Help! I run a Voluntary Not-For-Profit Group and I think we might be responsible for GDPR

Published on: 5th November 2018

Any organisation that holds personal data about living residents in the EU is accountable to the ICO for their use and management of that data. From the NHS to the local allotment society, everyone is now expected to take responsibility for their data. So if you run a not-for-proft, informal or voluntary group or association (however tiny) the GDPR relates to YOU!

Don't panic however. The ICO has clearly stated that it will be fair and proportionate in its expectations around compliance in these cases. It won't exempt you from the legislation (nor any fines should you REALLY mess up your data governance), but it will be understanding and (somewhat) flexible in the journey it expects you to take towards compliance. So take a deep breath and read on. Here's some guidance to get you underway...

Start out by taking a look at all the types of data about people that you store for your organisation. It may just be contact details, but it may also be financial records, emails, files, photos, video and more. Just write it all down as a list. Try and capture everything. This may take time. (Middle-of-the-night flashes of insight often help with this step.) Then think through (and write down) all the types of people you work with; e.g. members, clients, volunteers, public, suppliers, partners, et al.

Once you have this list of WHAT and WHO, you can check quickly to see if there are any "high risk" people or "high risk" information types in the two lists. High risk people are those deemed "vulnerable" by the GDPR. Article 29 states:

"Vulnerable data subjects may include children (they can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data), employees , more vulnerable segments of the population requiring special protection (mentally ill persons, asylum seekers, or the elderly, patients, etc.)"

Recital 75 of the GDPR that refers to high risk data says that high risk arises: 

“where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures”.

Few small organisations will use or store this kind of information, but some social charities and support groups may. If your organisation does, it would be advisable to check with a professional GDPR consultant to see what risk this presents to you, and how you can reduce these risks in your organisation. You may be able to reduce this risk by simply deleting any unnecessary high risk information, or anonymising the personal information if you need this data to track service accessibility for example.

Following on from the WHO and WHAT it is possible to explore the WHY in your data world. Why do you even have this data? Do you need it at all? Do you need all of it? GDPR best practice is all about using data appropriately and in a justifiable way. It's easy to get sloppy in storing information, and simply store everything forever. GDPR challenges you to tighten up this behaviour and give clear and "legitimate" reasons for processing the data (this includes storing and using the data).

Working through the list of WHAT and WHO it is possible to look at each case and consider WHY you have the data and what you're using it for. Mostly this will be for legitimate reasons relating to the operation of your organisation, but you will find things that really should be removed and forgotten once they're dealt with. A good example is storing email details from someone enquiring about an event. Once you've answered the question and the event has passed there is no legitimate reason to keep their data, and the email correspondence. In this case the email and contact details should be deleted. The only exception to this would be if the enquirer has actively consented to you storing their details and contacting them again in the future. The ICO has a guidance section on identifying the lawful basis for processing information which you may find helpful, plus a telephone helpline.

We'll be writing some more about different kinds of Legitimate Interest in the coming weeks and months, and watching for specific ICO guidance as the Regulation comes into force.

If you can start to document these 3 areas of your organisation's data, you'll be well on your way on the journey to compliance. The final steps of the process focus on who accesses your data, how it is secured and how you manage consent. These are covered in this article here: "...where to start with GDPR" At the end of the journey you'll have created a record that can be shared with your organisation, its service users, and if necessary, the ICO. This is the recommendation contained in Article 30 of the GDPR, that you should have a clear understanding of your data, your obligations and your activities in relation to the people (data subjects) whose records you store.

PYXI GDPR Team: 5th Nov 2018 15:29:00