GDPR: It’s not just about fundraising
G.D.P.R. Four letters that have sent a collective shiver down the spine of the charity sector lately. Standing for the rather less awe-inspiring ‘General Data Protection Regulation’, the GDPR updates and replaces the current UK Data Protection Act. The four horsemen paving the way are seen as the Information Commissioner’s Office; the Fundraising Preference Service; the 13 charities fined; and the as yet uncompleted GDPR guidance. Under GDPR, the ICO can issue fines of up to £17m compared to the current £500,000. The negativity obscures a real opportunity to review and protect the personal data of staff, volunteers, service users and donors. Shouldn’t we be welcoming changes to legislation that strengthen the rights of individuals with regard to their data, and that put more onus on data collectors and users to treat this data carefully? Much discussion of GDPR has focused on the impact it will have on charity fundraising. We are missing the big picture if that is the focus of GDPR compliance. We should be looking at the impact of GDPR on all of the personal data that we hold, whether that’s on staff and volunteers, or service users and donors. If your organisation is already up to speed with the Data Protection Act, then you will find GDPR enhances the existing standards. If data protection has been at the end of your large to-do list then you will have further to travel. It can be confusing: the ICO has not yet provided all the guidance on how to implement GDPR, while there appears to be a GDPR industry of private firms willing to advise for a fee. GDPR will cover everything on how a charity collects, stores, analyses and deletes personal data on staff, volunteers and service users. Consult previously written guidance on the Data Protection Act, much of which remains current under GDPR, and can be a helpful guide in bringing data protection to life. On 8 November we held a debate on the use of personal data by charities.
Here is what GDPR consent dialogues could look like. Will people click yes?
THIS NOTE HAS NOW BEEN SUPERSEDED BY A MORE RECENT PAGEFAIR INSIDER NOTE ON GDPR CONSENT DIALOGUES. PLEASE REFER TO THE NEW NOTE. This note presents sketches of GDPR consent dialogues, and invites readers to participate in research on whether people will consent. In less than a year the General Data Protection Regulation will force businesses to ask Internet users for consent before they can use their personal data. Many businesses lack a direct channel to users to do this. It is likely that they will have to ask publishers to seek consent on their behalf. This is a sketch of what a GDPR consent request by a publisher on behalf of a third party may look like, with references to the elements required in the GDPR. Update: it is important to note that this is a limited consent notice. It asks to track behaviour on one site only, and for one brand only, in addition to “Analytics partners”. What percentage of people are likely to click “OK”? Tracking preferences. In addition to the consent requirements in the GDPR, the forthcoming ePrivacy Regulation requires that users be presented with a menu of tracking preferences when they first install a browser or set up a new system that connects to the Internet. The menu above is as it might have appeared under the original proposal from the European Commission, in January 2017. The European Parliament is developing amendments to the Commission’s proposal. Below is a sketch of the menu as it might appear under the latest text from June 2017. Notice that “Accept only first party tracking” is pre-selected. This is because Recital 23 in the current draft stipulates that the default setting should prevent “Cross-domain tracking” by third parties. This menu may change again as the Regulation is further developed. Assuming that some version of this tracking preferences menu becomes law across the European Union, how many people can be expected to opt back into tracking for online advertising?
Get your organisation ready for the General Data Protection Regulation changes with our GDPR Brochure. This brochure will aid you in understanding the changes, whether or not these changes will apply to your organisation and the 13 key areas that they will affect if they do. Paper records represent a significant GDPR compliance risk. To help companies ensure their paper records don’t fall foul of the Regulation, we have a team of experienced business consultants and digital specialists on hand to help you fully understand the impact of the incoming GDPR, and the Data Protection Bill, on your organisation. GDPR and paper records – why it’s not all cyber and fines. GDPR compliance regulations will be in effect before we know it, and though most businesses are aware of the law and what it requires, only 10% of people polled in a recent Restore survey say they have sufficient measures for handling paper records. An individual is behind every piece of personal information recorded on paper. The enhanced individual rights of the GDPR reflect this renewed focus on the individual: the removal of fees for making access requests; the right to require erasure where information no longer serves a purpose; the right to seek compensation should any failure lead to damage. As awareness grows, any increase in the number of individuals using their rights will increase scrutiny on the methods used by organisations to manage paper records containing their personal information. Our recent customer webinar looked at how paper records represent a significant GDPR compliance risk, and provided advice on how you can start managing those risks. In the meantime you can download a copy of the slides. If you would like to hear the full discussion on GDPR with Rowenna Fielding, Data Protection Lead at Protecture, please click the Soundcloud track below: Take the first step towards your GDPR readiness assessment. Contact us to find out more about our services and our free GDPR health check.