Earlier in the year Community Impact Bucks ran several GDPR training workshops for local not-for-profit groups. This raised some interesting points about what constitutes ‘data’, who is responsible and how to ensure information is kept safe.
For those new to the term, ‘GDPR’ stands for the General Data Protection Regulation and forms the basis of the UK’s data protection legislation (the UK GDPR and the Data Protection Act 2018). In its most basic interpretation, GDPR covers any data you keep about a person that could identify them (such as name, address, phone number or email address) and, with stricter rules, ‘special category’ data such as health, religious beliefs or sexual orientation.
Every organisation keeps this kind of data about its service users, its staff and its volunteers, and all of it needs protecting. However, the subject can be a minefield of jargon, overlapping principles and complex legal-speak, which can mislead organisations into thinking that it isn’t relevant to them, with potentially serious consequences.
To help you understand GDPR and how it applies to your not-for-profit organisation, this blog highlights the seven principles of GDPR that you need to consider and how they are relevant to all organisations, no matter their size.
Understanding the data held by your organisation
Below we have listed the seven principles of data protection and have asked simple questions which every organisation should ask itself:
- Lawfulness, fairness and transparency
Are we keeping data in line with the regulation? Do the people know we are keeping their data and why we are keeping it? Can we provide a person with their data if they ask for it?
- Purpose Limitation
Is the data we are keeping needed to perform our tasks? Are we using it for any purposes other than those we have informed people about? For example, if a service user hasn’t given explicit permission to use their email address for a general mail out, you shouldn’t add them to your mailing list.
- Data minimisation
Do we really need to ask our service users specific questions? Can we reduce the amount of data we collect? Sometimes organisations ask people to fill out generic forms regardless of the reason, which means you are likely to be collecting data you do not really need.
- Accuracy
Is our information up-to-date? Every organisation probably holds data with old addresses, as checking that details are still correct can be a very time-intensive process. You may have noticed that when you call a utility supplier they often ask you to confirm your contact details; this is to keep their records accurate.
- Storage Limitation
Is the data we hold going to be kept in perpetuity, or do we have a policy to delete it at specific intervals? Keeping data only as long as it is needed reduces the risk for both the individuals and the organisation: data you no longer hold cannot be lost or stolen.
- Integrity and Confidentiality
Is our data kept securely, or is it stored on an unlocked computer in a public area? And is the data available to everyone in the organisation, or is access limited to the people who need it to perform their duties? This is about how you store and access the data; for example, HR will need access to more personal data than Finance, so access should be granted by role rather than to all staff.
- Accountability
Who is in charge of GDPR in our organisation, and can we show what we have done to comply? Accountability is critical, as any breaches, misuse or non-compliance can have significant consequences for the organisation and put individuals at risk.
Why GDPR is relevant to your organisation
Organisations – regardless of size – need to be aware of what data they keep about people, why, how and how long they keep this data, and also how they dispose of it.
One example is that you might need to know a person’s name, address and telephone number so that they can volunteer, but you might not need to know their ethnicity or sexual orientation for them to fulfil that role. And you probably don’t need to keep their details for 10 years after they have stopped volunteering; this includes data sitting in email inboxes, which will often go back many years.
You should have a clear understanding of why you need each piece of data, and how long you need it for. An example could be that you might want to keep some information about staff members for a period of years after the end of their employment in the event of a legal action. Alternatively, an organisation providing a one-off service, such as a foodbank, might decide to delete the data as soon as the service is delivered.
How to be GDPR compliant: next steps
The issue of GDPR can seem large and complex but, boiled down to bare principles, it is about our duty of care to protect individuals. We can all look at the data we keep and make sensible decisions about why and how we keep it, and take simple actions such as:
- Have a policy of periodically cleaning email inboxes and contact spreadsheets. You may want to send out a periodic email to individuals that you are engaged with to see if they still wish to be on your mailing list and ask them to check their details for accuracy.
- See if you can minimise your data by being smarter about how you ask for information. For example, a foodbank might ask details about someone’s religious beliefs before handing over a food parcel, which means that they are now keeping sensitive data on that individual. A simpler way is to ask if they have any dietary requirements which can allow them to provide an appropriate service, without collecting unnecessary data.
We can help you become GDPR compliant: have a look at our up-to-date guidance and resources on our GDPR and Data Protection webpage, or join us at our next GDPR workshop on 9th January 2023 (10am-12pm) to get practical advice on what to do next.
By Barry Malki, VCSE and Community Development Officer at Community Impact Bucks / firstname.lastname@example.org, tel 0300 2369350.