Much has been made of the complexities of complying with GDPR; however, in reality, for most businesses compliance can be achieved through some common-sense business practices and a written policy relevant to your business.
What is GDPR
The General Data Protection Regulation (GDPR) came into effect in May 2018.
GDPR imposes certain obligations on companies and other organisations that process personal data relating to individuals.
The majority of businesses will have to comply with GDPR, which requires adjustments to business processes, documents and cultures.
We are happy to assist any business with initial GDPR compliance, whether it's practical training, making GDPR assessments for your business, or developing compliance plans or policies for your business.
In early 2018 we undertook work with numerous clients to assist with initial GDPR compliance, prior to the legislation coming into force. This included:
- GDPR Training, including simplifying the legislation and practical ways to comply
- Developing a GDPR compliance plan tailored to each client
GDPR and Charities
Whilst many of our clients were SMEs, we also undertook a considerable amount of work with local charities.
Charities are required to comply with GDPR to the same level as any other business, but they have unique complexities that general businesses don't necessarily encounter. Some of the difficulties that charities face include:
- The belief that the ICO will not target charities; this has now been proven not to be the case, due to recent fines imposed by the ICO on numerous global and local charities.
- Many charities rely on numerous volunteers, often on an ad hoc basis, meaning that training these individuals and enforcing GDPR through them is harder to achieve, with the added danger that they stop volunteering if things become too complex.
- Many charities deal with vulnerable people, meaning the data can be sensitive personal data, and there is an obligation on the charities to ensure that these individuals understand GDPR and their rights. This often requires charities to find simple ways to explain their rights to these individuals; a one-size-fits-all policy is not suitable in these cases.
- There is often a lack of systems to effectively record/store personal data, which means data is vulnerable.
- Personal data is obtained through numerous and often informal methods, i.e. signing people up for funding in the streets.
- Historically, personal data has been used in many ways to help the charity promote itself or raise funds, but these are no longer appropriate under GDPR.
- There is often a lack of funds and staff to implement GDPR
- Many Charities are governed by Trustees, who also need training on GDPR
We worked together with these charities to deal with these unique issues and came up with practical ways to deal with GDPR whilst still being able to operate the charity for the purposes for which it was created.
Ongoing GDPR Compliance
GDPR is not a tick-in-the-box exercise; the Information Commissioner's Office (ICO) requires organisations to implement a culture change and develop processes and policies that embed GDPR principles throughout the organisation.