The basic concepts of data protection are quite simple.
You might want to download the Induction Training presentation at the end of this post. Or, keep reading for a brief summary of the key points.
Lawful, fair and transparent
If you wouldn’t be willing to go and tell someone that you’re doing something with their information, you shouldn’t be doing it.
And you should be proactive about telling people what you’re doing. It’s a privilege to use people’s information, not a right. At the end of the day, it doesn’t belong to you – it’s still their information.
Collected for a specified purpose and not used for anything else
You can’t collect personal data for one thing, and then decide to do something completely different with it later.
For example, you collect someone’s information in order to tell them about an upcoming charity event. That’s fine. But you can’t then use their information to send them marketing materials about plumbing supplies. They did not sign up for that.
Don’t collect or use more personal data than you actually need. Don’t collect someone’s information just in case you “might” want it later. If you can do something without using personal data, or with the identifying information removed, you should.
Accurate and up-to-date
Things go wrong when you’re working with bad information. Letters get sent to the wrong person, or you might make a poor business decision.
Regularly update your contact lists, and give people a chance to check their information is still accurate.
Not kept for longer than necessary
If you don’t actually need the personal information anymore, get rid of it. Securely, of course.
We need to make sure we protect people’s personal information properly. Think about the different controls you could put in place to ensure files don’t get lost, aren’t accessed by people who shouldn’t see them, and to prevent your computer systems being hacked.
It is the organisation’s responsibility to ensure it complies with the law and, if asked, to be able to evidence that.
There are plenty of things for which you don’t need consent, for example if you have a contract. However, you do need it for things like direct marketing (which includes fundraising and communications activities).
Consent under the GDPR means something very specific: the person understands what you’re going to do with their information, they have actively agreed you can do it (e.g. by ticking a box), and you could demonstrate that later.
An “incident” is any event or activity which is not in line with the law. Under the GDPR, serious breaches of the law need to be reported to the regulator within 72 hours. Some incidents won’t be serious, but you’re still going to want to keep a record of what happened and take steps to ensure it doesn’t happen again.
Relationships with other organisations
There are likely to be times where, quite legitimately, you need to share information with someone else. Maybe it’s an IT contractor who needs access to your systems in order to repair them. Perhaps you’re passing information to another charity, because they provide a service for you.
You just need to make sure you have a written agreement or contract in place, if you’re sharing data with someone regularly. You should also do some due diligence to make sure they’re taking care of the data properly on their end.
There is some data protection-specific jargon. And you’ll find the whole subject easier if you understand the language.
| Term | Meaning |
|---|---|
| Data protection | What we do, and don’t do, with personal data |
| Personal data | Any information which relates to a living person, e.g. bank details, name, car license plate, a photograph of them, a recording of a call. Not information about companies |
| Processing | Anything you do with personal data, e.g. collecting it, using it, storing it, archiving it, deleting it |
| Controller | The organisation that decides what you’re going to do with personal data, and how |
| Processor | An organisation who follows instructions about processing personal data |
| Third party | Someone with access to personal data that is not the data subject, controller, or processor |
| Data subject | The subject of the data, i.e. the person the information is about |
| Supervisory authority | The regulator who looks after data protection, in this case the Information Commissioner’s Office |
| Data sharing | Giving someone personal data, or giving someone access to personal data |
Have a look at the Induction Training, and then take this quick Quiz to test your understanding.