Does the GDPR affect your charity?

This is a guest post from Clare Deegan of Sytorus

To mark exactly one year to go before the GDPR becomes enforced, the Irish Data Protection Commissioner, Helen Dixon, took to the airwaves on Morning Ireland in May to warn companies who still believe that the GDPR won’t impact their organisation. It has been our experience that charities have felt most impacted by the GDPR, yet many charities still believe the GDPR won’t impact them. Ms Dixon stated that ‘90% of small and medium sized business’ will be impacted by the GDPR and ‘fewer than half of these businesses being aware’; many small companies who believed the GDPR did not impact them sat up and took note. Ms Dixon’s position was clear: ‘doing nothing means you are automatically out of compliance’ and ‘it won’t be possible to get ready in a few months’. If you missed the interview, click here: https://www.rte.ie/radio/utils/radioplayer/rteradioweb.html#!rii=b9%5F21178675%5F48%5F25%2D05%2D2017%5F

A number of charities have been in the firing line in recent years, and since charities exist on donations, it has never been more important to gain trust from your donors. The GDPR will impact marketing campaigns, fundraising and volunteers. If you are confident that your organisation is one of the 10% of organisations who are not impacted by the GDPR, then consider the following before you close the door:

  • Cookies: as Ms Dixon called out this example in her interview, it is worthy of being top of the list of your considerations. If your website collects Cookies, then, you are collecting personal information; therefore, you will be impacted by the GDPR.

  • Volunteers are employees: if you have even one employee on your books, then, you are a Data Controller; therefore, you will be impacted by the GDPR. In terms of training and access to personal data as held by the charity, volunteers must be adequately trained to handle and protect personal data. In many organisations, we have found that volunteers are amongst the highest risk, as they have excessive access to personal and sensitive personal data coupled with not having sufficient training on the handling of personal data. It is widely documented that 80% of breaches occur from the ‘intentional, non-malicious actions of a member of staff’. In charities, these actions are likely to be by volunteers. If you have volunteers processing personal data on your behalf, then you are impacted by the GDPR.

  • Service Users: If you are supplying a service such as counselling or house visits, then, you are processing personal information; therefore, you will be impacted by the GDPR. In many cases, this service involves the processing of sensitive personal information such as religious information or information relating to health or even criminal convictions, which requires even tighter control.

  • Financial information: If you are in receipt of donations from individuals through an on-line facility, then, you are processing personal information. Have you thought about the security measures? How easy would it be for an outsider to hack your system? The GDPR calls for tightened security measures; therefore, you are likely to be impacted by the GDPR.

  • Opt-in versus opt-out: Out of all the new provisions of the GDPR, we have found this provision has caused the most concern amongst charities. Under the current E-Privacy Directive, it is not lawful to automatically opt-in a donor to receive marketing communication electronically. The GDPR reinforces this by stating “silence, pre-ticked boxes or inactivity should not constitute consent”.

  • Profiling: If you are profiling your donors, then, you are collecting personal information and you are obliged to comply with the requirements. Profiling is a conscious process of segmenting or extracting a data sample using automated means. If a decision is being made about an individual (either manually or automatically) then, at minimum, a Fair Processing notice will be required. If a decision is being made using sensitive personal information, then, explicit opt-in is required prior to the process being performed. There are new provisions surrounding consent; therefore, if you are profiling then you are likely to be impacted by the GDPR.

  • Timescales for Subject Access Requests: Under the GDPR, the timescale that an organisation has to respond to a Subject Access Request reduces from 40 days to one month. Emails relating to an individual are within the scope of a Subject Access Request. If a client or an employee has a history spanning years with your charity, then, you need to consider how you will retrieve each piece of information relating to this individual within the new tighter timeframe.

  • Third Party agreements: Most, if not all, organisations will engage third parties at some point. When this engagement involves the third party processing (which includes having the potential to access) personal data as held by the Data Controller, then, a Data Processing Agreement must be in place. However, the GDPR places new requirements upon Data Controllers regarding allocating responsibility between the Controller and the Processor. Whilst the GDPR will prompt many organisations into reassessing their Data Processor Agreements, it will also prompt many Data Controllers to put Data Processor Agreements in place where they did not previously exist. The GDPR will require that certain mandatory clauses are included in all contracts with your third party data processors, as previously reported by Sytorus: http://www.sytorus.com/Blog/Article/75/suggested-clauses-for-the-data-processor-contract Some third parties are less obvious than others; have you considered IT Support, CCTV providers, Hosting companies?

  • Consent to process personal data: If you solely rely on consent as a means to process personal data, then, you may be impacted by the GDPR. Whilst consent remains a valid basis for processing data, it will be more difficult to rely on as a sole means to legitimately process data. Under the GDPR, where the Data Controller is collecting personal data, the Data Controller must be able to state which lawful processing condition (as described in Article 6 for personal data and Article 9 for sensitive personal data) they are relying on for processing personal data.

  • The requirement for a DPO: According to Article 37 of the GDPR, it will be mandatory to appoint a DPO if the processing is carried out by a public authority; or if the core activities of the controller or the processor consist of processing operations that involve regular and systematic monitoring of data subjects on a large scale; or if the core activities of the controller or processor consist of processing on a large scale special categories of data as listed in Article 9 of the GDPR. If your charity is based on providing ‘medical services’, then you are processing special categories of data; therefore, you may be impacted by this requirement in the GDPR. It is worthwhile reviewing the data your charity processes and whether it qualifies as ‘large scale’. If so, then your charity is impacted by the GDPR.

Some pitfalls worth noting:

  • Policies in place but…: The GDPR bases itself on getting companies to produce evidence of compliance. Many organisations obtain a suite of policies, insert the company name and get the staff to sign a training record; however, this is not complete evidence of compliance. Instead, this is the scaffolding that you generate your evidence of compliance from. For these policies to be evidence of compliance, you need to be generating logs or completing forms out of them. You also need to review policies regularly for currency and effectiveness; such review generates further evidence of compliance.

  • Getting company buy-in: Appointing a DPO will be a mandatory requirement for some organisations as described in the GDPR. When the DPO has been appointed, they do not operate in isolation from the company. Just like an organisation may appoint a Safety Rep from each area, so too should a Data Protection Champion be appointed from each area within the organisation. Such individuals take ownership of data protection risks as listed in the company risk profile. This promotes Data Protection as being a company-wide responsibility and not merely just the DPO’s responsibility.

  • Excel spreadsheets: There will be a requirement within the Irish jurisdiction that your logs be in ‘electronic format’ and ‘available for sharing’ with the Commissioner. Excel spreadsheets have limitations and some security risks depending on how they are configured. In particular, there is no audit trail on an entry to an Excel spreadsheet; it would be too easy for an entry to be accidentally deleted, and there is no record of who, what, where, when, why. Your logs should, ideally, have an audit trail for every entry. Even if you restrict the usage to one single individual, entries could still be deleted by mistake. Secondly, since the GDPR is heavily risk-based, it is ideal if the electronic logs evaluate the risk of your activity, yielding a go/no-go decision. Furthermore, as you are logging your activity, the user should be able to select which lawful processing condition they are relying on to process the personal data, etc. Whatever electronic format you use, it should either have a risk-assessing capability or prompt the user to calculate the risk manually.

LIKECHARITY and Sytorus have teamed up to help charities comply with the new requirements of the GDPR. If you are concerned that your charity might be impacted by the GDPR, get in touch at (01) 557 24 25 or http://www.likecharity.com/privacyengine/