About

As well as providing training and a GDPR Toolkit (details below) I also provide extended support to people who have attended training, bought the toolkit, or just need some friendly guidance. The GDPR Toolkit can be found here http://www.adaptconsultingcompany.com/gdprtoolkit/ Jersey Business as supporting the GDPR Training and they can be found at https://www.jerseybusiness.je/get-advice/it-office-systems/data-protection-small-business/

Thursday, 15 February 2018

What should go into a Privacy Notice?



QUESTON

What should go into a Privacy Notice?

SHORT ANSWER

At the time of collecting their data, people must be informed clearly about at least:

1.      who your company/organisation is (your contact details, and those of your DPO if any);
2.      why your company/organisation will be using their personal data (purposes);
3.      the categories of personal data concerned;
4.      the legal justification for processing their data;
5.      for how long the data will be kept;
6.      who else might receive it;
7.      whether their personal data will be transferred to a recipient outside the EU;
8.      that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);
9.      their right to lodge a complaint with a Data Protection Authority (DPA);
10. their right to withdraw consent at any time;
11. where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.

There is guidance here



LONG ANSWER

I have answered a few questions on Privacy Notice already and have added a couple of links below for further reading, in order to avoid repetition here.

Based on my own experience so far having worked with a good number of organisations ahead of GDPR coming into force in May I would offer the following advice.

THINK WHY – WHAT IS THE PURPOSE?

Think about the purpose and the people and align everything to these. If the purpose is “club membership for newsletters” then the data gathered and processing should be based on the necessity for “club membership for newsletters”.  If the purpose is “look after the health and wellbeing of customers” then the data gathered and processing should be based on the necessity for “look after the health and wellbeing of customers”.

This keeps things narrow, easy to manage and control. There may be a bias towards “..lets have all their data about everything and then we can do anything…” but this is entirely contrary to GDPR and is the key cultural change that I don’t think people have grasped.

KEY PRINCIPLES

Next make sure each statement in the Privacy Notice meets the key principles. If you remember nothing else, remember the key principles!

Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Accuracy
Personal data shall be accurate and, where necessary, kept up to date
Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Accountability
The controller shall be responsible for, and be able to demonstrate compliance with the GDPR



POSSIBLE HEADINGS

These are some useful headings

1.     About Us And What We Do
2.     About The Service We Provide And Why Information Is Necessary
3.     What Data We Gather
4.     The Roles And Controls Protecting Your Data
5.     Data Sharing Or Disclosure (If You Do Any?)
6.     Location Of Data (Eg Transferred To A Recipient Outside The Eu)
7.     The Legal Basis And Your Rights
Note rights include [1] that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights); [2] their right to lodge a complaint with a Data Protection Authority (DPA); [3 ] their right to withdraw consent at any time; [4] where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.

See earlier article “What information must be given to individuals whose data is collected? “

SAMPLE PRIVACY NOTICE

If you want a model Privacy Notice then I suspect that the Privacy Notice of the people in charge of Privacy Notices, is probably a good start! Have I look at the regulators Privacy Notice!!


However as said many times, if you organisation is not doing what the ICO is doing then your notice doesn’t need to say what the ICO is saying.

See earlier article “I am sharing feedback as a learning exercise for anyone contemplating a Privacy Notice and a stark warning for anyone who simply recycles someone else’ Privacy Notice without thought.”



Tuesday, 6 February 2018

What information must be given to individuals whose data is collected?




 QUESTION

What information must be given to individuals whose data is collected?

ANSWER

At the time of collecting their data, people must be informed clearly about at least:

1.      who your company/organisation is (your contact details, and those of your DPO if any);
2.      why your company/organisation will be using their personal data (purposes);
3.      the categories of personal data concerned;
4.      the legal justification for processing their data;
5.      for how long the data will be kept;
6.      who else might receive it;
7.      whether their personal data will be transferred to a recipient outside the EU;
8.      that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);
9.      their right to lodge a complaint with a Data Protection Authority (DPA);
10. their right to withdraw consent at any time;
11. where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.

See complete list of information to be provided.

The information may be provided in writing, orally at the request of the individual when identity of that person is proven by other means, or by electronic means where appropriate. Your company/organisation must do that in a concise, transparent, intelligible and easily accessible way, in clear and plain language and free of charge.

When data is obtained from another company/organisation, your company/organisation should provide the  information listed above to the person concerned at the latest within 1 month after your company obtained the personal data; or, in case your company/organisation communicates with the individual, when the data is used to communicate with them; or, if a disclosure to another company is envisaged, when the personal data was first disclosed.

Your company/organisation is also required to inform the individual of the categories of data and the source from which it was obtained including if it was obtained  from publicly accessible sources. Under specific circumstances listed in Articles 13(4) and 14(5) of the GDPR your company/organisation may be exempted from the obligation to inform the individual. Please check whether that exemption applies to your company/organisation.

References
Article 12(1), (5) and (7), Articles 13 and 14 and Recitals (58) to (62) of the GDPR
Article 29 Working Party guidelines on transparency

FURTHER ADVICE AND SUPPORT

If you need more specific support (for example a meeting) I know the Jersey Community Partnership and Association of Jersey Charities are looking to co-ordinate some resources with various local suppliers. Where necessary grant funding may be available.


USEFUL LINKS

Jersey Data Protection Association

There is a list of Jersey Data Protection events here

For a general understanding of GDPR I highly recommend the guidance of Jersey’s Data Protection Authority

Monday, 5 February 2018

Facebook - am I allowed to individually message these people asking them if they would like to support us?



QUESTION 

Last year a large number of people ‘liked’ a particular Facebook post of ours. Many obviously have a link to our organisation but are not known to us as members. As part of a membership drive, am I allowed to individually message these people asking them if they would like to support us? (I am not sure whether this falls into the GDPR category particularly...)

SHORT ANSWER

Yes

LONG ANSWER

When people join Facebook, LinkedIn or Twitter they do so knowing that there data is “public” and so they have agreed (by signing up to Facebook, LinkedIn or Twitter) to offer their data on Facebook, LinkedIn or Twitter.

Importantly Facebook, LinkedIn or Twitter give them the right to accept to reject your link with them. So by all means connect, but if they reject your connection you should respect that.

If you do connect, make sure you get their permission if you do anything else with their data – like adding it to a mailing list!

FURTHER ADVICE AND SUPPORT

If you need more specific support (for example a meeting) I know the Jersey Community Partnership and Association of Jersey Charities are looking to co-ordinate some resources with various local suppliers. Where necessary grant funding may be available.


USEFUL LINKS

Jersey Data Protection Association

There is a list of Jersey Data Protection events here

For a general understanding of GDPR I highly recommend the guidance of Jersey’s Data Protection Authority

Some great questions about CRM, Members and Databases, including USA!



Some great questions about CRM, Members and Databases, including USA!

QUESTION 
I am planning to write to all members… but what about the people who have given gifts – anything, big or small. Since January 2018 we input their details into our new CRM (name, address, amount given) even if they are only one-off donations. Do I have to go to them and say their info is stored on our database?

SHORT ANSWER

Yes

LONG ANSWER

You need to explain how you manage people’s data private, safe and secure. It would be wise to do this in a comprehensive document, agreement, contract or membership form that covers everything in one place where possible.

See also previous Q&A which are relevant

http://gdprjersey.blogspot.com/2018/01/sports-clubs-do-i-need-privacy-notice.html




QUESTION 

When we receive notification that someone has made an online donation, is it ok to email them and thank them directly (rather than just the automated thank you that goes out)?

SHORT ANSWER

Yes

LONG ANSWER

GDPR will not stop emails, letters, thank-you and correspondence. You can send a personal or an automated reply. GDPR is about  how you manage people’s data private, safe and secure.  So sending an email “Thank you Mr Jones for £50000” is fine, but writing “Mr Jones gave us £5000, and here is his email address” is not!

QUESTION

I have checked with our CRM hosts, Blackbaud (eTapestry) about where the data is held. When sending out the letters to members, should I get explicit consent that they are ok with this….?

Our eTapestry data is hosted in either California or Boston.  Blackbaud are certified under Privacy Shield, which replaced the old Safe Harbour Agreement.  You can find out more information on this here: https://www.blackbaud.co.uk/privacy-shield

ANSWER

This is messy because according to many US privacy-shield will NOT acceptable to EU GDPR and there are real doubts and concerns about use of US systems. So much so that many US data businesses (eg DropBox) are actually moving their services to Europe to comply!

In this scenario you are the data-controller and Blackbaud (eTapestry) are the data-processor. You are responsible for their actions!

See also previous Q&A which are relevant




You have to take a risk-based decision, and you have to alert your customers, members, users (whoever’s data is being put at risk) what decisions you have made and what measures you have taken. In most cases there will be a GDPR compliant alternative.

If the data is simple name and address, and business is reputable with security etc., you may be OK, provided that people fully understand and agree the risks.  If the data is sensitive or high-risk you may be wise to find another supplier who is GDPR compliant.


However you still have the issue how you and they work together in the event of subject-access-request or a breach notification. Do they have procedures and processes to satisfy this need?

Don’t rely upon people being reputable – must of the big data breaches are by household names!!


A final thought – what if it was your data. What if your name, email, address and other (possibly sensitive) data was in a place that was not private, safe or secure? What if that data was lost or stolen? What would be the impact?

FURTHER ADVICE AND SUPPORT

If you need more specific support (for example a meeting) I know the Jersey Community Partnership and Association of Jersey Charities are looking to co-ordinate some resources with various local suppliers. Where necessary grant funding may be available.


USEFUL LINKS

Jersey Data Protection Association

There is a list of Jersey Data Protection events here

For a general understanding of GDPR I highly recommend the guidance of Jersey’s Data Protection Authority