Having got through the 25th of May ourselves, I was very keen to attend this panel discussion at this year's ICSA Conference.
How does a charity implement GDPR compliance and what is the view of the board?
Both panellists, as Company Secretaries, saw their role as getting the board ‘switched on’ to GDPR, and they were in the best place to do so. Both have also taken on DPO responsibilities, as the traits needed to work successfully in these two roles are similar.
But GDPR is over, you say! We’ve all got over that hurdle on the 25th of May. However, that date was not the end: it is when the era of GDPR began, and with it the era of legitimate interest (LI).
According to the ICO (Information Commissioner’s Office): “Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.”
There is a simple three-part procedure that the ICO recommends for identifying your LI basis:
- identify a legitimate interest (someone has donated to your cause before, someone downloaded your whitepaper, etc.);
- show that the processing is necessary to achieve it (can you get them to donate again without processing this information? If so, LI does not apply and will not be there to help you if you are in violation); and
- balance it against the individual’s interests, rights and freedoms (how much do you need to know to achieve your desired result?).
To quote Claire and Phillippa: “Can you explain to an authority why you have someone’s data and why you need to process it? If yes, all should be fine.”
For charities it can be quite simple. People have donated in the past. But what if they are inactive? For how long have they been inactive?
Both panellists found that about 20-30% of their newsletter subscribers were inactive or non-responsive, which, framed in pure numbers, looked like a huge loss in database size. And the ‘soft opt-in’ rule does not apply to charities. This became an opportunity to improve the quality of the database as well as the messaging.
GDPR also sparked a change in organisational culture. Everyone had to go through GDPR compliance training, including volunteers, and no exceptions were made. There was some trepidation from the board and senior managers, as organisations like this rely on volunteers. However, nearly everybody completed the training on time, and those who didn’t simply weren’t assigned duties until they had completed it.
So what do they recommend for DPOs and Company Secretaries?
- Be the annoying four-year-old in the room. Have the confidence to ask why and to challenge the board.
- Share information that is protected by encryption rather than by passwords. If you would not send it on a postcard, don’t send it in an email.
- Share or process only the information that is necessary, not what the board or others ‘want’.
- And understand the flexibility of GDPR. Legitimate businesses and non-profits need do nothing more than understand their own processes.