It is clear form the conversations I am having with my own network (mostly within the voluntary sector) that the GDPR is causing a lot of the stress. Each individual I talk to seems to have a slightly different idea of what the requirements are and what they have to do to meet them.
With that in mind, here is my particular interpretation. I am not a lawyer and I’m not putting myself forward as the GDPR expert, however, I think a short summary of the main points is required – so I am trying to do that in this article.
The good thing is that if I’m getting it wrong it gives an opportunity for the real experts to put me right – hopefully as a comment that others can then read. So here is my interpretation of GDPR in six bullet points.
1. You can only data for the purposes agreed to
The GDPR legislation requires that consent must be specific. This means you can’t add people to your general mailing list if they signed up for something else; i.e. if they signed up to get a free download or to register for a webinar your can’t start sending them your newsletter.
‘Consent’ is the key word here. If you can’t demonstrate that consent was given you must you must stop emailing them (from May 25, 2018). You must also keep a trail showing how they joined and how consent was given.
If you cannot prove ‘consent was given’ not only must you stop emailing them you must remove them from your mailing lists. Consent must have been actively given, i.e. they clicked a checkbox or choose something from a pulldown list or clicked a link during a double opt-in process. You are not allowed to have pre-clicked checkboxes saying that they are agreeing to be on your mailing list.
1.1 If the people on your mailing list gave consent in the past do you need to seek it again?
You do, only if the consent provided was not in accordance with the GDPR guidelines and if the reason for having the data falls within the GDPR consent requirements.
In such an instance, on my analysis – you do not need to seek consent once again. However, I am happy from GDPR experts who can tell me that I am wrong – so please get in touch to confirm or deny my interpretation.
2. You must explain how data will be used
You are not allowed to collect data without explaining how you are going to use it. Clearly this is related to point 1; i.e. if they register for your newsletter you tell them you will be sending them your newsletter; if they register for your webinar you deliver your webinar.
Unless you have specifically said you are collecting their data to share it to a third party or to market specific services or products – that is not something you can do. Each of these activities requires separate active consent.
3. You can only collect the data you need
You are only allowed to collect the minimum amount of data for your purpose. If your purpose does not require a physical address you can’t collect that data; if your purpose does not require an individuals age you can’t collect their age.
4. You can’t keep data indefinitely
You should not keep data about people forever if here is no reason to keep it. If you have no reason to keep data you must delete it.
5. You must protect the data you collect
You have to take reasonable steps to protect the data you collect. This means that when you are collecting or storing information on your website you should provide a secure connection and data should be stored behind a secure wall (e.g. password collected).
- Your contact information.
- Details fo the information you collect and why you collect it.
- What you intend to do with the data including who else will access it.
- Their rights under the GDPR.
I am not a lawyer or a legal expert on the GDPR; so please do not take the information provided above as the gospel truth. However, I recognise that this is a topic causing a lot of stress for the people in organisations I work with – so I have attempted to summarise and clarify my understanding in the clearest way I can. Hopefully I have got it correct and that there are people who will find this summary useful.
Contact me if you have any corrections about what I have written above and I will update this page.
Digital Access consultant
The GDPR is the EU data protection regulation which replaces the current Data Protection Act. It aims to simplify regulation and give individuals more control over their personal data.
For Third Sector organisations already working within the constraints of the Data Protection Act it is unlikely to mean enormous changes to their approach. However, it does come with some additional duties and and some additional anxiety, due to the enormous penalties for non-compliance. The penalties for non-compliance will make third sector organisations think twice about their use of personal data (i.e. fines can be up to 4% of worldwide turnover).
The regulations become enforceable from 25 May 2018. From that point on organisations who process personal data must comply with the new regulations.
For example, regulations will apply to data stored and processed for campaigning, for fundraising and for volunteer management. It should also be noted that volunteers are to be treated in the same way as employees, i.e. they must have appropriate training in the area of data protection.
Third sector organisations must arrange an audit of personal data held and know:
* Where it comes from?
* Who it is shared with?
When asking for consent to store someone’s personal details:
* You must explain why you are collecting the data.
* Explain why you are retaining it .
* And provide clear information on how it will be used.
Explicit consent is now required to sell or share data with third party organisations. For example, when building an online mailing list a pre-ticked box on a form is no longer allowed. Consent must be unambiguously indicated through an action of the subscriber, i.e. they must tick the box themselves.
Everyone who is on an existing list must be aware that they are on the list and why they are on there. Consent is not however required for all forms of direct marketing – organisations can still make calls or send direct marketing material by post provided they can satisfy the ‘legitimate interest’ condition. Situations where you do not need consent are set out specifically in the GDPR* (see my notes at the foot of this article).
Individuals will have a right of access to their own data at any time. Third sector organisations therefore will need to plan how to handle data access requests and decide on timescales and procedures.
There is also a new ‘right to be forgotten’ choice and individuals can request to be removed from data lists. Data also has to be kept up to data; so regular checks will be required on existing data. This will require privacy policies to be updated to outline procedures for individuals to request removal of their data. Individuals also have to be able to find out what data you hold about them.
Procedures need to be in place to detect, report and investigate any personal data breaches.
The new legislation provides an opportunity to review current practices and ensure you are not contravening any of the additional protections required by the new act. And of course it needs to be taken seriously due to the severe penalties for any organisation found to be in breach of the the new legislation.
What about Brexit?
Brexit will not put paid to this legislation; it is almost certain that the UK will adopt most (or all) of GDPR legislation.
Do you need help with compliance?
Jim Byrne Accessible Website Design can help your organisation comply with the new regulations in the following areas.
Making your online content more secure
If you are holding individuals data on your web site (e.g. members, volunteers, clients) you need to be active in ensuring your website is secure. I can help you by hardening security on your server, providing security monitoring services, enabling secure connections (e.g. an SSL Certificate) and providing backups for all of your online data (both database content and files).
Ensuring online forms comply
I can review your existing forms to check compliances and update any that need to be updated.
Providing a website compliance audit
I can also provide an audit of your website and website data to check how you are collecting and storing users personal data.
Contact me now for help with GDPR compliance.
* The UK’s Data Protection Regulator’s (ICO) highlights four factors in relation to whether you can rely on Legitimate Interests to hold an individual’s data:
- You need to show that you have balanced their interests with your interests when processing their data.
- Your assessment needs to be documented, be available and be open to challenge by affected individuals on the Regulator.
- You need to be able to uphold the individual’s right to object to such processing.
Contact me If you value experience (over 20 years as a web developer) and unrivalled technical know-how. Get in touch. Tel: 07810 098119. Email: firstname.lastname@example.org