GDPR // What to do in September

07.09.17

GDPR has got a lot of heads spinning, but what does it all mean? The General Data Protection Regulations (GDPR) will be implemented from May 2018.

Every month until next May, we will bring you one or two actions directly from the Information Commissioner’s Office to help you make sure you’ve covered everything. Our best advice is to read the ICO’s Overview of GDPR and consider how it applies to your organisation.

What to do in September

Awareness

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. It would be useful to start by looking at your organisation’s risk register, if you have one. Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You may find compliance difficult if you leave your preparations until the last minute. Find out more from ICO: GDPR Overview and ICO: GDPR Principles

Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas. The GDPR requires you to maintain records of your processing activities. It updates rights for a networked world. For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with. You should document this. Doing this will also help you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place. Find out more from ICO: Accountability and Guidance

Remember:

  1. GDPR follows the same principles as the Data Protection Act- these new regulations tighten up existing legislation.
  2. GDPR applies to data held about individuals.
  3. GDPR has implications for your whole organisation, not just fundraising.
  4. There is no definitive list of what you must do to comply. Our best advice is to read the ICO’s Overview of GDPR and consider how it applies to your organisation.

Please note: content for this article comes from the Information Commissioner’s Office website.