In the first of a series looking at GDPR and what it means for charities, Andrew Cross, Data and Insights Lead at Lightful, one of the only GDPR Certified Practitioners in the beyond profit sector, explores the basics of the new regulations.
If you’ve not heard of the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, then where have you been hiding? OK, so maybe you’ve heard of it but not actually done anything about it yet. Don’t worry, it isn’t too late to read up and start on the road to compliance.
GDPR replaces the Data Protection Act (DPA, 1998). It aims to standardise the way Personally Identifiable Information (PII) is handled by Data Controllers (i.e. organisations that collect personal data) and Data Processors (i.e. a third party you share data with) that exist within the EU, as well as organisations outside the EU that process data on EU nationals. If you are processing personal data within the UK, we advise that you register with the ICO as soon as possible.
Ultimately it gives control and ownership of data back to the individual. In terms of compliance, this is what you should adhere to now; however, it does not come into enforcement until 25 May 2018.
Data controllers vs processors
Let’s take Charity A as an example. This charity will generally be considered a Data Controller, collecting the data of supporters in order to engage and communicate with them in a variety of ways. One of these ways may be to send out direct mail via a fulfilment house (which would take on the role of a Data Processor). The vast majority of charities will fit into the Data Controller category and will be ‘processing’ some data even if that means just ‘storing’ the information. And it isn’t just supporter data; it also applies to staff data, service user data, trustee data, etc.
I hate to break it to you but…
GDPR doesn’t just affect the charity sector. It’s sector-wide. It affects every organisation, no matter your size or whether or not you have a ‘data person’, so decide now who is going to lead on GDPR compliance in your organisation. And… if you fall foul of the law, you will face consequences, which could include a fine from the ICO, enforcement notices, audits and even possible prosecution. Read more about the action the ICO could take.
To read the full Charity Digital News Article click here.