GDPR: Don’t press the delete button just yet

Tracey Gyateng is the data science manager at DataKind UK. She leads on working with charities to use data to support decision making through the use of data science. She also manages strategic projects – with a current focus on data governance and ethics.

With the General Data Protection Regulation (GDPR) set to go into effect this month, I’ve noticed a worrying refrain emerging from some charities. As part of GDPR compliance, the requirement to minimise data collection is leading some to conclude that demographics which do not affect direct service provision should no longer be collected. This is not a good idea. Let me explain why.

Your data is critical for improving outcomes

It is understandable why some charities are considering deleting personal data that is not used for service delivery. Why is it necessary to know the age or ethnicity of a person participating in a creative art programme or receiving a free meal? The service will be provided whether the person is 18 or 82 and regardless of their ethnic background. Perhaps you need to check that a given service user is an adult, but nothing further, and as GDPR expressly sets out that data must be ‘limited to what is necessary’, it appears logical to stop collecting those fields.

However, this assumes that the only purpose for collecting personal data from service users is for service delivery. This data is critical for organisations to ask bigger questions and understand its impact. How will a charity know whether they are providing services across the whole of their target population if they do not know age or ethnic background? How will a charity analyse whether certain users tend to do better than others in their services if they don’t collect key demographic information? Removing data that is not used for direct service delivery ignores the importance of collecting personal data for organisational performance, analysis and accountability reasons. It limits the charity’s ability to undertake research and evaluation in order to learn and improve service delivery, say trying to understand what is working or not for the types of people the charity works with?

At DataKind UK, we have seen the power of demographic information in our work supporting voluntary sector organisations to understand their beneficiaries and the impact of their service. For example Llamu, Wales’ leading homeless charity, was able to see that their female beneficiaries had better outcomes than males, and are using this finding to increase the support offered to men. If particular user groups are not experiencing the expected benefits from a charity’s programme, then the demographic data collected can be vital in identifying problems and measuring progress towards solutions.

Consider the implications before you hit delete

GDPR is not easy. There isn’t a one-size-fits-all guide to implementation and, until real cases start to come out after it goes into effect on 25 May, there will still be uncertainty about how it is being applied within organisations. Voluntary sector organisations are having to balance the importance of respecting privacy and minimising data collection with a wider need to understand the reach, fairness and effectiveness of their services, which requires rich multidimensional data.

It may be tempting to err on the side of caution and press the delete button on demographic data, but it’s important to take a moment to pause and reflect before this happens. When making decisions about when and where not to collect personal data, organisations shouldn’t only consider service delivery, but the wider organisational uses for that information, such as the organisation’s theory of change and mission, and how to measure effectiveness.

For those implementing GDPR in their organisations, speak with a variety of staff about how and why they use data. Achieving compliance is a demanding task, but it is also a good opportunity to consider how the data you collect can improve outcomes for your beneficiaries. This should ultimately be the driving force for implementing GDPR.

 


For more information and resources to help your organisation with GDPR compliance, visit NCVO’s data protection page.

 

This entry was posted in Practical support and tagged , . Bookmark the permalink.

Comments are closed.