G.D.P.R. Four letters that have sent a collective shiver down the spine of the charity sector lately. Standing for the rather less awe-inspiring ‘General Data Protection Regulation’, the GDPR updates and replaces the current UK Data Protection Act.
Many articles seem to forewarn of this as an impending apocalypse—which is due May 2018. The four horsemen paving the wave are seen as the Information Commissioners Office (ICO); the Fundraising Preference Service; the 13 charities fined; and the as yet uncompleted GDPR guidance.
All this gloom-mongering is understandable. Under GDPR, the ICO can issue fines of up to £17m compared to the current £500,000. But the negativity obscures a real opportunity to review and protect the personal data of staff, volunteers, service users and donors. We’re a sector that’s all about protecting people’s rights. Shouldn’t we be welcoming changes to legislation that strengthens the rights of individuals with regards to their data, and that puts more onus on data collectors and users to treat this data carefully?
Much discussion of GDPR has focused on the impact it will have on charity fundraising. Yet we are missing the big picture if that is the focus of GDPR compliance. We should be looking at the impact of GDPR on all of the personal data that we hold—whether that’s on staff and volunteers, or service users and donors.
If your organisation is already up to speed with the Data Protection Act, then you will find GDPR enhances the existing standards. But if data protection has been at the end of your large to-do list then you will have further to travel. And it can be confusing: the ICO has not yet provided all the guidance on how to implement GDPR, while there appears to be a GDPR industry of private firms willing to advise for a fee.
So where to start? Here are my top tips:
- Recognise that GDPR encompasses all of your data processes. GDPR will cover everything on how a charity collects, stores, analyses and deletes personal data on staff, volunteers and service users. It really is important, and should be discussed by senior management and boards.
- Get familiar with the ICO and what it can offer. This includes: a hotline for small organisations to prepare for GDPR; guidance on the 12 steps that organisations should take to prepare for GDPR; and further information and updates are available here.
- Consult previously written guidance on the Data Protection Act, much of which remains current under GDPR, and can be a helpful guide in bringing data protection to life. Ours is here.
- Seek out experts. It’s important to work out what this will all mean for you and your work. So ask around. For example, I am particularly interested in how GDPR will affect data for research and evaluation. So I have made contact and checked out guidance from universities, joined in on webinars (Lasa was particularly helpful) and attended free training seminars. I would also recommend looking at information provided by VCSE councils: NCVO, WCVA, NICVA, SCVO where training, webinars and work on data awareness is taking place. And don’t forget about the legal support that is out there: see Small Charities Coalition’s list of legal resources, many of which are free, such as LawWorks.
- Speak to peers. I liked this idea from DataKind UK on starting a GDPR book club.
Another good opportunity to talk to peers comes at our free upcoming event. GDPR has raised debate on where charities should sit on making use of personal data. Should they be seeking all opportunities to provide the best service as possible, justifying personal data usage as legitimate interest? Should they take a consent-led approach, which gives more control to the data subject? Or is it somewhere in between? Come and discuss this with us on Wednesday 8 November.