As we approach the six-week countdown to the GDPR coming into force, here are 3 top tips for charities and community groups:
1. Don’t panic, but do make a plan
Yes, everyone is talking about GDPR and how the law around data protection will become stricter after 25 May, but please don’t panic. First things first, it’s an evolution not a revolution in data protection law. This means that if you already have good data protection practices in place, then it’s just about enhancing what you already do. So take a step back, review what you are already doing and make a plan for any tweaks you need to make.
2. It’s not just about fundraising – it applies to all processing of personal data
Although fundraising regulations will be tighter after 25 May, the GDPR will have a much wider application. It will apply to all processing of personal data – so this includes how you collect and process data for your service users, volunteers, trustees, staff and supporters.
A good place to start is to think about the different groups of people, and ask yourself the following questions:
- What personal data do we ask them for?
- How do we let them know what we are using it for?
- Do we need them to consent or can we rely on ‘legitimate business reason’ (see below)?
- Do we share the data with anyone else – such as partner organisations? If so, do we obtain the service user’s specific consent?
- If we need consent, do we ensure it is opt-in and specific?
- How do we protect their data and keep it secure?
- How long do we really need to keep it for (including any statutory minimum periods)?
- Can they opt out or amend their data easily?
- If someone says they don’t want to be contacted, do we put this on a ‘suppression list’ and ensure they are not contacted again?
3. Consent is important, but there are other options too
If you need to refresh your consent forms because they didn’t offer an opt-in option, then it is better to do that in a structured way than to panic with a blanket email to everyone saying that if they don’t reply to you by 25 May, they’ll never hear from you again. You could end up shooting yourself in the foot as it’s quite difficult to go back on a statement like that.
Instead, take a look at who you need to gain consent from, when you may already be meeting or seeing them, and how you could use this to ‘check people off’. If you see service users in person between now and the deadline, that is also a good time to refresh your consent. Another option is any forthcoming AGM or large event that you may already be holding, where you could ask people to renew consent as you welcome them to the event.
Also consider whether you actually need consent or whether you can rely on ‘legitimate interests’ as a lawful basis for contacting some people. If you think you can, then you should put together a statement on this.
RVA are hosting a further GDPR workshop on 9 May – You can book online here
If you would like help with revising your Data Protection Policy, please contact email@example.com or telephone 0118 9372273