I’m often told by charities that data protection compliance feels overwhelming and that they don’t know where to begin.
My advice in a nutshell is to start with the areas of highest risk and to “make hay while the sun shines”. But what does this mean in practice?
Information and cyber security
When it comes to data breaches and cyberattacks, it’s not if, it’s when. Assume that you will have data breaches and be targeted by cybercriminals.
Your charity must have “appropriate” organisational and technical measures in place to keep personal data secure. Organisational measures are things like policies, procedures and staff training. Technical measures include IT and physical security safeguards.
When deciding which measures are appropriate for your charity, consider the risks that might result from the data being compromised. The greater the risks, the more robust the measures needed.
Training and awareness
Whilst it’s likely that one person will be responsible for managing data protection compliance at your charity, data protection is for everyone from trustees to volunteers. Everyone should receive data protection and information security training on induction and then at regular intervals.
But training once in a while might not be enough. Consider what you can do to keep data protection front and centre.
Some organisations use bite-sized reminders at staff meetings, posters in the office and quizzes. Certain roles (eg trustees, fundraising and HR) might benefit from role-specific training. Make sure that this is practical and specific to the charity sector.
Records management
I know that records management isn’t a topic that gets the heart racing, but your future self will thank you for getting things organised now.
For example, knowing where personal data is stored makes it much easier to respond to individuals’ rights requests (eg subject access requests). It also makes it more straightforward to work out what data has been compromised by a data breach and to retain personal data for the appropriate length of time.
Consider areas such as filing emails rather than keeping them in inboxes, implementing an information asset register and mapping data flows before starting a new project.
Baking compliance into your everyday
The UK GDPR includes a requirement known as data protection by design, which essentially means building in data protection compliance from the outset. Data protection should not be an afterthought. This can save large amounts of time later on, for instance by avoiding complaints and data breaches.
To achieve data protection by design, everyone at your charity needs to be aware of the data protection essentials, which links with the training and awareness raising discussed above.
You may find doing a data protection impact assessment (DPIA) helps you to spot issues sooner rather than later. A DPIA is required before starting to use personal data in a way that is likely to result in high risks to individuals.
Demonstrating compliance
Last, but very much not least, your charity must be able to demonstrate its data protection compliance, known as “accountability”. Not only is accountability a requirement under the UK GDPR, but it also helps your charity to build a data protection culture and makes it easier to spot risks early enough to mitigate them.
There is no prescriptive way to do this – what is appropriate for your charity will largely depend on the risks around your use of personal data and what is most effective at mitigating those risks.
But most charities will need at least the following: staff guidance, policies and procedures, DPIAs, records of training, a record of processing activities and compliant contracts with service providers who process personal data on your behalf.