02 10 myths of GDPR Charities - Jersey Community Partnership · 2019. 1. 10.

10 Myths & Fairy Tales of GDPR
The 10 most common misperceptions that undermine Jersey charities’ GDPR observance


#1 “Our charity is based in Jersey so GDPR does not apply to us.”

Scope

• Jersey has incorporated the GDPR into local laws

• Required to protect personal data of Jersey data subjects in accordance with local law

• If you offer goods or services to EU data subjects or monitor their behaviour, you need to comply with the GDPR for that data

Reality

Rapunzel: Geographical boundaries are no obstacle to your obligations!

#2 “We’ve got consent to send our fundraising emails so we don’t need to do anything else.”

Scope

• GDPR covers all personal data your charity holds, not just information on your donors

• Charities often hold particularly sensitive data on their beneficiaries, which needs additional protection

• Consent is not the only lawful reason why you may process data

Reality

Bigfoot: Don’t forget about your hidden data subjects amongst your volunteers, beneficiaries and trustees

#3 “I read that the GDPR did away with the requirement to register as a data controller so that’s one thing off my list.”

Scope

• Jersey retained the obligation to register with the OIC

• UK ICO also has a requirement to pay a fee - £40 for charities

• Check obligations in other EU Member States where you process personal data

Reality

Wolf in Sheep’s Clothing: Registration obligations are not as innocent as they appear

#4 “Our charity only retains personal data in hard copy - not digital data. This means we are not required to meet GDPR obligations.”

Data

• Focus has been on emailing and large-scale data breaches

• GDPR covers all forms of personal data – including paper-based records if they form part of a filing system

• So that file of business cards in your desk drawer is caught!

Reality

Merlin: Your charity may still be paper-based, but your filing cabinets are just as dangerous as digital records

#5 “All of our suppliers are certified GDPR compliant so we don’t need to look at our contracts with them.”

Data

• There is no such thing as “certified GDPR compliant”

• The charity is ultimately responsible for the actions of any third party it passes personal data to

• Make sure you do your due diligence and review your contracts

• If the supplier is outside the EEA, make sure you have an appropriate mechanism to transfer data to them

Reality

Bridge Troll: Poorly chosen third-party suppliers are a hidden threat to your business

#6 “We got someone to write us a privacy notice so we’re covered for GDPR compliance.”

Data

• Privacy Notice should reflect what your charity actually does with personal data

• Essential that someone in your organisation knows what data you collect and what you do with it

• How can you protect it if you don’t know where it is and who has it?

• Don’t forget about notices for all of your data subjects, not just donors

Reality

Odysseus and the Cyclops: Don’t be blind to what you do with personal data

#7 “Our charity completed our GDPR project back in May so we’re GDPR compliant.”

Compliance

• GDPR compliance is never ending!

• Policies and procedures may be drafted but you must ensure ongoing adherence

• Charities’ uses of data are constantly changing

• Data breaches and subject requests could happen at any time

Reality

Pinocchio: Don’t lie to yourself! “GDPR compliance” is a fairy tale – keep a close eye on your ongoing obligations

#8 “We have deployed comprehensive cybersecurity technology and sophisticated encryption measures. We are confident we won’t have a data breach or leak, so GDPR simply isn’t an issue.”

Compliance

• Data security is just one element of GDPR compliance

• GDPR is about understanding what you do with personal data and whether you have a right to do that

• No point building walls around data you are not entitled to have

Reality

Cerberus: Your data may be protected, but it’s not the end of the GDPR story

#9 “We’ve done the paperwork on GDPR so we won’t have a problem if we ever get audited.”

Compliance

• Paperwork is important but it’s not the be-all and end-all

• Educate your teams on your procedures

• Breaches are far more likely to originate from a volunteer or worker accidentally leaking data or not being aware of requirements

• Have infrastructure to back up your paperwork

Reality

Medusa: Don’t turn to stone staring at the danger in front of you – breaches are more likely to occur from innocuous sources

#10 “Our charity is too small to ever be caught or fined under GDPR.”

Penalties

• The ICO in the UK fined 11 charities a total of £138,000 last year and carried out a specific review of charities in September this year, so charities are far from exempt.

• No minimum amount of data before which GDPR applies

• OIC looking at charities’ awareness of obligations and intention to comply, not just how many people are affected

Reality

Thumbelina: Even the smallest charities can be investigated and fined

Questions?

Tara Manton

[email protected]