What does GDPR mean for your not-for-profit organisation? Know your data requirements.

5 December 2022

Earlier in the year Community Impact Bucks ran several GDPR training workshops for local not-for-profit groups. This raised some interesting points about what constitutes ‘data’, who is responsible and how to ensure information is kept safe.

For the those new to the term ‘GDPR’, it stands for the General Data Protection Regulations and forms the basis of the UK’s Data Protection Legislation. In its most basic interpretation, GDPR legislation refers to any data you keep about a person that could identify them (such as name, address, phone number) or sensitive information such as gender identity.

Every organisation keeps this data about its service users, its staff, its volunteers – all of which needs protecting. However, the subject can be a minefield of jargon, over-lapping principles and complex legal-speak which can mislead organisations to think that it isn’t relevant to them, with potential serious consequences.

To help you understand GDPR and how it applies to your not-for-profit organisation, this blog highlights seven areas of GPDR that you need to consider and how it is relevant to all organisations, no matter their size.

Understanding the data held by your organisation

Below we have listed the seven principles of data protection and have asked simple questions which every organisation should ask itself:

Lawfulness, fairness and transparency

Are we keeping data in line with the regulation? Do the people know we are keeping their data and why we are keeping it? Can we provide a person with their data if they ask for it?

Purpose Limitation

Is the data we are keeping needed to perform our tasks? Are we using it for any purposes other than those we have informed people about? For example, if a service user hasn’t given explicit permission to use their email address for a general mail out, you shouldn’t add them to your mailing list.

Data minimisations

Do we really need to ask our service users specific questions? Can we reduce the amount of data we collect? Sometimes organisations ask people to fill out generic forms, regardless of the reason, and this means that you are likely to be collecting data you do not really need.

Accuracy

Is our information up-to-date? Every organisation probably has data with old addresses as it can be a very time-intensive process to check details are still correct. You may have noticed that when you call a utility supplier, they often ask you to confirm your contact details; this is to ensure that it is always accurate.

Storage Limitation

Is the data we have going to be maintained in perpetuity? Or do we a policy to purge it at specific intervals? This reduces the risks for both the individuals and the organisation.

Integrity and Confidentiality

Is our data kept securely or is it stored on an unlocked computer in a public area? And is the data available to everyone in the organisation, or is it ring-fenced to the people who need it to perform their duties? This is about how you store and access the data; for example, HR will need access to more personal data than Finance.

Accountability

Who is in charge of our GDPR? Accountability is critical as any breaches, misuse or non-compliance can have significant consequences for the organisation and put individuals at risk.

Why GDPR is relevant to your organisation

Organisations – regardless of size – need to be aware of what data they keep about people, why, how and how long they keep this data, and also how they dispose of it.

One example is that you might need to know a person’s name, address and telephone number so that they can volunteer, but you might not need to know their ethnicity or their sexual preferences for them to fulfil that role. And you probably don’t need to keep it for 10 years after they have stopped volunteering – this includes data sat in email inboxes that will likely go back many years.

You should have a clear understanding of why you need each piece of data, and how long you need it for. An example could be that you might want to keep some information about staff members for a period of years after the end of their employment in the event of a legal action. Alternatively, an organisation providing a one-off service, such as a foodbank, might decide to delete the data as soon as the service is delivered.

How to be GDPR compliant: next steps

The issue of GDPR can seem large and complex but, boiled down to bare principles, it is about our duty of care to protect individuals. We can all look at the data we keep and make sensible decisions about why and how we keep it, and take simple actions such as:

Have a policy of periodically cleaning email inboxes and contact spreadsheets. You may want to send out a periodic email to individuals that you are engaged with to see if they still wish to be on your mailing list and ask them to check their details for accuracy.
See if you can minimise your data by being smarter about how you ask for information. For example, a foodbank might ask details about someone’s religious beliefs before handing over a food parcel, which means that they are now keeping sensitive data on that individual. A simpler way is to ask if they have any dietary requirements which can allow them to provide an appropriate service, without collecting unnecessary data.

We can help you become GDPR compliant: have a look at our up-to-date guidance and resources on our GDPR and Data Protection webpage, or join us at our next GDPR workshop on 9th January 2023 (10am-12pm) to get practical advice on what to do next.

By Barry Malki, VCSE and Community Development Officer at Community Impact Bucks/ info@communityimpactbucks.org.uk, tel 0300 2369350.

Back

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA-17527993-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gat_UA-61319948-14	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjAbsoluteSessionInProgress	30 minutes	No description available.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	2 minutes	No description available.
CONSENT	16 years 5 months 16 days 13 hours 4 minutes	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
uvc	1 year 1 month	The cookie is set by addthis.com to determine the usage of Addthis.com service.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
loc	1 year 1 month	This cookie is set by Addthis. This is a geolocation cookie to understand where the users sharing the information are located.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
at-rand	never	No description available.
m	2 years	No description available.
x-cdn		No description available.
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.