GDPR (General Data Protection Regulation) became law in 2016, so voluntary organisations have had two years to become compliant with the new rules. On 25th May, the law will become enforceable across the European Union. We will have to adhere to the rules, even when Brexit eventually happens. This law will replace the Data Protection Act of 1998. With the rise of the internet and changes in technology, it is about time the law was refreshed, as a lot has changed in the last 20 years.
GDPR takes the definition of Personal Data and expands it to include ANY data that could be used to potentially identify an individual. Unlike most data protection rules, this also includes B2B data, like a work email address and job or volunteer title. As an organisation, you should start preparing the changes to your current policies and procedures.
GDPR is not just a tick box exercise, and it needs all staff and volunteers to adhere to the changes. Data protection legislation covers all the personal data you keep on the people you interact with. This includes employees, volunteers, service users, members, supporters and donors. Voluntary organisations may be the most vulnerable to breaches and fines, due to a lack of staff and a lack of awareness.
Every voluntary organisation should have a written policy and procedure for how they handle personal data and privacy issues. GDPR is not just the appointed Data Protection Officer’s role; everyone from the CEO to all volunteers needs to be involved, and to understand the fundamentals of the new law coming in. Volunteers must be trained in data protection, just as their employee counterparts must be. As an organisation, you are responsible for ensuring this occurs.
As an example, there is the practical risk of using volunteers to process personal data of other people. There is the risk of a data breach if you allow data to be used by people who may not be trained, or who are using their own insecure equipment, such as personal laptops. It may be worth hiring a specialist trainer to come to your organisation and speak to all your staff and volunteers, so that all parts of the organisation are on the same page, or sending them on a GDPR training course. Refresher training will also be useful at future intervals.
Gaining consent for holding and using data under GDPR is crucial. Voluntary organisations must be transparent when collecting personal data, and must be upfront about what they will use the data for. It is a legal requirement for users to know what is happening with their data. It is essential that consent is "freely given, specific, informed and an unambiguous indication of the data subject’s agreement". What may be difficult is asking for consent for data you already hold. The existing consent may be insufficient under GDPR, and you may need to refresh any forms you have.
Depending on your recruitment process for volunteers, it is almost certain that volunteers will be required to fill in a volunteer registration form with personal details on it, such as their full name and contact details (for example, a phone number). It is important to state on the form what their information will be used for. As an example, the following could be used:
Information from this form will be held on a database to help answer enquiries and progress your interest in volunteering. It will also be used to compile statistical data on the voluntary and community sector locally for our funders, but this will never include references to an individual. We will share your volunteer registration form with the organisations you have shown an interest in volunteering with, so that your enquiry can move forward. We will not sell or pass this information on to a commercial third party.
This way, as an organisation, you are being upfront with the volunteer about what their information will be used for. It is very important to have this in writing, as the volunteer will then sign the form and you, the organisation, will have their explicit consent when it comes to storing and processing their information.
It is vital that this information is kept in a secure place, whether it is held in hard copy or stored electronically. There are safeguards you can put in place, such as storing the forms in a locked cabinet, shredding hard copies, or holding the information in a password-protected spreadsheet. Passwords should always be strong, ideally using upper and lower case letters, numbers and symbols.
It is a good idea to log what personal information files you are holding on users in a GDPR spreadsheet, so you can keep track of all the data that you hold. It’s a bit like having a checklist that you can tick off to keep on top of all the personal data. Having an audit of all your files is good practice generally, as you can delete the information you no longer need to hold but may be unaware that you still have.
What are you doing as an organisation to keep up with GDPR? Do you have any questions regarding the changes in law? Comment below with your questions.