The biggest change in data protection law for 20 years is now firmly in place. We now live in the GDPR world in which personal information has gained added value, given the level of fines which organisations face should they fail to adequately protect the information they hold.
However, many myths surrounding the GDPR persist, whether through misinformation, lack of awareness or snake oil solutions being offered by some advisers. In this article, we look to debunk some of the most common misunderstandings we come across when advising charities and social enterprises on their responsibilities when it comes to data protection.
Myth 1: we don’t need to worry about the GDPR, that’s only for Facebook and Google
Much of the hype before the GDPR came into force was concerned with how the tech giants would change the way they handled our personal information. However, data protection is relevant to every organisation and compliance is not an optional extra for charities and social enterprises.
It is important that charities look closely at their current data protection compliance documents and update them in light of the GDPR. This is done through a process of mapping what the organisation is doing with personal data, analysing those activities to establish a lawful basis for each activity under data protection law, then adopting appropriate documents to reflect the mapping and analysis.
There is no set list of documents that organisations need to adopt and much will depend on the nature and size of the organisation. However, almost all organisations will require:
- A privacy notice (or possibly multiple notices, for example one to employees and another to beneficiaries), explaining to those whose data the organisation processes how it does so;
- A data protection policy, outlining internal procedures for handling personal information such as what to do when a data subject exercises their rights or when a security breach is identified;
- A data breach register, which will act as a record to show where a breach has been identified, actions taken, whether it has been reported to the Information Commissioner’s Office (ICO) and/or the data subject and the reasoning for these decisions; and
- A retention and destruction policy, outlining the periods for which personal information will be retained (or the criteria under which the periods will be determined).
While further documents may be required if the organisation is large or undertakes significant processing of personal information, the above is a good starting point to ensure that organisations comply with their data protection obligations.