There is less than a month to go before GDPR comes into force on 25th May 2018. Like many people, I have been working on this and thought it would be helpful to share a few thoughts. I take a people-focussed perspective, because ultimately each of us has a responsibility to do the right thing under GDPR.
As recent high-profile cases have shown, when personal data is handled inappropriately the impact on reputation is significant. We want to know what went wrong, why, and who was responsible. It comes back to people, again.
I believe there are two aspects to how you work with people to support them in doing the right thing under GDPR. Firstly, lead by example: as an employer, demonstrate good practice in how you handle their own data. Secondly, training and culture. Let’s take a look at both aspects in more depth.
GDPR – lead by example
Think of all the people who make your charity achieve what it does. This may include employees, volunteers and trustees. What data do you hold on each person? Once you have that information, under GDPR you need to be very clear why you need to hold it, on what lawful basis, and be able to explain what you do with it.
Take employee data as an example. You hold employee bank account details so that you can pay them. You may also hold health information and details of who to contact in an emergency. The purpose, and so the lawful basis, is different here: it is to look after their health and safety and to reach someone if they are taken ill. Health information is also special category data, so it needs a separate condition under Article 9 of the GDPR before you can process it.
Communication is key
To comply with GDPR you need to communicate with your employees, usually through a privacy notice, to inform them of the purpose and use of their personal data. You will also provide a clear explanation of how it will be treated, how long it will be kept and who it may be shared with. Acting in this open and transparent way sets the example for others to follow. This approach is good (and required) for volunteers and trustees too.
What about trustees?
What data do you hold on your trustees? For many charities this could be an area that requires attention. For example, when a new trustee joins the board you will need data that confirms their identity. What happens to this data after you have done this? Whether it is held in physical or electronic form, it is arguably no longer necessary. You can record that you have seen the necessary documents to confirm identity without holding copies of them. So unless you have a valid reason to keep data, and a retention period you can justify, it must be permanently deleted. It is worth remembering here that ’just in case’ is not a valid reason for holding personal data.
GDPR – helping your people to help you
Unless you are a one-person organisation, where you are directly responsible for everything, you rely on others to ensure continued compliance with GDPR. So how do you help others to help you? As I mentioned earlier, I believe this comes from effective training and an appropriate environment or culture.
Through effective training, each person understands what is required in their role. The GDPR is principles-based, so it is very important that each person in your organisation knows and understands what it means for their role. A single slide deck presentation is highly unlikely to be sufficient to create this. When we learn, we each make sense of new information from our own perspective and context. Therefore a vital element of any training is to give people opportunities to do this.
My suggestion for training is to look at the groups within your organisation who have similar roles and create training for each group. If, as part of this training, they are able to discuss what they have heard and ask questions, it will allow each person to make sense of it. This means they are much more likely to adapt to the change.
One-off training is also not likely to be effective on its own. This brings us to the second aspect, an appropriate environment or culture. What GDPR seeks to achieve is to bring data protection and privacy into the way things get done in your charity. What this means will vary depending on what you do and the type of data that you hold. If you are a charity that works with children, for example, you are likely to hold sensitive (special category) data. Your culture will need to reflect the importance of handling this data appropriately. It is likely that you already have an appropriate culture, but it is worth reflecting on what may need to change.
The people in your charity are closest to the data that you hold. To be truly effective in complying with GDPR you are reliant upon them to do the right thing. This is not always easy. The volume of data that can be available and the speed at which things happen can be unhelpful here. What can you do to create the mindset in your charity that ensures data privacy is considered in all relevant decisions? It is this that will do most to ensure your charity remains on the right side of GDPR.
If you are still working through GDPR and what it means for you, don’t worry, there is still time. The ICO website has lots of information and great tools that can help. Finally, if you would like support with your work on GDPR, please do get in touch. I’d be delighted to hear from you.