Mark Chynoweth advises on how charities can ensure GDPR compliance without negative impact on core activities
GDPR Day has come and gone, and for many the email bombardment surrounding 25 May 2018 is almost forgotten. In the run-up, though, did you or your staff spend hours preparing – writing privacy notices, amending policies and procedures, conducting a data audit? And what about since then?
Have you had time to monitor whether your processes are working? Are you a bit worried that you didn't quite get the job finished – or even started?
In the six weeks following the introduction of GDPR, the Information Commissioner's Office (ICO) received double the number of complaints compared with the same period last year. It seems the regulation is leading to a significant rise in the number of individuals making complaints about misuse of their personal data.
At Really Good Data Protection, we provide data protection advice and Data Protection Officers (DPOs) to organisations and businesses that have chosen to outsource their data protection requirements in response to GDPR. Our own evidence supports the findings of the ICO: the number of subject rights requests received by our customers, and the number of personal data breaches they are recording and reporting, bear these figures out.
We have also been struck by the amount of staff time, effort and associated financial and opportunity costs that GDPR is causing as staff are double-hatted or diverted away from their core business to deal with GDPR compliance.
For the not-for-profit sector, where a huge number of small organisations operate with very limited resource, compliance can be particularly challenging, especially as many will be holding and processing information classed as special category data, for instance relating to an individual's health, race, religion or sexual orientation. GDPR treats this data as particularly sensitive: on top of the usual lawful basis for processing, it requires one of the specific conditions set out in Article 9 to apply, as well as additional safeguards such as the appointment of a DPO in some instances.
An additional risk for small charities is that they are less likely to successfully weather the potentially significant financial penalties and reputational damage caused by a breach.
However, the reality is that GDPR and other related legislation such as the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), which implement the EU ePrivacy Directive and are expected to be superseded by the proposed ePrivacy Regulation, are not going to go away, even when the UK leaves the EU. With reputation being such a crucial factor in the not-for-profit sector, the consequences of a significant personal data breach could be very damaging, and pre-emptive action to address shortfalls in compliance is strongly recommended.
When the appointment of a full-time Data Protection Officer, or allocation of the role to an existing staff member, is neither possible nor appropriate, outsourcing can be the ideal solution. A high-quality specialist provider can deliver a DPO with the necessary skill set and degree of independence, who will remain up to date with the latest regulatory requirements and best practice. The charity can buy in as much or as little support as its budget allows, while continuing to focus on core activity.
Whether it's large amounts of personal data relating to donors and supporters, staff data for payroll purposes, or sensitive data relating to service users, your data subjects are likely to be at the heart of what you do, and protecting their information should be a priority. Seeking out expert, flexible support to safeguard this when necessary is a responsible course of action, demonstrating a commitment to upholding the rights and privacy of your supporters whilst also avoiding the unwelcome consequences of non-compliance.
Mark Chynoweth is general manager of Really Good Data Protection (RGDP)