About

As well as providing training and a GDPR Toolkit (details below) I also provide extended support to people who have attended training, bought the toolkit, or just need some friendly guidance. The GDPR Toolkit can be found here: http://www.adaptconsultingcompany.com/gdprtoolkit/ Jersey Business are supporting the GDPR Training and they can be found at https://www.jerseybusiness.je/get-advice/it-office-systems/data-protection-small-business/

Monday, 5 February 2018

Some great questions about CRM, Members and Databases, including USA!




QUESTION 
I am planning to write to all members… but what about the people who have given gifts – anything, big or small. Since January 2018 we input their details into our new CRM (name, address, amount given) even if they are only one-off donations. Do I have to go to them and say their info is stored on our database?

SHORT ANSWER

Yes

LONG ANSWER

You need to explain how you keep people’s data private, safe and secure. It would be wise to do this in a comprehensive document, agreement, contract or membership form that covers everything in one place where possible.

See also previous Q&A which are relevant

http://gdprjersey.blogspot.com/2018/01/sports-clubs-do-i-need-privacy-notice.html




QUESTION 

When we receive notification that someone has made an online donation, is it ok to email them and thank them directly (rather than just the automated thank you that goes out)?

SHORT ANSWER

Yes

LONG ANSWER

GDPR will not stop emails, letters, thank-yous and correspondence. You can send a personal or an automated reply. GDPR is about how you keep people’s data private, safe and secure. So sending an email “Thank you Mr Jones for £50000” is fine, but writing “Mr Jones gave us £5000, and here is his email address” is not!

QUESTION

I have checked with our CRM hosts, Blackbaud (eTapestry), about where the data is held. When sending out the letters to members, should I get explicit consent that they are OK with this?

Our eTapestry data is hosted in either California or Boston. Blackbaud are certified under Privacy Shield, which replaced the old Safe Harbour Agreement. You can find out more information on this here: https://www.blackbaud.co.uk/privacy-shield

ANSWER

This is messy because, according to many, the US Privacy Shield will NOT be acceptable under EU GDPR, and there are real doubts and concerns about the use of US systems. So much so that many US data businesses (e.g. Dropbox) are actually moving their services to Europe to comply!

In this scenario you are the data-controller and Blackbaud (eTapestry) are the data-processor. You are responsible for their actions!

See also previous Q&A which are relevant




You have to take a risk-based decision, and you have to alert your customers, members, users (whoever’s data is being put at risk) what decisions you have made and what measures you have taken. In most cases there will be a GDPR compliant alternative.

If the data is simply name and address, and the business is reputable with security etc., you may be OK, provided that people fully understand and agree to the risks. If the data is sensitive or high-risk you may be wise to find another supplier who is GDPR compliant.


However, you still have the issue of how you and they work together in the event of a subject access request or a breach notification. Do they have procedures and processes to satisfy this need?

Don’t rely upon people being reputable – most of the big data breaches are by household names!!


A final thought – what if it were your data? What if your name, email, address and other (possibly sensitive) data were in a place that was not private, safe or secure? What if that data was lost or stolen? What would be the impact?

FURTHER ADVICE AND SUPPORT

If you need more specific support (for example a meeting) I know the Jersey Community Partnership and Association of Jersey Charities are looking to co-ordinate some resources with various local suppliers. Where necessary grant funding may be available.


USEFUL LINKS

Jersey Data Protection Association

There is a list of Jersey Data Protection events here

For a general understanding of GDPR I highly recommend the guidance of Jersey’s Data Protection Authority
