is your data easy to find?
Individuals have the right to request their personal data at any time, and you must respond within one month. Perform an audit to determine whether your systems are ready to comply with these requests, and whether locating and updating an individual’s data is intuitive and quick.
5. Are you complying with privacy?
To ease the transition to GDPR, check that any new systems you develop or adopt build in privacy by design and by default from the outset. This is particularly important for automation or integrated software projects.
For help getting your charity’s data processes and software ready for GDPR, talk to us today.