GDPR – What you need to know…
This blogpost was originally commissioned by Good CRM from Kate Fitzgerald
Sharing data helps make life easier, more convenient and connected. Almost every transaction and interaction you have with an individual involves the sharing of personal data. Data is also shared any time someone visits a website, searches for or buys something online, uses social media, or sends an email.
As an organisation, it is important that you keep track of your data, collect only what you need, use it in a way that would be reasonably expected, and ensure that it stays safe. Data protection laws make sure that everyone’s data is used properly and legally.
Why should you care about data privacy and protection?
Aside from the fact that you are legally obliged to comply with data protection laws, getting data privacy and protection right can help to build confidence and trust with your stakeholders. The question that should always be at the forefront of your mind is: how would I like my data to be treated? Or the data of anyone you care about for that matter, be they a parent, a child, or a friend. Wouldn’t you want your data to be used properly, stored securely and not shared unnecessarily?
Now back to the data protection laws – there is not just one set you need to comply with. The main ones you need to consider are the UK GDPR, DPA 2018, EU GDPR, and the Privacy and Electronic Communications Regulations (PECR). Data Privacy and Protection should be included in any organisation’s ‘Risk Register’ because by not complying, you run the very real risk of monetary penalties, enforcement notices, or, in the worst-case scenario, legal action. Any of these could cause significant reputational damage.
What are the absolute basics?
- Tell people what you are going to do with their data
- Do exactly that and nothing else
- Stop it when they ask you to
Is it really that simple?
No, you first need to understand what data you have. Some key questions to ask yourself are:
- What data are you processing and why?
- What legal basis are you using to process the data?
- How are you storing the data?
- Are you sharing the data with any third parties?
- How long will you keep the data and why?
- What will you do once the retention period has passed?
You can help demonstrate compliance by having supporting documentation that evidences that you have done due diligence, have relevant contracts / agreements where appropriate, and the necessary data protection policies in place.
The following is not an exhaustive list, but it is a good start:
Data Audit
Does exactly what it says on the tin. It is an audit document, usually a spreadsheet, that clearly lists all the data you are processing. A Data Audit is essential if you are to produce an accurate Privacy Notice. At a minimum, you should document the following for each instance of processing activity: the data owner, record type, category and types of data, the purpose of the processing, the legal basis, how it is stored, whether the data is shared (internally or externally) and the retention period.
Privacy Notice
If you are processing personal data, you will need a privacy notice. It is important to explain what you are doing with people’s data and make sure they know about it in advance because being clear helps build trust, avoids confusion, and lets everyone know what to expect.
Data Processing Agreement (DPA) / Data Sharing Agreement (DSA)
If you need to share data with a third party, you should always have a Data Processing Agreement (DPA) or Data Sharing Agreement (DSA) in place before any data changes hands. If you are ever involved in a reportable data breach, either directly or via a third party, the Information Commissioner’s Office (ICO) is likely to ask to see any contracts in place around the data sharing, so they are vitally important. Instances of data sharing should also be reflected in your Privacy Notice.
Data Protection Impact Assessment (DPIA)
If you plan to undertake a new type of processing that involves either large amounts of data, sensitive data, or a new system, you should undertake a Data Protection Impact Assessment (DPIA) to help you identify and assess any risks associated with the processing.
Legitimate Interests Assessment (LIA)
If you are using the legal basis Legitimate Interests for an activity, you should think about completing a Legitimate Interests Assessment (LIA). This balancing test is a series of questions that will allow you to accurately assess whether you can rely on this legal basis.
Data Breach Policy, Process and Log
It is important to know what you would do in the event of a data breach. Not every data breach is reportable, but you have 72 hours from becoming aware of a breach to report to the ICO, so you must be agile. A Data Breach Policy outlines what steps someone should take should they become aware of a breach, as well as what steps you need to take if one is reported. You will also need an accompanying process that allows you to assess whether the breach is reportable or not. All data breaches, no matter how big or small, should be logged internally so that you can record what happened, when it happened and what action was taken.
Subject Access Request and Right to be Forgotten Request Policy and Process
Under UK GDPR, individuals have the ‘right of access,’ commonly known as making a Subject Access Request (SAR). They can ask organisations whether they are using or storing their personal data. They can also request copies of that data, which could include anything from contact details to file notes.
Individuals also have the ‘right to erasure’ – often referred to as the Right to be Forgotten. You will need a policy and process in place to deal with both instances. Your Data Audit will also help you manage any requests as it clearly lists where all data is stored.
Remember, you cannot shroud yourself in documentation: to maintain compliance, it is important to actually do what you say you are going to do.
What steps can I take to help with compliance?
Create a data culture that will help support you with compliance. This means involving everyone. Compliance cannot be the responsibility of one person – everyone needs to play their part.
Ensure staff understand the importance of data privacy and protection, and where it sits in terms of risk to your organisation. Make it part of the induction process and provide training to give staff data confidence. Keep it a topic of conversation – have it as a standing agenda item at appropriate meetings and make it a key consideration of any new projects.
Regroup and re-familiarise yourself with your obligations and existing policies. If some need revisiting, make sure you set aside the time to review and amend them. And if you are missing any of the suggested documentation, start putting it into place.
Finally, remember, the ICO has a wealth of information and many templates available. You do not need to reinvent the wheel.
Blogpost originally commissioned by Good CRM. GoodCRM is a CRM for the Arts, Heritage & Charities. They help their clients to build capacity in their organisations through automation and process efficiency. See more here: