Following last May’s GDPR implementation date, most charities across the UK breathed a sigh of relief that all their hard work had paid off, and they had achieved compliance before the deadline struck. Time to sit back and relax? Well, no…
The simple fact is that compliance can very easily erode. Ticking all those boxes didn’t end there. May 2018 was just the start, and all organisations that handle personal data, including charities, need to ensure they maintain their focus on compliance on an ongoing basis.
There have already been some high-profile cases of organisations dropping the ball and landing themselves hefty fines from the Information Commissioner as a result, including the record £183m for British Airways and Marriot’s £99m. But it’s not just about avoiding punitive fines of course: compliance is also crucial to ensuring supporters’ continued permissions for charities to use their data: absolutely essential for continuing engagement and creating mutually rewarding relationships.
But what in practice does it take to maintain compliance?
In essence, it means not only implementing the relevant processes to become GDPR-compliant in the first place but having regular checks and reviews of these processes in place to ensure you continue to meet them. How frequently can be set by the organisation, quarterly or six-monthly check-ups are sensible to catch anything falling through the gaps but a full review at least every 12 months is generally perceived as reasonable.
Areas to check when conducting a review include:
- Is all documentation accurate, up to date, and accessible?
- Are your Data Protection Impact Assessments also up to date, and accurate?
- Are Data Processing Agreements still accurate and in place – and more importantly do people know what they say and mean?
- Have you started using any new data sources or holding data in a different place, and do you know exactly what you have and where it is?
- Are you still regularly checking that consents remain valid & supporters’ data requests are met?
- If you are using Legitimate Interest as your basis for processing personal data, have you reviewed it to ensure it still stands?
- Are you also regularly cleaning & updating your data, and securely deleting it as soon as it’s no longer needed?
- Is the process you originally created still working and fit for purpose? If not, how can it be improved?
- Is part of that process continual review and improvement?
- Is there a mechanism to disseminate and educate throughout the organisation?
Reviewing compliance should be an intrinsic part of working life. Ensuring that everyone in your organisation – and not just top-level staff – is aware of what GDPR compliance means will go a long way in preventing problems, thereby ensuring charities can continue interacting with supporters, building stronger and better relationships that benefit both sides.
To make sure all staff are aware of the rules and their responsibilities, you can do a number of things such as: introducing it to new staff inductions; creating a relevant KPI in everyone’s annual review; making it an agenda item in team and trustee meetings; and ensuring there is diarised annual training on an organisation-wide or individual level.
Training is absolutely vital to maintaining compliance. New staff, for example, should have training on what donors can expect and the process that the organisation uses to meet their requests. There should also be at least annual refreshers for existing staff, while for those who are speaking to clients all the time, implementing a re-cap before each campaign and a wash up at the end really helps to capture learning and to refine the process, keeping it front of mind.
It’s also a good idea to raise data protection’s profile within the organisation through internal recognition of individuals who are not just doing the actions but are embracing the new world of putting data at the heart of the organisation.
Certainly, GDPR compliance is an ongoing process in itself. Only by regular training and reviews of your charity’s data protection processes and procedures will you be able to maintain it long-term. Whilst this isn’t an exhaustive list, implementing these types of procedures, and carrying them out regularly and consistently, will go a long way towards creating and sustaining a charity-wide culture of data compliance that will help to strengthen supporter relationships and raise more vital funds.
Written by Suzanne Lewis, founding director of Arc Data. She specialises in helping not-for-profit organisations source, manage and understand their data. She regularly advises at sector level, having sat on expert panels including the IoF’s focus group for GDPR, the DMA Code and the DMA’s Governance Committee.