The GDPR isn’t necessarily everyone’s favourite acronym. Certainly for many charities, there were concerns in the run-up to 25 May 2018 about what they had to do to comply, what compliance would mean for the personal data they already held, and what impact this would have on their fundraising. For many, the GDPR became a dirty word.
But, at its heart, data privacy is something that we should all be grateful for and want to uphold. Data privacy law in the UK and Europe (law like the GDPR) is built around the concept of the right to privacy. In recent years this has been more clearly expressed as a fundamental right. It’s a fundamental right because certain elements in society – governments, big business, law enforcement, criminals – may try to take it away and therefore it needs protecting.
Privacy is also about freedom and dignity. Without privacy, it’s arguably impossible to be free. It’s one of the reasons why the introduction in the nineteenth century of the secret ballot for parliamentary elections in the UK was so important. It’s about dignity too because every individual is entitled to the same level of protection when it comes to their personal data. That includes, in particular, those who are vulnerable or disadvantaged – those who often depend on charities to get by. In our heavily datified world, the control of personal data can lead to exploitative practices which rob individuals of the unique dignity that every human being deserves. So, protecting the privacy of individuals will align with most charities’ core values – to respect the rights of individuals whether they are employees, supporters or service users.
So, if that’s the principle – how has the GDPR changed this? The law has put a new emphasis on the requirement of accountability. Charities now have to clearly demonstrate how they comply with data privacy law. Being able to point to a data privacy compliance framework that is in place to ‘show and tell’ becomes critical. But there’s no one size fits all approach. A smaller charity can argue that a more compact framework is appropriate whereas a substantial global charity should have in place a more sophisticated framework. Additionally, a charity handling health information regularly will be held to a higher standard than a charity whose main database only holds supporter names and email addresses.
Accountability means policies and procedures are more important. But much can get lost if we focus only on policies and procedures. For a start, it can give the mistaken impression that data privacy compliance is all about policies and procedures, about ticking boxes and getting the precise wording right in privacy notices. Much of which misses the point. So we need to move away from thinking that compliance is ‘done’ because we have a policy that’s been signed off. If the policy itself isn’t communicated to those handling personal data then it will remain a policy only on paper. Awareness, education and training are vital to make compliance a reality. Furthermore, compliance with policies should be monitored and the standards set out in those policies reviewed to ensure ongoing relevance.
More broadly, the GDPR is intended to prompt a shift in culture. So, yes it may be tiresome to have to complete a Data Protection Impact Assessment. But this process is designed to force you to think through why you’re using the data and whether it is really necessary in view of the impact on individuals. This change in culture won’t happen overnight. Compliance is an ongoing process and, in reality, full compliance with GDPR is almost impossible!
The Information Commissioner, Elizabeth Denham, has spoken of a culture of privacy that should pervade an entire organisation. It’s a high watermark but it reveals that regulators will expect all organisations to focus their efforts on influencing their organisation’s culture. The way to do this is through an accountability framework. Indeed, the ICO’s Regulatory Action Policy indicates that when investigating breaches of the GDPR, a failure to implement accountability is more likely to lead to a penalty being imposed.
So if the ICO expects a culture of privacy and accountability, how can charities demonstrate it? Well, there are a few initial questions that are worth considering: Are you confident that your workforce understands their obligations when handling personal data? How do you check this? Would a refresher training session or online surveys seeking feedback help to give you a better picture? Have you recently looked at the policies you put in place to meet the 25 May 2018 deadline to check they are fit for purpose? Where you’ve had incidents involving personal data in these last 18 months, have you implemented and documented a lessons learnt follow up? If you’ve reported a serious incident to the Charity Commission or been investigated by the Fundraising Regulator, are there any associated privacy elements that you need to remedy? Remember that the ICO has entered into Memoranda of Understanding about the sharing of information with both the Charity Commission and the Fundraising Regulator.
Accountability is essential to your charity’s approach to the GDPR. The ICO will be working on an Accountability Toolkit in the next few months and are currently consulting on the approach so if you’re interested in finding out more, have a look at the ICO’s website: www.ico.org.uk.
« Back to all blog posts