As of 25th May 2018, every organisation that holds personal data must comply with the new GDPR regulations. We know that understanding how these new regulations will affect your organisation’s processes can be difficult, but NCVO have helpfully compiled a ’12 Point Plan’ (based on the ICO guidance) to assist you in putting these new regulations into practice.
1 – Make sure the right people in your organisation know this is coming
Your trustee board and senior staff should be aware that the law is changing. They need to know enough to make good decisions about what you need to do to implement GDPR. They need to be aware that implementation may take considerable time and effort, and they should add data protection to your risk register if you have one.
2 – Identify what data you hold and where that data came from
If you don’t know what personal data you hold and where it came from, you will need to organise an audit of your different systems and departments to find out. This means all personal data, including that of employees and volunteers, service users, members, donors and supporters, and more. You should document your findings, as GDPR means you must keep records of your processing activities. You should also record whether you share data with any third parties, and with whom.
3 – Update your privacy notices
You must always tell people, in a concise and easy to understand way, how you intend to use their data. Privacy notices are the most common way to do this. You may well already have privacy notices on your website, for example, but they will all need to be updated. Under GDPR, privacy notices must give additional information such as how long you will keep data for and what lawful basis you have for processing it. The ICO has guidance on GDPR compliant privacy notices.
4 – Check your processes meet individuals’ new rights
GDPR will give people more rights over their data. For example, GDPR gives someone the right to have their personal data deleted (the ‘right to erasure’). Would you be able to find the relevant data, and who would be responsible for making sure that happened? Get to know the eight rights and have the systems in place to be able to deliver on each of them.
5 – Know how you will deal with ‘subject access requests’
Individuals have the right to know what data you hold on them, why the data is being processed and whether it will be given to any third party. They have the right to be given this information in a permanent form (a hard copy, or, where they made the request electronically, a commonly used electronic format). This is known as a subject access request. Your organisation needs to be able to recognise a subject access request, find all the relevant data and respond within one month of receipt of the request (this can be extended by up to two further months where requests are complex or numerous, but you must still tell the individual within the first month). The ICO gives guidance on handling subject access requests.
To read the full article from NCVO please click here.