We know: you’ve heard nothing but those four letters since May, GDPR. Well, with the new data protection regulation that came into force on 25 May changing the way charities process their supporter data, we sat down with Shah Zaman Baig, Virgin Money’s Data Protection Officer, to demystify GDPR and share his expertise on keeping things simple.
How do I make sure my charity manages supporter data well?
The benefit of GDPR in processing personal data
Transparency is a key quality for charities big or small and the new regulation helps provide a good template to document and process people’s information well.
Step 1: Mapping your charity data flow with a data audit
It’s really important to identify how supporter data flows through your organisation, and conducting a data audit is a good way to do this. The simplest approach is to create a spreadsheet with five columns:
- List all the processes in your charity that use or contain personal data.
- Add the name of the person or team who owns that process within your charity.
- List the names of who, if anyone, you share this information with. (This should include anybody within the organisation, say the finance team.)
- Describe the mode of transmission, e.g. email, and whether that mode is secure.
- Indicate whether that data is encrypted and how you maintain that information.
You now know the scope of the data you are processing end to end, from collection to secure deletion, and anything that happens in between.
You can find more information on how to document your processing activities here and we’ve added an example of an “information flow” here too.
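As an added example (not part of the interview or any Virgin Money tooling), here is a small Python script that reads an export of the five-column audit spreadsheet and flags the rows a Data Protection Officer would want to look at first: processes with no named owner, data shared over an insecure channel, and data stored unencrypted. The processes, team names and column headings are constructed for illustration.

```python
import csv
import io

# Constructed sample export of the five-column data audit spreadsheet.
# Processes, owners and recipients are hypothetical.
SAMPLE_CSV = """process,owner,shared_with,transmission,secure_transmission,encrypted_at_rest
Donation processing,Finance team,Payment provider,https portal,yes,yes
Newsletter list,Comms team,,email,no,no
Gift Aid claims,Finance team,HMRC,sftp,yes,yes
Volunteer records,,Regional managers,email,no,no
"""


def load_inventory(text):
    """Parse the spreadsheet export into one dict per process row."""
    return list(csv.DictReader(io.StringIO(text)))


def _is_yes(value):
    return value.strip().lower() in {"yes", "y", "true"}


def audit(rows):
    """Return (process, issue) findings for gaps in the data flow inventory."""
    findings = []
    for row in rows:
        process = row["process"]
        # Every process that touches personal data needs an accountable owner.
        if not row["owner"].strip():
            findings.append((process, "no named owner"))
        # Sharing only matters if someone actually receives the data;
        # an insecure channel (e.g. plain email) to a recipient is a finding.
        if row["shared_with"].strip() and not _is_yes(row["secure_transmission"]):
            findings.append((process, f"shared with {row['shared_with']} over "
                                      f"insecure channel ({row['transmission']})"))
        # Personal data at rest should be encrypted wherever it is held.
        if not _is_yes(row["encrypted_at_rest"]):
            findings.append((process, "personal data stored without encryption"))
    return findings


def processes_with_issues(findings):
    """Distinct process names that need follow-up, sorted for reporting."""
    return sorted({process for process, _ in findings})


if __name__ == "__main__":
    for process, issue in audit(load_inventory(SAMPLE_CSV)):
        print(f"{process}: {issue}")
```

Re-run the script whenever a process, owner or transmission method changes so the audit stays current rather than being a one-off exercise.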
Step 2: Telling your supporters how you will manage their data
With your data audit done, being a hundred percent transparent with your supporters becomes an easy process. When you collect supporter data, tell them how their personal data will be collected and used, who you’re going to share it with, how long you’ll store it for and how securely – plus don’t forget to remind them that they can withdraw their consent later if they so wish! GDPR has specific criteria for informing individuals about the processing of their personal data – you can find out more about this in Articles 13 and 14.
If you’re collecting data for marketing purposes, which supporters need to clearly opt into, you should also state the type of marketing they’re likely to receive from you. Ensure you have clear opt-out boxes on all your email newsletters etc., and you’re good to go!
You may also send postal marketing based on your charity’s legitimate interest. The key is to conduct a ‘legitimate interest balancing test’ and to substantiate the marketing activity and its risk exposure so that well informed decisions can be made – if in doubt, consult your organisation’s Data Protection Officer.
Who needs to know about the new data protection laws?
Whether full-time, part-time or volunteering, anybody who deals with your charity supporter data needs to handle it in a compliant manner.
Will GDPR impact contacting supporters?
In a word, no! What GDPR does do is ensure we handle people’s personal information responsibly. When someone creates a fundraising page on Virgin Money Giving for example, we make it clear the type of communication to expect from us and from the charity. As part of the sign up process, fundraisers and their supporters are also given the option to hear from Virgin Money Giving and their charity for marketing purposes.
Can I continue to send newsletters to lists I had before the new rules came in?
Ask yourself “How did we obtain consent from those people?” There is no expiry period on consent, so as long as you made it clear what people were signing up for at the time and had a valid lawful basis for all the information you collected, you’re absolutely fine. Transparency is key, so ensure consent boxes are un-ticked so that people have to actively opt in, and make sure the language used for obtaining consent is crisp and clear.
Have a look at the consent model you used and if it doesn’t tick the boxes we’ve discussed, it’s a good idea to ask for consent again.
Security and technology remain as important as ever
When collecting information, charities are accepting responsibility for keeping all of that information safe. It is about taking a common sense approach to ensure that you have a controlled environment, for example making sure that nobody outside of the charity has access to people’s information.
If there is a shared computer in your office, ensure everyone has a separate account that only they can access. Make sure that you have passwords on all your machines as well as on any documents that contain data, and I know you’ve heard it a million times, but make sure your passwords meet good security requirements – no pets’ names, ‘1234’ or ‘password’. And of course, ensure everyone with access to your data is aware of your compliance requirements. All of that is good information security.
You should always seek the relevant legal guidance to make sure your charity is GDPR compliant. For more advice, the ICO website is a good place to start, with some great information for charities. The Article 29 Working Party is also a very good source, and the IAPP (International Association of Privacy Professionals) is a world-renowned organisation.