It seems like everyone is talking about the General Data Protection Regulations (GDPR) at the moment.
My clients talk to me very regularly about it, and are starting to plan what to do to make sure they comply. I’ve been spending a lot of time recently thinking about what not-for-profit organisations need to do over the next few months, to get themselves ready.
So, what will you be able to do, to be confident that you’ll be doing everything right by May next year?
Firstly, let’s look at a couple of things that you won’t be able to do:
- Ignore it. Hey, it’s an EU thing, right? Aren’t we leaving? Can’t we just ignore it, ’cause, y’know, Brexit? Well, no. Firstly, GDPR comes in on 25th May 2018, a full 10 months before the UK leaves the EU.
Secondly, the UK Government will almost certainly want to retain harmonisation with EU data and privacy laws, because such harmonisation will be crucial for any future trade deals with the EU.
Thirdly, it’s starting to look like there will be 2+ years of transitional arrangements that look very much like our current EU rights and obligations. And finally, the UK Government have proposed a new Data Protection Bill that will replace the current Data Protection Act *and* incorporate the GDPR. So, ignoring GDPR is very much not an option.
- Pay someone else to fix it. It’s tempting to think “why don’t we just make someone else the Data Processor? Then, it’s their problem, not ours!” Tempting, but it ignores one big fundamental, which is that you will still be the Data Controller, and retain all the responsibilities that go along with it. Also, some organisations will be obliged to appoint a Data Protection Officer, and that person has specific legal obligations. So throwing money around won’t make this go away.
Or perhaps you meant you’ll just pay your CRM vendor to solve your GDPR woes? Or even better, maybe they’ve told you that their next upgrade will contain all the GDPR compliance stuff that you need? Then it’s simple, just upgrade and you’re compliant, right? Well, no. Technology is certainly a component of compliance (because so much of your data is held on databases, servers or in one or more clouds). But my reading of the regulations themselves and the various guidance articles that have been published, has led me to one very firm conclusion – GDPR compliance is first and foremost an issue of Policy, Process and People. These are the “3 Ps” of GDPR success, and you need to get them right. Let’s take a look at each one:
- Policy. You need to define what you as an organisation should be doing – and not doing – to make sure you comply. You should already have a Data Protection Policy anyway, because that will define what you’re doing in terms of the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR). So you shouldn’t have to start from scratch. And you really do need a policy, because if you haven’t defined what you’re doing, then you’re going to find it pretty hard to describe how you’re doing it (whatever “it” is). Which leads us neatly onto:
- Process. Or procedures, if you prefer. There are a number of things that you will need to be able to demonstrate under the GDPR, and you’ll need to know how. Here’s a few of the headliners:
  - Legitimate Interests
  - Right of Access by the Data Subject
  - Right to Rectification
  - Right to Erasure
  - Right to Restriction
  - Right to Object / Automated Decision Making
  - Data Protection by Design and by Default
  - Security of Processing
  - Notification of a Personal Data Breach
For each of these, you’re going to need to know how you’re going to comply. How will you record consent, and know what someone agreed to and when they agreed? How will you ensure that you erase all the data you hold on someone, and how will you manage the exceptions such as recent Gift Aid data? How will you make sure that Data Protection is designed in to everything you do?
Here’s an example that’s worth looking at: How will you satisfy a request for all the data you hold on a person? Sure, you can probably dump it out of your CRM system. But where else is it held? In other systems? In emails? In spreadsheets on a shared network drive? In CSV files on someone’s “My Documents” that you don’t even know about? On an unencrypted USB stick in someone’s bag? Think about it – once you have personal data anywhere in your organisation, your staff will start doing things with it, and it can start to move around. Can you be sure you know all the places it’s gone, and can track it? If you needed to erase someone’s record, would you know every single place you’d need to look? If you haven’t got really good controls on your data processing, it’s going to be very difficult – probably impossible – to satisfy data subjects’ rights.
- People. You need to make sure that everyone in your organisation who handles personal data does so in a way that is appropriate and conforms to GDPR. How are you going to raise awareness, and stop someone from “going rogue” and doing something they shouldn’t? Of course you need to make sure your systems and networks are secure, but most data breaches happen due to mistakes, incompetence or poor training.
Some organisations are doing awareness training using online tools and multiple-choice questionnaires. There’s nothing wrong with this, and all awareness-raising is good, but you need to do more than just an online presentation and test. All those nice policies that you’re writing? Staff need to be told about them, and need to confirm that they’ve read them. All those procedures that you’re updating? Your staff need to be trained on them. And make sure your middle and senior managers really understand their responsibilities, because exceptions will happen; you’ll need to do things from time to time for which a procedure doesn’t exist, and your people will be looking to their managers for guidance on the right thing to do.
It’s worth remembering that you shouldn’t have to start from scratch. We’ve had the Data Protection Act (DPA) for years, and the Privacy and Electronic Communications Regulations (PECR) since 2003. So, how well are you already managing DPA and PECR? So long as you’re managing compliance with the existing laws, you shouldn’t find GDPR too much of a stretch, since in a lot of areas it consolidates existing regulations. And if you know there are gaps in your existing data protection practices, now is the time to give your policies, processes and training a comprehensive overhaul, so that you’re ready for the deadline on 25th May 2018.
Oh, and probably worth upgrading your CRM system, just in case.
Keep me posted!