How to remain GDPR compliant in 2019 (and beyond)

Matt Morrison is a Data Protection Lead at Protecture and has been working in data protection for 12 years, primarily in the higher education sector. Since joining Protecture in 2018, he has been supporting organisations mainly within the charitable and voluntary sector in creating and implementing effective data protection programmes.

Protecture, specialises in providing charities and not-for-profit organisations with independent, specialist advice on GDPR and the Data Protection Act 2018. As a trusted supplier Protecture can assist your organisation with ensuring that you have the necessary data protection policies in place and support you to achieve ongoing compliance.

Is your organisation GDPR ‘compliant’?

There is currently no standard (in the UK) that organisations can compare themselves against to see if they are ‘compliant’. As such, data protection work should always be considered a continuous risk management project rather than something that can be complied with by a set date and then forgotten about.

Technology, organisational priorities and external context will always change in a way that means you need to react to how you are managing your risks. For charities and voluntary organisations, reputational risks in particular are a key consideration as there is a greater expectation that charities should behave responsibly in all areas of their work.

One year on

Data protection legislation is not going away and, with a new ePrivacy Regulation on the horizon, organisations must maintain their data protection frameworks and ensure that there are active and ongoing risk management processes for the use of personal data.

You must understand your organisation’s risks in relation to the personal data you hold and make sensible decisions that align with the seven GDPR data protection principles. Charities also have a number of sector-specific issues to think about and competing priorities to balance – fundraising, volunteers, service provision, special category data, budgetary pressures, public expectations. These can often make it more difficult to prioritise data protection work, especially where you may not have the dedicated resources.

In terms of the practical steps you can take within your organisation, the below should help you create and maintain a robust data protection framework:

Create an accountability structure
You must have a clear accountability and risk ownership structure within your organisation to ensure that data protection is well managed at both the strategic (board) and operational (day to day) levels. This should involve the relevant senior members of staff and/or trustees who are well placed to make strategic decisions and support those with an operational role.

Training and awareness
It is absolutely vital to make sure there is an ongoing programme of data protection training and awareness within your organisation. Staff must be aware of the relevance of data protection legislation in their day to day activities and how to recognise key issues such as personal data breaches and subject access requests.

Transparency is key
Updating your privacy policy alone is not enough. The onus is on organisations to ensure that their supporters, service users and staff know how their personal data is being used. Take a multi-pronged approach to providing privacy information – this may be via privacy notices, face to face explanations, infographics and videos.

Do your thinking up front
Embedding privacy and data protection into thought processes is vital; ensure that use of personal data in new projects or campaigns is aligned with the GDPR principles. This may even require a data protection impact assessment (DPIA) to be conducted.

If relying on consent, ensure it is valid
If you are relying on consent for a specific activity, it must always be “freely given, specific and informed” – just asking people to tick a box is not necessarily valid consent. You should also consider whether consent is the most relevant lawful basis to process data for a specific activity – it may be that another basis for data processing is more applicable in the circumstances.

Data protection isn’t only about security.
Information security is still very important, but it is only one of the seven data protection principles. Do not over-emphasise security to the detriment of the other principles.

‘What should we do?’ not ‘What can we do?’
Given that we are still in the early days of GDPR, there are still areas of ambiguity about what may or may not be permissible in relation to using personal data. During this period, as voluntary sector organisations, it is advisable to think about how you use personal data from an ethical perspective, not simply a legal one. Think about whether your supporters, service users and staff would be happy with how you are using their data.

Looking ahead

The above steps are not technical or IT related measures but organisational and governance measures that can really help you to manage your risks around personal data by embedding data protection thinking and risk management into your processes. Awareness and accountability at all levels are the key starting points for working towards this.

If you are struggling to understand your organisation’s data protection needs or where to prioritise your resources moving forward, our Self-Assessment Tool will help to give an overview of where the gaps are. We can also work with you to address those gaps in a pragmatic manner.