About

As well as providing training and a GDPR Toolkit (details below), I also provide extended support to people who have attended training, bought the toolkit, or just need some friendly guidance. The GDPR Toolkit can be found here: http://www.adaptconsultingcompany.com/gdprtoolkit/ Jersey Business is supporting the GDPR Training and can be found at https://www.jerseybusiness.je/get-advice/it-office-systems/data-protection-small-business/

Wednesday 17 January 2018

GDPR CHARITIES AND MAILING LISTS – QUESTION AND ANSWER

QUESTION

I have a database of about 800 emails, can I still talk to them after May about events and things that may be of interest, or do I need to contact every one and ask their permission?

RESPONSE

Simple Answer: YES. However there are some things to consider. 

This is a really great question because I am sure it is typical for many charities and not-for-profit organisations. It is also interesting because the answer is not straight-forward and does offer some insight into what you need to think about.

Before I offer my answer I’d like to share a great quote from a Data Protection Regulator: You don’t ask a policeman how to drive your car. That’s up to you. However if you break the law the policeman will come knocking.

It should be clear that GDPR is the law, but it is up to each organisation, charity or not-for-profit organisation how they meet the requirements of the law. It is entirely possible for organisations to take different approaches to achieve the same ends.

The answer below is not definitive but a common sense approach. There may be many other approaches and different emphasis depending on the people, process, technology, organisation or person (“data subject”). I welcome people to share their views, experience or useful links and guidance in the comments below.

ANSWER

How did you get the data? Did the people agree to give you their details? Or did you get it from somewhere else or someone else? If people did agree to give you their details it would be useful to have a record or evidence to prove this. If you already have permission or agreement, you do not have to get it again.

It really depends on whether you already have permission from the 800 people for you to email them things, and that the permission covers everything you do with their data.

It is a bit simplistic, but basically GDPR is beefed-up Data Protection and the Jersey Data Protection Act 2005 already applies [Link 1]. So this isn’t something you need to be doing in May. It is something you should already be doing!

What GDPR says is that there should be a lawful basis for having data [Link 2]. That might be by having explicit consent from each of the 800 people or it could be by agreement, for example if they have subscribed to a mailing list or agree to a contract. There are other lawful bases but they’re not relevant to this question.

If you don’t already have a valid reason, contract or consent then you need to get this [Link 3]. However, before you email 800 people, think: “If I am going to email these people, what do I want to say in the email?”

Each email, letter, meeting or phone call is an opportunity for people to say YES or NO. So plan carefully what you intend to say.

Nobody likes to be on a database if they don’t know why, and what protections exist to ensure that it is accurate, fair and safe. It’s a bit Big Brother. And given that so many businesses seem to lose data [names, addresses, phone numbers, credit card details – Link 4] or sell it to marketing or junk-mail companies, people are becoming more choosy about what they share, with whom and why.

GDPR gives everyone rights over their data. That’s rights for you and me. [Link 9]

This is why it is important to think about what data you hold, why, and what protections exist to ensure that it is accurate, fair and safe. [Link 5] If you can then explain this in a Privacy Notice, contract or other document then people are better able to make the right decision [Link 6].

What’s really helpful is to create a map of what data you hold, where, and who has what access to it. [Link 7] This includes any which is shared with other organisations and what protections you have for data stored on computers.

If all you are doing is using your laptop for emailing a list of coffee morning events then there is no big deal and the explanation should be simple and agreement straight-forward.

If however you are storing medical, religious, political or other sensitive data [Link 8] to target people who might be interested in help, counselling or volunteering. And if you are sharing that data with other organisations. And if you are using that to sell stuff. And if that data is on many computers, or computers you don’t control. You can see it quickly gets tricky, because you’re going to have to do a lot of things to convince your customers that their data is accurate, fair and safe.

Importantly, if you agree to use data for one purpose (for example, a monthly update on coffee morning events) you cannot use it for another purpose (for example, fund raising for other organisations).

ADVICE

Create a map of what data you hold, why, where, and who has what access to it. Understand what policy, processes and controls exist to keep it accurate, fair and safe. When you have all this you should be able to write a Privacy Notice, contract or other document (or webpage) that explains this in really simple terms.

If you are transparent about this, people will trust you and can agree for you to talk to them about events and things that may be of interest. You are then providing an agreed service and not just holding data and sending junk-mail.

Remember that people have rights, and they can ask what data you hold about them and why (amongst other things). You should be able to answer that question quickly and clearly.

Would you trust an organisation that couldn’t?

USEFUL LINKS

Link 1 Guide to Data Protection Act 2005
http://www.ogier.com/publications/jersey-data-protection-a-brief-guide-to-the-law


Link 2 Lawful Basis For Having Data
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/


Link 3 Consent
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/


Link 4 List of Data Breaches Affecting People
https://en.wikipedia.org/wiki/List_of_data_breaches


Link 5 GDPR Principles
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/


Link 6 Privacy notices, transparency and control
https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/


Link 7 Documentation (Process Maps and Data protection impact assessments)
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/


Link 8 Sensitive or Special category data
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/


Link 9 Individual rights over data
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/


GDPR ADVICE FOR LOCAL CHARITIES AND NOT-FOR-PROFIT

I am working with Jersey Community Partnership and Association of Jersey Charities to possibly set-up a presentation / workshop to talk about GDPR for local Charities and Not-for-Profit. This will probably be Tuesday 30th January and I look forward to confirming details in due course.

In the meantime, for January, I have proposed that a useful approach to help local charities might be for organisations to pick a question or topic, and for me to offer general advice on the best approach, which we can publish and share with other charities and not-for-profit organisations.

You can email me with your question or topic at timhjrogers@gmail.com

CONTACT

TimHJRogers@AdaptConsultingCompany.Com
+447797762051 Skype: timhjrogers TimHJRogers@gmail.com

1 comment:

  1. online gdpr training You made such an interesting piece to read, giving every subject enlightenment for us to gain knowledge. Thanks for sharing the such information with us to read this...