GDPR – ready or not?
It seems to have happened almost overnight: data protection has become the number one topic of discussion for fundraisers and charities. With the new regulation coming into effect in May 2018, you must be prepared or face potential financial penalties.
You may have experienced that sinking feeling recently on realising that, not only are you not prepared for the new rules, but you’ve been breaking the law for years without realising it – emailing people without proper consent, and buying, processing and sharing data when you shouldn’t have. The General Data Protection Regulation (GDPR) is all about giving people back control of their data. From next year, if your charity uses someone’s data, you will need a lawful basis for doing so; for much fundraising communication, that means the person has said you could.
With the deadline looming, now is the time to get started and prepare your data protection plan for the future. This is the first major review of data protection for 20 years; it is intended to protect data subjects with powerful new rights. The new data protection laws will seriously impact the way you communicate with your supporters, how you process data and who you share data with.
The GDPR sets clearer rules for consent-based communication preferences: you won’t be able to communicate with your supporters without a good and lawful reason for doing so. There are also hefty monetary penalties to discourage offenders from taking chances with personal data, with the maximum fine rising from £500,000 to €20 million or 4% of annual worldwide turnover, whichever is higher. You also have the Information Commissioner’s Office (ICO) to deal with, and its strengthened powers: the right to enter your premises, the right to audit you and the right to reprimand you. No one yet knows how readily these powers will be exercised, but they are likely to be tested. The GDPR is principles-based legislation, so it is up to you to interpret the rules for your particular circumstances so that your organisation can continue to grow.
Interpreting the GDPR’s 99 articles lawfully will be a challenge but, ultimately, the core of the regulation highlights the importance of ‘Consent’: a freely given, specific, informed and unambiguous indication, by a statement or a clear affirmative action, that your data subject wishes to have a dialogue with your charity. Silence, inactivity and pre-ticked boxes do not count.
The regulation gives your data subjects robust new rights, including the right to erasure (the ‘right to be forgotten’) and the right to object to direct marketing. Ignoring these rights exposes you to enforcement action and fines. Subjects also have an enhanced right to request a copy of their data (a subject access request), which you will generally have to answer within one month and free of charge, so you will need an effective way to identify a person quickly across your systems and provide their information in a clear format.
Subjects also have a right to compensation if you cause them material or non-material damage. Fundamentally, if their data is stolen, shared or otherwise misused, they will be able to sue you. It is widely anticipated that law firms will bring affected data subjects together in a series of class actions against offenders.
In short, the GDPR is here to stay – and for good reason. It is often said that ninety per cent of all the data ever collected has been gathered in the past five years: a sign of the motive behind the new regulation, but also of the importance of data and the power it brings. By 25 May 2018, you must make sure you are operating within the regulation. If you handle, store, share or process the personal data of UK or EU subjects, you cannot ignore the GDPR, or you could suffer the consequences. Charities still have enough time to make the necessary changes, so our message is: do not panic, but start now on implementing your internal policies and procedures.
Kingston Smith “powered by ClearComm” has taken a very positive view of the GDPR, and our additional experience in fundraising, through our specialist Fundraising and Management department, helps us deliver the most up-to-date and relevant GDPR advice to charities.
We offer simple yet effective GDPR solutions to meet the needs of all types of organisation, including:
GDPR Implementation and Gap Analysis
Fully trained Data Protection Officer – will work with you as part of your team, taking responsibility for the strategy and implementation of your data protection and ensuring your charity complies with GDPR requirements
Compliance Certification – step-by-step training to become fully GDPR compliant
Staff Awareness Training