We are all somewhat afraid of the commissioner knocking on the door of a non-profit and asking to see how the organisation is keeping donors’ sensitive personal data ethically protected, which is why LIKECHARITY have teamed up with SYTORUS to help you with the overwhelming task of becoming GDPR compliant.
First we have to talk about what the GDPR is. It stands for the General Data Protection Regulation, a document that will enforce data protection policies on organisations all over the EU. The GDPR will be implemented on the 25th of May 2018 by the EU parliament. Here are some of the key changes that will occur:
1. Increased Territorial Scope: Regardless of your location or what kind of organisation you run, if you process any kind of personal data through your organisation, the GDPR applies to you. If you provide goods and services to EU citizens, then you are required by law to implement this regulation in your organisation.
2. Penalties: If there is a breach of the GDPR, your organisation can be fined up to 4% of annual global turnover or €20 Million. For example, one action the commissioners would class as a serious infringement for non-profits is not getting the proper consent from a potential donor to use their personal data in analysis, in tracking trends, or to transfer their personal data to other organisations.
3. Consent: You will no longer be allowed to use long, ambiguous terms and conditions. Your organisation is only allowed to present terms and conditions in a coherent and accessible form, so that your donors have the proper agency to consent. Your terms and conditions should be transparent and written in language that can be easily understood.
4. Breach Notification: When there is a data breach in your charity, it is required that donors and controllers be notified within 72 hours of the breach.
5. Right to Access: This completely changes the manner of transparency between the donor and the charity. The donor can request access to their personal information to discover the charity’s intentions and purpose for holding personal data, while also gaining transparency about where the data is being stored or used.
6. Right to be Forgotten: This is the right of the donor to have their personal information erased from the database of the charity and to halt the public distribution of this information. This right can be exercised when the information is no longer relevant or when the consent of the customer is withdrawn.
7. Data Portability: This is the right of the client to receive the personal data the charity holds about them and to transfer it to another charity of the client’s choosing.
8. Privacy by Design: All systems and protocols call for data protection. Everything the organisation does with any kind of data needs to include data protection from the outset, not as an added service.
Given all of these changes, charities have to be prepared to enforce them in order to avoid fines and remain compliant.
To be a GDPR guru, it’s important that you understand the regulatory language used in the document. Here is some policy jargon that may come up:
Processing: any operation performed on data, whether by computer or on paper, such as collecting or classifying information.
Restriction of processing: limits what a data controller can do with personal data.
Profiling: automated processing of personal data that helps analyse and predict behaviours, interests, work conduct, and economic situations.
Pseudonymisation: a form of processing of personal information after which the data can no longer be linked to the data subject without the use of additional information.
Filing system: a set of personal data that can be accessed only according to specific criteria, on a functional or geographical basis.
Genetic data: personal data related to heredity, genetic characteristics, unique information about their physiological state, and health status.
Biometric Data: data resulting from specific technical processing of the physical, physiological, or behavioural characteristics of a person, e.g. facial images.
Cross-Border Processing: processing of personal data in the context of the activities of a controller’s or processor’s establishment in a Member State, where the controller or processor has establishments in more than one Member State.
Main Establishment: for a controller with establishments in more than one Member State, the central administration is considered the main establishment, unless the controller has decided to make another establishment the main one. For a processor with establishments in more than one Member State, the central administration is considered the main establishment; if there is no central administration, the establishment where the data is being processed is considered the main establishment, and it is also subject to specific obligations under this regulation.
Representative: a person designated by the controller or processor to represent the establishment in its various obligations under the regulation.
Binding Corporate Rules: personal data protection policies that apply when personal data is transferred between a controller and a processor, between a controller or processor and a third party, or between groups engaged in joint economic activity.
Supervisory Authority: an independent public authority.
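To make the Pseudonymisation entry above concrete, here is an added example written for this post (it is not part of the original article and not code from LIKECHARITY Privacy Engine or SYTORUS). The donor records, the field names, the KEY and the function names are all constructed for illustration. It splits donor records into an analysis copy, in which direct identifiers are replaced by a keyed pseudonym, and a separately held lookup table, so that trends such as repeat giving can still be analysed while re-identifying a donor requires the "additional information" (the key or the lookup table) that the charity keeps apart from the analysis data.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict

# Constructed sample donor records (illustrative only, not real data).
DONORS = [
    {"donor_id": "D-1001", "email": "alice@example.org", "county": "Dublin", "gift_eur": 50},
    {"donor_id": "D-1002", "email": "bob@example.org", "county": "Cork", "gift_eur": 20},
    {"donor_id": "D-1001", "email": "alice@example.org", "county": "Dublin", "gift_eur": 75},
]

# Direct identifiers that must not appear in the analysis copy.
DIRECT_IDENTIFIERS = ("donor_id", "email")

# The "additional information" of the GDPR definition: a secret key that is
# stored separately from the analysis data (e.g. in a key vault). Constructed here.
KEY = secrets.token_bytes(32)


def pseudonym(donor_id: str, key: bytes) -> str:
    """Keyed pseudonym for a donor identifier.

    HMAC-SHA256 rather than a plain hash: a plain hash of a short, guessable
    identifier such as 'D-1001' can be reversed by hashing every candidate,
    whereas the HMAC cannot be recomputed without the key.
    """
    return hmac.new(key, donor_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key):
    """Split records into an analysis set and a separately held lookup table.

    Returns (analysis, lookup): 'analysis' has direct identifiers replaced by a
    pseudonym and is what analysts or partners receive; 'lookup' maps each
    pseudonym back to the donor_id and stays with the controller, next to the key.
    """
    analysis, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["donor_id"], key)
        lookup[token] = rec["donor_id"]
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["pseudonym"] = token
        analysis.append(out)
    return analysis, lookup


def gift_totals(analysis):
    """Trend analysis still works on pseudonymised data: repeat gifts from the
    same donor share a pseudonym, so per-donor totals can be computed."""
    totals = defaultdict(int)
    for rec in analysis:
        totals[rec["pseudonym"]] += rec["gift_eur"]
    return dict(totals)


def reidentify(token, lookup):
    """Restore the link to the donor; only possible with the lookup table."""
    return lookup.get(token)


def contains_direct_identifiers(analysis):
    """Release check: True if any direct identifier survived pseudonymisation."""
    return any(k in rec for rec in analysis for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    analysis_set, lookup_table = pseudonymise(DONORS, KEY)
    assert not contains_direct_identifiers(analysis_set)
    for tok, total in gift_totals(analysis_set).items():
        print(f"{tok}: {total} EUR (re-identifies to {reidentify(tok, lookup_table)})")
```

Two points worth keeping in mind when applying this in a charity's own systems: the key and the lookup table must genuinely live outside the analysis environment, or the separation is only cosmetic; and fields left in the analysis copy (here "county" and gift amounts) can still identify someone indirectly, which is why the GDPR treats pseudonymised data as personal data rather than anonymous data.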
LIKECHARITY and Sytorus have come together to offer LIKECHARITY Privacy Engine, a new data protection engine that will prepare you for the GDPR coming into force next year. It provides data protection support, guidance, and training all in one. This allows your charity to thrive while being conscious of how your data is protected. If you would like to learn more about LIKECHARITY Privacy Engine, please click here.