10 Myths of GDPR (Charities) - Jersey Community Partnership - 10 January 2019
10 Myths & Fairy Tales of GDPR
The 10 most common misperceptions that undermine Jersey charities’ GDPR observance
#1 “Our charity is based in Jersey so GDPR does not apply to us.”
SCOPE
• Jersey has incorporated the GDPR into local laws
• Required to protect personal data of Jersey data subjects in accordance with local law
• If you offer goods or services to EU data subjects or monitor their behaviour, you need to comply with the GDPR for that data
Reality
Rapunzel: Geographical boundaries are no obstacle to your obligations!
#2 “We’ve got consent to send our fundraising emails so we don’t need to do anything else.”
SCOPE
• GDPR covers all personal data your charity holds, not just information on your donors
• Charities often hold particularly sensitive data on their beneficiaries, which needs additional protection
• Consent is not the only lawful reason why you may process data
Reality
Bigfoot: Don’t forget about your hidden data subjects amongst your volunteers, beneficiaries and trustees
#3 “I read that the GDPR did away with the requirement to register as a data controller so that’s one thing off my list.”
SCOPE
• Jersey retained the obligation to register with the OIC
• UK ICO also has a requirement to pay a fee - £40 for charities
• Check obligations in other EU Member States where you process personal data
Reality
Wolf in Sheep’s Clothing: Registration obligations are not as innocent as they appear
#4 “Our charity only retains personal data in hard copy - not digital data. This means we are not required to meet GDPR obligations.”
DATA
• Focus has been on emailing and large scale data breaches
• GDPR covers all forms of personal data – including paper based records if they form part of a filing system
• So that file of business cards in your desk drawer is caught!
Reality
Merlin: Your charity may still be paper-based, but your filing cabinets are just as dangerous as digital records
#5 “All of our suppliers are certified GDPR compliant so we don’t need to look at our contracts with them.”
DATA
• There is no such thing as “certified GDPR compliant”
• The charity is ultimately responsible for the actions of any third party it passes personal data to
• Make sure you do your due diligence and review your contracts
• If the supplier is outside the EEA, make sure you have an appropriate mechanism to transfer data to them
Reality
Bridge Troll: Poorly chosen third party suppliers are a hidden threat to your business
#6 “We got someone to write us a privacy notice so we’re covered for GDPR compliance.”
DATA
• Privacy Notice should reflect what your charity actually does with personal data
• Essential that someone in your organisation knows what data you collect and what you do with it
• How can you protect it if you don’t know where it is and who has it?
• Don’t forget about notices for all of your data subjects, not just donors
Reality
Odysseus and the Cyclops: Don’t be blind to what you do with personal data
#7 “Our charity completed our GDPR project back in May so we’re GDPR compliant.”
COMPLIANCE
• GDPR compliance is never ending!
• Policies and procedures may be drafted but you must ensure ongoing adherence
• Charities’ use of data is constantly fluctuating
• Data breaches and subject requests could happen at any time
Reality
Pinocchio: Don’t lie to yourself! “GDPR compliance” is a fairy tale – keep a close eye on your ongoing obligations
#8 “We have deployed comprehensive cybersecurity technology and sophisticated encryption measures. We are confident we won’t have a data breach or leak, so GDPR simply isn’t an issue.”
COMPLIANCE
• Data security is just one element of GDPR compliance
• GDPR is about understanding what you do with personal data and whether you have a right to do that
• No point building walls around data you are not entitled to have
Reality
Cerberus: Your data may be protected, but it’s not the end of the GDPR story
#9 “We’ve done the paperwork on GDPR so we won’t have a problem if we ever get audited.”
COMPLIANCE
• Paperwork is important but it’s not the be all and end all
• Educate your teams on your procedures
• Breaches are far more likely to originate from a volunteer or worker accidentally leaking data or not being aware of requirements
• Have infrastructure to back up your paperwork
Reality
Medusa: Don’t turn to stone staring at the danger in front of you – breaches are more likely to occur from innocuous sources
#10 “Our charity is too small to ever be caught or fined under GDPR.”
PENALTIES
• The ICO in the UK fined 11 charities a total of £138,000 last year and carried out a specific review of charities in September this year, so charities are far from exempt.
• No minimum amount of data before which GDPR applies
• OIC looking at charities’ awareness of obligations and intention to comply, not just how many people are affected
Reality
Thumbelina: Even the smallest charities can be investigated and fined
Questions?
Tara Manton