efa skillshare - jitty van doodewaerd
Post on 29-Jan-2018
EFA Skillshare
GDPR and Fundraising
Jitty van Doodewaerd – DMCC Nederland B.V.
© 2017
Today’s program
But first: some privacy basics.
New obligations under the GDPR, in 5 questions:
• What data do you collect?
• Is this documented?
• Who’s responsible?
• Are you transparent about your collection?
• Do you ever delete data?
www.dmcc.nl
What personal data do you collect?
Personal data
Privacy = processing of personal data
• Processing
• Personal data
Personal data (Art 1 GDPR): any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data (Art. 9/ 10 GDPR): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, data relating to criminal convictions and offences.
Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
Is your processing documented?
Register of processing activities
1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
a. the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
b. the purposes of the processing;
c. a description of the categories of data subjects and of the categories of personal data;
d. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
e. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
f. where possible, the envisaged time limits for erasure of the different categories of data;
g. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
Data mapping
Fundraising
➢ Donor administration
➢ Volunteer administration
➢ Collection
➢ Petitions
➢ Patient association
➢ Patient/member travels
➢ Website(s) and action pages
➢ Newsletter registrations
➢ Legacies
➢ Major donors
➢ Affiliates
➢ Social media
➢ Cookies
➢ Analytics
Projects
➢ Project management
➢ Investments
➢ Investee/investor due diligence
HRM
➢ Personnel administration
➢ Payroll
➢ Social security
➢ Learning management
➢ Time and attendance
Finance
➢ Creditors
➢ Debtors
➢ Beneficiaries
➢ Billing
➢ Reporting
Data mapping matrix: data categories against the data-subject types Donor, Ex donor, Participant, Prospect and Site visitor, and against the security attributes Availability (Beschikbaarheid) and Confidentiality (Vertrouwelijkheid). Marks per row as on the slide:
Address details: X X X X
E-mail: X X X X
Gender: X X X X
Date of birth: X X
Contact and order history: X X X X
Data regarding payments, transactions etc.: X X X X x
Financial data: X X X
Derived financial data: X X X
Lifestyle characteristics, profile information: X X
Special categories of data: (no marks)
Data mapping (data-flow diagram; only the labels survive in this transcript)
Parties: Party 1, Party 2, Party 3; each system is marked as internally managed or externally managed.
Systems and flows shown: customer database; customer data warehouse (data analyses); online accounts; single customer view (selection tool; database marketing and sales, trial and ex-subscribers); e-mail tool for sales and marketing; blacklist / opt-out requests (automated dialer); websites / landing pages; data enrichment and validation; telemarketing; e-mail; direct mail (field marketing tool); direct sales; retention.
Who’s responsible? (governance structure)
DPA (Art. 28 GDPR)
Governance
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
a. operates under clear instructions;
b. ensures confidentiality;
c. takes appropriate security measures;
d. will inform about any sub-processors;
e. helps the controller respond to requests from data subjects;
f. assists the controller in ensuring compliance;
g. at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing;
h. makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
DPO (Art 37 GDPR)
Governance
The controller and the processor shall designate a data protection officer in any case where:
a. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Are you transparent about your data collection?
Lawful processing
A. Fair and lawful processing
Art. 6 GDPR
a) consent (= opt-in: e-mail, SMS, social media and cookie data)
b) contract (gift, donor agreement, legacies)
f) legitimate interest (profiling, direct mail etc.)
Direct marketing is a legitimate business interest
Transparency
B. In a transparent manner
Art. 12, 13 and 14 GDPR
Information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language about:
1) identity
2) purpose
3) category of data
4) rights
5) third parties
Privacy statement
At the time of collection
Consent
Art. 4 GDPR
(8) ‘the data subject’s consent’ means any freely-given, specific and informed (…) indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
Art. 7 GDPR
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Consent: freely given
The freedom to say ‘no’ to the transaction without it significantly affecting you or producing a legal effect.
Consent: specific
Third parties, advertisers etc.?
Consent: informed?
Consent
When
• In effect since 2016
• Implemented by you in May 2018
Positive elements
• Instrument of a regulation
• Transparency obligations
• Fundraising is recognised as a legitimate purpose
Do you ever delete data?
Data retention
• Use of data limited to as long as necessary for the purpose of collection
• De-activating is not enough
• Adequate data retention periods?
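The three retention points above (hold data only as long as the purpose needs it, treat de-activation as something other than erasure, and fix a retention period per purpose) as an added worked example in Python. This is not code from the presentation or from DMCC; the purposes, retention periods and sample donor records are assumptions constructed for illustration, and a real register of processing activities would supply the actual time limits for erasure.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention periods per documented processing purpose, in days. These values
# are assumptions for the example; take the real ones from your own register of
# processing activities (the "envisaged time limits for erasure").
RETENTION_DAYS = {
    "donor_administration": 7 * 365,  # counted from the last gift or contact
    "newsletter": 2 * 365,            # counted from the last confirmed interaction
    "prospect": 365,                  # counted from the last contact
}

REVIEW_DATE = date(2018, 5, 25)  # constructed review date for the sample run


@dataclass
class Record:
    record_id: str
    purpose: str          # must match a purpose in the register
    last_activity: date   # last event that justified holding the data
    active: bool = True   # a de-activation flag is a soft delete, not erasure
    personal_data: dict = field(default_factory=dict)


def days_past_limit(rec, today):
    """Days beyond the retention limit for this record's purpose (<= 0: still within it)."""
    if rec.purpose not in RETENTION_DAYS:
        raise ValueError(f"{rec.record_id}: purpose {rec.purpose!r} is not in the register")
    age = (today - rec.last_activity).days
    return age - RETENTION_DAYS[rec.purpose]


def enforce_retention(records, today):
    """Split records into those to keep and those to erase.

    Returns (kept_ids, erased_ids, findings). Findings report the two situations a
    retention review should surface: records that were only de-activated but are
    still held past their limit, and records whose purpose is not documented (no
    documented basis to retain them, so they are erased as well).
    """
    kept, erased, findings = [], [], []
    for rec in records:
        try:
            overdue = days_past_limit(rec, today)
        except ValueError as exc:
            findings.append(f"undocumented purpose: {exc}")
            erased.append(rec.record_id)
            rec.personal_data.clear()
            continue
        if overdue > 0:
            if not rec.active:
                findings.append(
                    f"{rec.record_id}: de-activated but still held {overdue} days past the limit"
                )
            erased.append(rec.record_id)
            rec.personal_data.clear()  # erase the personal data, do not merely flag it
        else:
            kept.append(rec.record_id)
    return kept, erased, findings


def sample_records(today):
    """Constructed sample data for the example (not real donor records)."""
    return [
        Record("D-1", "donor_administration", today - timedelta(days=100),
               personal_data={"name": "A. Example", "email": "a@example.org"}),
        Record("D-2", "donor_administration", today - timedelta(days=8 * 365),
               active=False, personal_data={"name": "B. Example"}),
        Record("N-1", "newsletter", today - timedelta(days=3 * 365),
               personal_data={"email": "n@example.org"}),
        Record("P-1", "prospect", today - timedelta(days=30),
               personal_data={"email": "p@example.org"}),
        Record("X-1", "legacy_export", today - timedelta(days=10),
               personal_data={"name": "C. Example"}),
    ]


def run_review(today=REVIEW_DATE):
    """Run the retention review over the constructed sample set."""
    return enforce_retention(sample_records(today), today)


if __name__ == "__main__":
    kept, erased, findings = run_review()
    print("kept:", kept)
    print("erased:", erased)
    for line in findings:
        print("finding:", line)
```

The finding for the de-activated donor record is the point of "de-activating is not enough": a record that is merely flagged inactive still holds personal data and still counts against the retention limit, so the review erases it and reports how long it had been over. Records whose purpose is missing from the register are treated the same way, which ties retention back to the earlier question of whether the processing is documented.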
Jitty van Doodewaerd (+31 (0)625516373)
DMCC Netherlands B.V.
Phone: +31 (0)88-7779311
E-mail: info@dmcc.nl
Website: www.dmcc.nl