‘A Mix of Junk and Important Stuff’: How We Sorted Out Our Charity Data for GDPR


Preparing for the new EU data protection regulation is a huge headache for an organisation like ours. Here’s how we tackled it.

Dealing with the European Union’s tough new data protection law, the General Data Protection Regulation (GDPR), feels like moving house and confronting the piles of boxes in the attic. They’re full of stuff you haven’t touched in years. You know you have to clear them out, but you also know they contain a mixture of junk and important stuff. You’re going to have to read every last scrap of paper and do a mega sort-out.

The European Union’s new stronger, unified data protection laws, the General Data Protection Regulation (GDPR), will come into force on 25 May 2018, after more than six years in the making.

GDPR will replace the current patchwork of national data protection laws, give data regulators greater powers to fine, make it easier for companies to operate across the whole of the EU through a “one-stop shop” with a single lead regulator, and create a new pan-European data regulator called the European Data Protection Board.

The new laws govern the processing and storage of EU citizens’ data, both the data people give to companies and the data companies observe about them, whether or not the company has operations in the EU. They state that data protection should be both by design and by default in any operation.

GDPR will refine and enshrine the “right to be forgotten” laws as the “right to erasure”, and give EU citizens the right to data portability, meaning they can take data from one organisation and give it to another. It will also bolster the requirement for explicit and informed consent before data is processed, and ensure that it can be withdrawn at any time.

To ensure companies comply, GDPR also gives data regulators the power to fine up to €20m or 4% of annual global turnover, which is several orders of magnitude larger than previous possible fines. Data breaches must be reported within 72 hours to a data regulator, and affected individuals must be notified unless the data stolen is unreadable, i.e. strongly encrypted.

On top of the day job, dealing with the General Data Protection Regulation (GDPR) is a massive piece of work. Ahead of the compliance deadline on 25 May, our team at the School for Social Entrepreneurs (SSE) has had to sort through 21 years of personal data about the social entrepreneurs and charity leaders we support across an international network of 11 schools. That includes email addresses, marketing preferences, phone numbers, financial information about other organisations, sensitive data – the works.

Source: Information Commissioner’s Office
