We hear from MAST ICT CRM consultant, Andy Hepburn, on what GDPR means for your charity or NFP organisation.
It seems like everyone is talking about the General Data Protection Regulation (GDPR) at the moment.
My clients talk to me about it very regularly, and are starting to plan what to do to make sure they comply. I’ve been spending a lot of time recently thinking about what not-for-profit organisations need to do over the next few months to get themselves ready.
So, what will you be able to do to be confident that you’ll be doing everything right by May next year?
Firstly, let’s look at a couple of things that you won’t be able to do:
Secondly, the UK Government will almost certainly want to retain harmonisation with EU data and privacy laws, because such harmonisation will be crucial for any future trade deals with the EU.
Thirdly, it’s starting to look like there will be 2+ years of transitional arrangements that look very much like our current EU rights and obligations. And finally, the UK Government have proposed a new Data Protection Bill that will replace the current Data Protection Act *and* incorporate the GDPR. So, ignoring GDPR is very much not an option.
Or perhaps you meant you’ll just pay your CRM vendor to solve your GDPR woes? Or even better, maybe they’ve told you that their next upgrade will contain all the GDPR compliance stuff that you need? Then it’s simple: just upgrade and you’re compliant, right? Well, no. Technology is certainly a component of compliance (because so much of your data is held on databases, servers or in one or more clouds). But my reading of the Regulation itself and the various guidance articles that have been published has led me to one very firm conclusion – GDPR compliance is first and foremost an issue of Policy, Process and People. These are the “3 Ps” of GDPR success, and you need to get them right. Let’s take a look at each one:
For each of these, you’re going to need to know how you’re going to comply. How will you record consent, and know what someone agreed to and when they agreed? How will you ensure that you erase all the data you hold on someone, and how will you manage the exceptions, such as recent Gift Aid data? How will you make sure that Data Protection is designed into everything you do?
Here’s an example that’s worth looking at: How will you satisfy a request for all the data you hold on a person? Sure, you can probably dump it out of your CRM system. But where else is it held? In other systems? In emails? In spreadsheets on a shared network drive? In CSV files on someone’s “My Documents” that you don’t even know about? On an unencrypted USB stick in someone’s bag? Think about it – once you have personal data anywhere in your organisation, your staff will start doing things with it, and it can start to move around. Can you be sure you know all the places it’s gone, and can track it? If you needed to erase someone’s record, would you know every single place you’d need to look? If you haven’t got really good controls on your data processing, it’s going to be very difficult – probably impossible – to satisfy data subjects’ rights.
Some organisations are doing awareness training using online tools and multiple-choice questionnaires. There’s nothing wrong with this, and all awareness-raising is good, but you need to do more than just an online presentation and test. All those nice policies that you’re writing? Staff need to be told about them, and need to confirm that they’ve read them. All those procedures that you’re updating? Your staff need to be trained on them. And make sure your middle and senior managers really understand their responsibilities, because exceptions will happen; you’ll need to do things from time to time for which a procedure doesn’t exist, and your people will be looking to their managers for guidance on the right thing to do.
It’s worth remembering that you shouldn’t have to start from scratch. We’ve had the Data Protection Act (DPA) for years, and the Privacy and Electronic Communications Regulations (PECR) since 2003. So, how well are you already managing DPA and PECR? So long as you’re managing compliance with the existing laws, you shouldn’t find GDPR too much of a stretch, since in a lot of areas it consolidates existing regulations. And if you know there are gaps in your existing data protection practices, now is the time to give your policies, processes and training a comprehensive overhaul, so that you’re ready for the deadline on 25th May 2018.
Oh, and probably worth upgrading your CRM system, just in case.