GDPR: Personal data and data mapping

Author: annelfry

Worryingly, only 44 per cent of charities have heard about GDPR according to a government survey, but the General Data Protection Regulation (GDPR) isn’t as scary as it sounds and presents an opportunity for all of us to improve and be more confident in the way we use data.

GDPR emphasises handling personal information in a clear, honest and transparent way, and offers six ‘lawful bases’ for processing data:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interest

The new legislation requires all organisations to understand how they obtain data, document the lawful basis under which the data is processed, have clear data retention policies, and allow people access to their own personal data on request.

As VONNE goes through the GDPR preparation process, I’ll be writing a series of blog posts, each looking at a different area of GDPR. I don’t have all the answers but hopefully this will help support anyone else in the sector going through the same process.

For this first one, it’s personal data and data mapping.

Personal data means anything which could – directly or indirectly – identify an individual. So a work email address, a National Insurance number, address, or IP address could be personal data.

Sensitive data is also referred to as ‘special categories’ of data, and under GDPR it includes genetic and biometric data as well as ethnicity, physical or mental health records, sexual orientation etc. The GDPR also makes special reference to handling information about criminal offences.

All VCSE organisations will handle personal and sensitive data in some form (in HR and recruitment functions for example) and some that work directly with clients or service users may be processing sensitive data in their records.

Create a data map

Think about what data you hold and who in your organisation is best placed to conduct the first step towards GDPR compliance: data mapping. At VONNE we’ve split it between communications, which is responsible for our member data, and Angela, our Finance and Office Manager, who deals with recruitment/employee and board data.

After attending some excellent training organised by Newcastle CVS (now Connected Voice) and NCVO with its data protection officer Mark Burnett, we used his template to create a data map in Excel with the following headings:

  • Data collection point
  • What data is collected?
  • Is a privacy or consent form used at point of collection?
  • Where is the data stored?
  • What is the data used for?
  • Who can access the data internally?
  • Who can access the data externally? (‘Third party sharing’)
  • How and when is the data reviewed and updated?
  • How long is the data kept for?
  • What is the current policy on data?

This has helped us enormously to see exactly what information we are collecting and where we need to improve processes to become fully GDPR compliant.

Next month I'll be writing about privacy notices (long and short).

Find more GDPR resources on the VONNE website.

Jule is VONNE's Marketing and Communications Manager, responsible for our GDPR compliance, and can be contacted via vonne@vonne.org.uk.