The General Data Protection Regulation (GDPR) became law in May 2018, the first major overhaul of data protection in the UK for 20 years.

The purpose is to give individuals more rights, to have more transparency and to ensure any organisation that collects, handles or shares personal data does so with a clear and lawful purpose.

There are some really terrific things about GDPR, things that will help you to reconnect with your audience as well as potentially helping you to save money in the future.

We really believe that ultimately you will have a more transparent relationship with everybody you wish to communicate with, because they will trust you to store and use their data responsibly.

In short, GDPR improves on the old data protection laws to accommodate the digital age. See how it can help your business by reading below!

Glemnet can help by providing a self-help GDPR portal to help the seamless transition to becoming a GDPR-regulated business.

There are eight steps toward achieving better, more lawful processes when handling the data of your customers, supporters, and members.

Identify the Right People

GDPR would like you to identify a framework of people responsible for data protection. In a small organisation this probably won’t be too difficult. You will mostly need a Data Controller who takes responsibility for data on a daily basis. Make the identity of this person known to your data subjects whenever you communicate with them, and post it on your website too.

Data Processors and Third Party Contractors

If you’re sharing data with anyone you will need a written processor contract between the organisations. GDPR says that if you share data with another organisation so that they might perform a task on your behalf, they too must be GDPR compliant. So for example, if you are printing a batch of letters and need a local printer to help, you will need a clear agreement before you can share your database with them. The agreement will make it clear that they too should handle the data with care, restrict access to it, keep it secure and only use it for the purpose you have agreed. 70% of data breaches occur when a processor is involved. You will be responsible for their mistakes should there be a problem, so think carefully about who you will be working with in the future.

A Clear Reason for Sending Communications

GDPR states that there are six conditions for processing data. Effectively, a condition is a reason or a purpose. We think there are three that charities may be able to use in the future. You only need to apply one at any time to be lawful.

Consent

Consent must be unambiguous, freely given, clear and demonstrable. It must be all of these things or it isn’t GDPR compliant. This is clearly the best condition as it enables you to send any kind of message that your privacy notice has explained, by any channel you have asked to use. How long consent remains valid depends on your interpretation of the rules. The Fundraising Regulator has suggested it might need refreshing every two years.

Legitimate Interest

You need to write down and demonstrate what your interest is and make a case for it. Nearly always it will be the aims and objectives of your organisation. To pursue these you will need to raise money or sell something to someone. Justifying your interest will be a key part of establishing a way to communicate with your audience. You can use your Legitimate Interest in printed communications but not in electronic channels. The rights and freedoms of individuals on your database must always be considered and their right to object and ‘Opt-Out’ of this form of marketing must be very clear and strictly upheld.

Necessary for Contract

If you sell products or services then you may use this condition to service that sale. For example, if you sell tickets to an event you will have created a contract between the buyer and seller. The buyer has the right to appeal against you if you don’t supply the said purchase or if they are dissatisfied. Therefore you may need to communicate with them about the date or the arrangements made for the event, or even about other similar events in the future. It can’t be a marketing message about a completely different subject. These communications can be sent by email if you collected the address at point of sale.

Privacy Notices

GDPR wants you to be very clear about why you are collecting data. It’s all about giving people a clear choice. Gone are the long, never-read notices written in a language only a lawyer could understand. The new way is short, easily understood notices that are relevant, transparent and unambiguous. It will be a challenge, but we’ll all be better off for this approach. So break down your information, avoid ‘catch all’ statements and go with separate statements for each request you make.

A Policy and Procedure Framework

GDPR wants you to start writing a series of policies that demonstrate your understanding of the regulation. You should start by deciding which policies you will need. You’ll definitely need a DP policy statement as well as a data retention policy. You will also need a Processor policy for when you are deleting data or disposing of hardware on which data may have been kept. An internal data breach log is necessary for minor mistakes that have occurred but were not reported. It is also strongly advised that you have a plan in place that will guide you if you ever have to report a breach to the ICO. Some important questions to consider include: ‘How will you decide it should be reported?’, ‘Who will do this?’ and ‘How will you inform data subjects?’.
