supporting, developing and representing community groups,
voluntary organisations, social enterprises and volunteering
Does data protection impact on our organisation?
[Spoiler alert - yes, it does have an impact - regardless of what you do, how you do it or how small your organisation is!]
You will by now, I'm sure, have received an inordinate amount of e-mails (and in many cases letters and postcards) from companies asking if they can keep in touch with you! Hopefully, they are all explaining that this is them seeking your consent again due to the new data protection laws which come into effect later this month (25 May) - the General Data Protection Regulation.
We've written about GDPR quite a few times in recent months and a good number of organisations are taking active steps to ensure they are compliant. Many have attended our training sessions and some have purchased our GDPR Toolkit.
You do not need to attend our training or use our Toolkit - many organisations will be achieving compliance without our support. However, in discussions with some organisations there's a real risk that some organisations are not doing anything about this. Every third sector organisation must take steps to ensure compliance with the law. The law changes on 25 May and not having certain things documented (as an absolute minimum) could put you on the wrong end of a hefty fine.
As third sector organisations, our staff, volunteers and customers/clients/members/service users (people!) have every right to expect us to treat personal information securely, safely and only for certain purposes. This is now enshrined in law. The law sets out specific requirements and a failure to comply is a breach of the law, potentially impacting on the very existence of an organisation. A breach through negligence will impact on confidence, reputation and could even impact on funding as well as a likely fine. The Charity Regulator will take a dim view as will funders and partners.
We also heard somebody tell us recently that this only applied to computer systems which is categorically not the case - personal data and data protection can apply equally to paper records, handwritten notes and disclosure can be verbal, for example. It can be a complex area, but the basics are fairly clear and easy to follow. The law requires that you have assessed the risk, documented your data processing, put clear, robust policies and procedures in place and have data processing agreements in place with any organisation that you get data from, or share data with. The law also specifies the use of Privacy Notices to "be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used". All employees and volunteers must receive a Privacy Notice before 25 May so that you can continue to process (use, keep, access, delete) their data. People also have new rights and can make a request to see all of the data that you hold about them in all of your computer and paper-based systems/files etc. You will not be able to charge for this after 25 May and will have less time to comply than under the current legislation. There are also new rights which you should be aware of.
Our advice to every single third sector organisation is to do something to record where you are with data protection - including things like mapping personal data usage within your organisation, identifying any risks and required actions and implementing appropriate policies, procedures, notices, training and, please, record everything!