GDPR: Our own journey to compliance – Part 1
31st July 2017
We have less than ten months left to make sure we are GDPR compliant by the time the new EU Data Protection legislation comes into force on 25th May 2018.
As an infrastructure charity that offers advice and guidance to voluntary and community organisations across the county, Northumberland CVA has an obligation to raise awareness and share good practice on important issues like Data Protection. However, neither I nor any of my colleagues can claim to be an expert in GDPR. In fact, to get our own house in order we’re relying heavily on the guidance that is trickling from the Information Commissioner’s Office and other national advisory and regulatory organisations. Then it occurred to us that, apart from continuing to circulate information as it becomes available, possibly the best way we may really be able to help voluntary and community groups in Northumberland is to share our own journey towards GDPR compliance.
This blog then is the first in a series that will chart our trials and tribulations along the way.
Whilst here at Northumberland CVA we’ve been trying our best to raise awareness of the coming changes for some time now via our fortnightly VCS Support Services and monthly Northumberland Trustees’ Network e-bulletins, it’s only relatively recently that we’ve begun work in earnest on our own journey to compliance. Much of this work has landed on my desk, but since it was I who brought the spectre of GDPR to the attention of our CEO and board of trustees in the first place (long before the Brexit vote cast doubt on whether we would need to comply), perhaps I shouldn’t complain.
We actually began the process more than a year ago with the ICO’s document: ‘Preparing for the GDPR: 12 Steps to Take Now’ (now updated). We formed a working group to look at how we measured up against all the points. Then there was a long gap while the whole country wrestled with the results of the Brexit referendum and how that might impact on any new legislation coming from Europe. And of course now we know that Brexit makes no difference; the UK will still be an EU member when the new legislation comes into force and if we want to continue trading with Europe after Brexit, we will need to comply with the GDPR beyond it.
I’ve had to do a lot of reading along the way! I do find it much easier to absorb complicated information from the printed page rather than onscreen (perhaps it’s an age thing), and boy is this stuff dry. So dry, it’s a wonder the downloaded documents haven’t burst into flames on my desk as I’ve turned the pages. Once the Brexit question was settled and information and guidance started to emerge from the ICO, I resolutely began my reading marathon and wrote a report for the board on our progress, with suggestions for our next steps. We reformed our little working group and decided on the order in which to tackle them. Two priorities of equal importance quickly became clear:
1: Any consent we gain now on personal data, and may still need to rely on beyond the implementation date, must meet the GDPR standard if we want to continue processing that data after May 2018:
Although the new regulation does not come into effect until 25th May 2018, we still need to review our current privacy statements and consent requests as a matter of urgency. Wherever consent will be our legal basis for processing beyond May 2018 and we do not want to have to seek fresh consent, the consent we hold must already meet the GDPR standard, so everything needs updating as soon as possible.
At the time of writing, the ICO is still analysing the feedback received from its Consent Guidance Consultation, which closed at the end of March, and will not be able to publish the final version of the guidance until the Article 29 Working Party of European Data Protection Authorities (WP29), of which the ICO is a member, has agreed and published its Europe-wide consent guidelines; the latest timetable for these to be agreed and adopted is December 2017. In the meantime, the ICO intends to publish a summary of the responses to the consultation. That means we need to rely on the draft guidance now and hope that no major changes are made later. The key points of the draft guidance are:
- Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
- It must cover the controller’s name, the purposes of the processing and the types of processing activity.
- Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
- Consent should be obvious and require a positive action to opt in.
- Explicit consent must be expressly confirmed in words, rather than by any other positive action.
- There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
At Northumberland CVA, we have several different projects for which we rely on consent to process the personal data of both volunteers and service users, and so we need to have all the emergency work on consent finished as soon as possible. In the short term, this may mean removing existing options – for instance, the online application form for membership of Northumberland VCS Assembly – until we have mastered the digital consent requirements.
2: Before we can move forward, we need to know exactly what information we currently hold, where it came from, who we share it with, and whether we still need to keep it.
We decided to look upon this aspect of the process as an opportunity to have a good clear out of the information we hold. As far as electronic information is concerned, one positive has been our recent acquisition of a new database, which means much of this work has already been done.
Similarly, an audit on the physical records we keep has been simpler because of a recent shredding exercise.
A lot of the physical information we previously held was in the form of records from projects gone by, from previous employees, and from organisations we’ve had no contact with for some time – perhaps because the person who used to be our contact has now left the organisation. But physical records may also include any “photographs, films, microfilms, printed material, maps and plans”, which is something to keep in mind as you go through your own information. We’ve now reviewed our retention policy and archived or destroyed any hard copy information that contains personal data accordingly.
As part of our information audit, I also sat with each member of staff in turn and identified everything they may hold or use in both personal and networked folders, on laptops and memory sticks, as well as any physical data they store in their own work area. I’m currently putting all this together in an inventory document in time for our next sub-group meeting.
Even though we set out to address just these two issues initially, I’ve found that they’ve inevitably bled into the other aspects listed in the ‘Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now’ document. I’ve found myself embarking on activities that are actually part of carrying out a ‘Privacy Impact Assessment’, as suggested in Step 3, in that I’m starting to map the way information flows, the different ways we process data, and the points at which we need either to ask for consent or to rely on other legal bases for processing. Call me odd if you like, but I find I’m actually enjoying the task.
If you’d like to know more about the GDPR, visit the ICO webpages: https://ico.org.uk/for-organisations/data-protection-reform/