Blog: Voscur’s GDPR journey...so far!
With only a few months to go, fewer than half of charities have heard of the new data protection regulation coming into play in May this year. The General Data Protection Regulation (GDPR) is the biggest shakeup of data protection since the 1998 Data Protection Act and has caused concern within the charity sector. It’s no surprise: there’s a lot of scaremongering out there, and many in the VCSE sector don’t have the time, knowledge or skills in-house to fully work out what GDPR means for them.
It has been no different for Voscur. Although we are lucky enough to have a part-time data officer (me!), GDPR is something completely new to me and the rest of the team, and it has meant pausing other projects in order to get up to speed with what GDPR is and what we need to do to comply with the new rules. Although I won’t pretend we are ready yet, I wanted to share our journey so far on becoming GDPR compliant, in the hope that this may help you and your organisation to do the same.
Research - First off I did A LOT of reading. It can be hard to find time, especially with so much information out there, but I would recommend you start with the ICO guide to GDPR. It’s quite a long read (80+ pages!) but is split up into manageable sections and written in quite an accessible way.
Planning - Next I worked out the key areas we needed to revise. This is where the ICO’s 12 step checklist comes in handy. With this I was able to break down the massive task of becoming GDPR compliant into smaller chunks. I’ve used that breakdown to create a timeline plan detailing when different things need to get done. This might seem a bit over the top, but it is recommended that organisations have a plan in place to show how they are becoming compliant. The ICO recognises that GDPR compliance is an ongoing journey and is likely to look more favourably on organisations with a plan in place.
Auditing - Unless you are starting a system from scratch, chances are you will need to tweak what is already in place to make it privacy by design (I won’t go into what that is here, but the link gives a thorough explanation). Before doing this, you need to know what you already have, and my biggest learning so far has been doing a data audit. We’ve learnt on the go how to conduct this, and structuring it has been a challenge. I have attached an outline of the main questions I attempted to cover in this audit as a download below. What I realised when doing this is that I would get the fullest picture of our organisation’s data if I spoke to every member of the team.
Engaging the Team (including your Trustees!) - A lot of people feel fatigued just by the mention of data, so it’s been important to engage with staff in an accessible and efficient way to understand how they use data. Voscur is a busy and dynamic team working on lots of different projects, and so the way we collect personal data varies across the organisation. When doing the data audit, I spent some time with each of my colleagues, talking over what kind of personal data they collect, store and process and how GDPR may affect this. Not only has this given me a clearer picture of our data, it has also engaged people around GDPR, meaning people are more likely to understand what is expected of them and to get on board with any changes further down the line.
Spring cleaning - Like many organisations, we’ve held on to data for years after it is needed, and stored it in all sorts of different places. GDPR makes it clear that you cannot hold personal data indefinitely; instead, you need to make sure you are only holding it for as long as necessary. Although clearing out can seem like a big chore now, it will stand you in better stead to know who you are actually engaging with, and what people are actually interested in hearing about.
Policies and Procedures - Privacy policies on websites now need to be more explicit in describing why personal data is collected, how it is processed and what the individuals’ rights are. This means the majority of organisations will need to alter their existing policies, and also their internal procedures, to ensure data is protected as described. The changes to consent give more power to the individual and will require many organisations to rethink their ways of working.
Alongside all of this I’ve been attending training sessions (Voscur have one coming up soon in March), we’ve sought legal advice from Trust Law, and we’ve kept the whole Voscur team up to date with what is going on and what they need to do. It’s taken up at least 80% of my 2.5 days a week since August and will probably continue at that level for a few months yet, but hopefully we’ll come out the other side with a lot of knowledge to share and some much improved systems!