data protection

Does the GDPR affect your charity?

This is a guest post from Clare Deegan of Sytorus.

To mark exactly one year to go before the GDPR becomes enforceable, the Irish Data Protection Commissioner, Helen Dixon, took to the airwaves of Morning Ireland in May to warn companies who still believe that the GDPR won’t impact their organisation. It has been our experience that charities have felt most impacted by the GDPR, yet many charities still believe the GDPR won’t impact them. Ms Dixon stated that ‘90% of small and medium sized business’ will be impacted by the GDPR, with ‘fewer than half of these businesses being aware’. Many small companies who believed the GDPR did not impact them sat up and took note. Ms Dixon’s position was clear: ‘doing nothing means you are automatically out of compliance’ and ‘it won’t be possible to get ready in a few months’. If you missed the interview, click here https://www.rte.ie/radio/utils/radioplayer/rteradioweb.html#!rii=b9%5F21178675%5F48%5F25%2D05%2D2017%5F

A number of charities have been in the firing line in recent years, and since charities exist on donations, it has never been more important to gain trust from your donors. The GDPR will impact marketing campaigns, fundraising and volunteers. If you are confident that your organisation is one of the 10% of organisations who are not impacted by the GDPR, then consider the following before you close the door:

  • Cookies: as Ms Dixon called out this example in her interview, it is worthy of being top of the list of your considerations. If your website sets cookies, then you are collecting personal information; therefore, you will be impacted by the GDPR.

  • Volunteers are employees: if you have even one employee on your books, then you are a Data Controller; therefore, you will be impacted by the GDPR. In terms of training and access to personal data held by the charity, volunteers must be adequately trained to handle and protect personal data. In many organisations, we have found that volunteers are amongst the highest risks, as they have excessive access to personal and sensitive personal data coupled with insufficient training on the handling of personal data. It is widely documented that 80% of breaches occur from the ‘intentional, non-malicious actions of a member of staff’. In charities, these actions are likely to be by volunteers. If you have volunteers processing personal data on your behalf, then you are impacted by the GDPR.

  • Service Users: if you are supplying a service such as counselling or house visits, then you are processing personal information; therefore, you will be impacted by the GDPR. In many cases, this service involves the processing of sensitive personal information such as religious information or information relating to health or even criminal convictions, which requires even tighter control.

  • Financial information: if you are in receipt of donations from individuals through an online facility, then you are processing personal information. Have you thought about the security measures in place, and how easy it would be for an outsider to compromise your system? The GDPR calls for tightened security measures; therefore, you are likely to be impacted by the GDPR.

  • Opt-in versus opt-out: Out of all the new provisions of the GDPR, we have found this provision has caused the most concern amongst charities. Under the current E-Privacy Directive, it is not lawful to automatically opt-in a donor to receive marketing communication electronically. The GDPR reinforces this by stating “silence, pre-ticked boxes or inactivity should not constitute consent”.

  • Profiling: if you are profiling your donors, then you are collecting personal information and you are obliged to comply with the requirements. Profiling is a conscious process of segmenting or extracting a data sample using automated means. If a decision is being made about an individual (either manually or automatically), then, at minimum, a Fair Processing notice will be required. If a decision is being made using sensitive personal information, then explicit opt-in is required prior to the process being performed. There are new provisions surrounding consent; therefore, if you are profiling then you are likely to be impacted by the GDPR.

  • Timescales for Subject Access Requests: under the GDPR, the timescale that an organisation has to respond to a Subject Access Request reduces from 40 days to one month. Emails relating to an individual are within the scope of a Subject Access Request. If a client or an employee has a history spanning years with your charity, then you need to consider how you will retrieve each piece of information relating to this individual within the new, tighter timeframe.

  • Third Party agreements: most, if not all, organisations will engage third parties at some point. When this engagement involves the third party processing (which includes having the potential to access) personal data held by the Data Controller, then a Data Processing Agreement must be in place. However, the GDPR places new requirements upon Data Controllers regarding the allocation of responsibility between the Controller and the Processor. Whilst the GDPR will prompt many organisations into reassessing their Data Processor Agreements, it will also prompt many Data Controllers to put Data Processor Agreements in place where they did not previously exist. The GDPR will require that certain mandatory clauses are included in all contracts with your third party data processors, as previously reported by Sytorus: http://www.sytorus.com/Blog/Article/75/suggested-clauses-for-the-data-processor-contract Some third parties are less obvious than others; have you considered IT support, CCTV providers and hosting companies?

  • Consent to process personal data: if you solely rely on consent as a means to process personal data, then you may be impacted by the GDPR. Whilst consent remains a valid basis for processing data, it will be more difficult to rely on as a sole means to legitimately process data. Under the GDPR, where the Data Controller is collecting personal data, the Data Controller must be able to reference which lawful processing condition (as described in Article 6 for personal data and Article 9 for sensitive personal data) they are relying on for processing that personal data.

  • The requirement for a DPO: according to Article 37 of the GDPR, it will be mandatory to appoint a DPO if the processing is carried out by a public authority; or if the core activities of the controller or the processor consist of processing operations that involve regular and systematic monitoring of data subjects on a large scale; or if the core activities of the controller or processor consist of processing on a large scale special categories of data as listed in Article 9 of the GDPR. If your charity is based on providing ‘medical services’, then you are processing special categories of data; therefore, you may be impacted by this requirement in the GDPR. It is worthwhile reviewing the data your charity processes and whether it qualifies as ‘large scale’. If so, then your charity is impacted by the GDPR.

Some pitfalls worth noting:

  • Policies in place but…: the GDPR bases itself on getting companies to produce evidence of compliance. Many organisations obtain a suite of policies, insert the company name and get the staff to sign a training record; however, this is not complete evidence of compliance. Instead, this is the scaffolding from which you generate your evidence of compliance. For these policies to be evidence of compliance, you need to be generating logs or completing forms out of them. You also need to review policies regularly for currency and effectiveness; such reviews generate further evidence of compliance.

  • Getting company buy-in: Appointing a DPO will be a mandatory requirement for some organisations as described in the GDPR. When the DPO has been appointed, they do not operate in isolation from the company. Just like an organisation may appoint a Safety Rep from each area, so too should a Data Protection Champion be appointed from each area within the organisation. Such individuals take ownership of data protection risks as listed in the company risk profile. This promotes Data Protection as being a company-wide responsibility and not merely just the DPO’s responsibility.

  • Excel spreadsheets: there will be a requirement within the Irish jurisdiction that your logs be in ‘electronic format’ and ‘available for sharing’ with the Commissioner. Excel spreadsheets have limitations and some security risks depending on how they are configured. In particular, there is no audit trail on an entry in an Excel spreadsheet; it would be too easy for an entry to be accidentally deleted, and there is no record of who, what, where, when or why. Your logs should, ideally, have an audit trail for every entry. Even if you restrict usage to one single individual, entries could still be deleted by mistake. Secondly, since the GDPR is heavily risk-based, it is ideal if the electronic logs evaluate the risk of your activity, yielding a go/no-go decision. Furthermore, as you are logging your activity, the user should be able to select which lawful processing condition they are relying on to process the personal data. Whatever electronic format you use, it should either have a risk-assessing capability or prompt the user to calculate the risk manually.

LIKECHARITY and Sytorus have teamed up to help charities comply with the new requirements of the GDPR. If you are concerned that your charity might be impacted by the GDPR, get in touch at (01) 557 24 25 or http://www.likecharity.com/privacyengine/

What to Know About Data Protection

We are all somewhat afraid of the Commissioner knocking on the door of non-profits and asking to see how the organisation is keeping donors’ sensitive personal data ethically protected, which is why LIKECHARITY have teamed up with SYTORUS to help you with the overwhelming task of becoming GDPR compliant.

First we have to talk about what the GDPR is. It stands for the General Data Protection Regulation, and it is a regulation that will enforce data protection obligations on organisations all over the EU. The GDPR will be implemented on the 25th of May 2018 by the EU parliament. Here are some of the key changes that will occur:

1. Increased Territorial Scope: regardless of the location or what kind of company you run, if you process any kind of personal data through your organisation, the GDPR applies to you. If you provide goods and services to EU citizens, then you are required by law to implement this regulation in your organisation.

2. Penalties: if there is a breach of the GDPR, your organisation can be fined up to 4% of annual global turnover or €20 Million. For example, an action classed by the commissioners as a serious infringement for non-profits is failing to get the proper consent from a potential donor to use their personal data in analysis, in tracking trends, or to transfer their personal data to other organisations.

3. Consent: you will no longer be allowed to use long, ambiguous terms and conditions; your organisation is now only allowed to give a coherent and accessible form of terms and conditions, so that your donors have the proper agency to consent. Your terms and conditions should be transparent and in language that can be easily understood.

4. Breach Notification: when there is a data breach in your charity, it is required that donors and controllers be notified within 72 hours of the breach.

5. Right to Access: this completely changes the manner of transparency between the donor and the charity. The donor can request access to their personal information to discover the charity’s intentions and purpose for holding personal data, while also gaining transparency about where the data is being stored or used.

6. Right to be Forgotten: the right of the donor to have their personal information erased from the database of the charity and to halt the public distribution of this information. This right can be exercised when the information is no longer relevant or when the consent of the customer is withdrawn.

7. Data Portability: this is the right of the client to receive the personal data the charity holds about them and to transfer it to another charity of the client’s choosing.

8. Privacy by design: all systems and protocols call for data protection. Everything the company does with any kind of data needs to include data protection from the outset, not as an added service.

Given all of these changes, charities have to be prepared to enforce them in order to avoid fines and remain compliant.

To be a GDPR guru, it’s important that you understand the regulatory language used in the document. Here is some of the policy jargon that may come up:

  • Processing: any operation performed on data, whether by computer or on paper, including the classification of information.

  • Restriction of processing: limits what a data controller can do with personal data.

  • Profiling: automated processing of personal data that helps analyse and predict behaviours, interests, work conduct and economic situations.

  • Pseudonymisation: a form of processing of personal information that no longer allows the data to be attributed to the data subject without the use of additional information.

  • Filing system: a structured set of personal data that can be accessed according to specific criteria, on a functional or geographical basis.

  • Genetic data: personal data relating to heredity and genetic characteristics, giving unique information about a person’s physiology or health status.

  • Biometric Data: data resulting from specific technical processing of the physical, physiological or behavioural characteristics of a person, e.g. facial images.

  • Cross-Border Processing: processing of personal data which takes place in the context of the activities of a controller’s or processor’s establishment(s) in more than one Member State, whether within a single enterprise or a group of enterprises.

  • Main Establishment: for a controller with establishments in more than one Member State, the place of central administration is considered the main establishment, unless the controller has decided to make another establishment the main one. For a processor with establishments in more than one Member State, the central administration is considered the main establishment; if there is no central administration, then wherever the data is being processed is considered the main establishment, insofar as the processor is subject to specific obligations under this regulation.

  • Representative: a person that is designated by the controller or processor to represent the establishment with their various obligations under the regulations.

  • Binding Corporate Rules: personal data protection policies that apply when personal data is transferred between a controller and a processor, between a controller or processor and a third party, or between groups engaged in a joint economic activity.

  • Supervisory Authority: an independent public authority.

LIKECHARITY and Sytorus have come together to offer LIKECHARITY Privacy Engine, a new data protection engine that will prepare you for the GDPR, which will be implemented next year. It provides data protection support, guidance and training all in one. This allows your charity to thrive while being conscious of how your data is protected. If you would like to learn more about LIKECHARITY Privacy Engine, please click here.


Upcoming LIKECHARITY Training Workshops

Last week LIKECHARITY ran two very successful days of training for charities, covering fundraising and Data Protection.

On Tuesday the 11th of April, Hannah and Deirdre ran another text-to-donate fundraising workshop. They gave advice and training on how best to use the text-to-donate platform. They covered ComReg compliance, how to pick the best keyword, text-to-donate on social media, case studies and how to build a successful text-to-donate campaign. It was a relaxed but productive morning with plenty of discussion; we’re already looking forward to our next workshop in May!

The following day, LIKECHARITY were joined by John Ghent of Sytorus to speak about charities and the GDPR. Sytorus is a recognised leader in pragmatic Data Protection deployment with their services and products, including assessments, implementation, training and support, and are experts on the GDPR. Sytorus and LIKECHARITY are partnering together to help charities to be compliant with the GDPR. While the GDPR is receiving lots of coverage in the media, there still remains a lot of confusion around what it means for the charity sector in Ireland. It comes into effect next year and will bring the most significant and far-reaching changes to how charities approach the protection of citizens’ data in recent history, with the burden of proof now on charities to show how they manage their data. John led us through a practical, charity-centred presentation on what the GDPR is, how it will affect charities and what they need to do to prepare for it. He explained the rapid change in data in recent times, and how much different data charities hold, from addresses of donors to medical records of service users. He brought us through the new role of Data Protection Officer that most charities will need to bring in, and practical solutions to implement the GDPR. Many of the charities commented afterwards that they had a much clearer idea of what the GDPR means to our sector and what they need to do to get ready for it. As charities found it so helpful, we’re running another two sessions next week.

Here’s a link to our next Data Protection Session, and if you’d like information on upcoming LIKECHARITY training events please contact deirdre.mullen@likecharity.com

The Benefits of DRTV

Would your charity benefit from an innovative product that can spread your message to millions of passive television viewers, and help increase national recognition whilst being cost efficient? Your organisation could not only increase income, but also gain brand recognition, maximise savings, and elevate the interest of new and already established supporters of your charity’s cause.

DRTV stands for Direct Response Television; it allows immediate contact between the audience and your organisation, creating a special relationship that cannot be guaranteed by other means of media. Sure, there are many other ways that your organisation can get your message or name out in the public sphere, but there is nothing quite like DRTV, and here are some reasons why:

1. It’s cost effective: a savvy media manager’s dream is to save money for their organisation, and by using DRTV a company can save 20%-30% of the total cost of media advertising. Compared to the pricing of standard commercials and ads on television, in newspapers, magazines, etc., DRTV is reasonably priced and offers more value for your money. This allows companies to be in the public view and stay within their price range. In LIKECHARITY’s case, we provide an affordable platform for charities to generate regular monthly donations and significantly increase public awareness using DRTV.

2. It’s reliable: DRTV allows direct and instantaneous feedback via text message responses from TV viewers. If a charity’s content is struggling to receive any text donations, then the subject matter can be quickly revised and iterated at no extra cost until results improve, thus creating a reliable and transparent relationship between donors and your organisation. LIKECHARITY provides live tracking and analysis of all text message responses and processes all donations in a safe and secure way via direct debit or credit card.

To learn more about LIKECHARITY’s data protection services please click here.

3. It highlights a simple story that evokes emotional responses: LIKECHARITY creates and produces videos that elicit an emotional response, which is important when discussing individual charities. The immediate reaction to the content compels the viewer, with a sense of urgency, to turn their reaction into action (donating) by igniting the interest of passive TV audience members who truly care about the cause and giving them the tools to support the organisation.

4. It complements other forms of media: DRTV is complementary to other styles of media such as direct mail and door to door, because it enhances the information by giving context in easily digestible adverts. By using DRTV alongside other kinds of media, your organisation can reach out to many different demographics. A typical LIKECHARITY DRTV campaign, over the course of three months, is seen by around six million Irish viewers, allowing a charity’s message to be amplified nationwide.

5. It creates brand recognition: many charities have found that following their DRTV campaign they received a 20% increase in brand recognition. DRTV adverts are usually aired during primetime shows, allowing your cause to be seen nationwide; this means a passive audience can pick up the brand’s name and logo if the advert appeals to them. This is an opportunity for your brand to gain recognition and a following, while also increasing sales.

To learn more about DRTV and about LIKECHARITY, please click on the following video.