John Simcock: How to take the positive path to GDPR compliance

Charities should be looking at the new regulation as a chance to improve and regain much-needed public trust, our columnist writes

John Simcock
John Simcock

< This article has been amended: see final sentence.

The new General Data Protection Regulation is looming ever larger on the horizon and will be fully enforced by May 2018. I don’t think it’s any secret that a lot of people in the sector, perhaps more than in most other sectors, are looking upon that deadline with a mixture of fear and dread.

Is now the right time to question whether this is the right way to be looking at the GDPR? I believe so. Instead, I believe charities should be looking at the new regulation as a chance to improve and regain much-needed public trust. Here’s how that can work.

Make consent work for you

The most pressing task for charities is the need to deal with the issue of consent. According to many, this will be a cause of complication that’s only being made worse by th confusing advice given by some organisations. Other organisations, on the other hand, have taken the view that it’s a big opportunity. The RNLI, for example, is already running opt-in-only campaigns that will help it cull its database and prepare for the GDPR. The happy consequence is that the RNLI says this move has achieved "three times normal returns". These are remarkable results and provide real inspiration and hope for charities worried about the GDPR. The ICO is also now recommending opt-in as the path to take.

Create new privacy policy agreements that shine

The GDPR makes organisations responsible for giving people clear and adequate information about how their information will be protected. This means most will need to develop new, much more user-friendly privacy policy agreements that are written in plain English. This should also be seen as a good thing. Indeed, as companies in other sectors, such as The Guardian, have already shown, new PPAs are in fact a real opportunity for charities to promote how responsible and trustworthy they are in a way that is fresh and stands out.

Deal with subject access requests the digital way

The GDPR gives people the right to make subject access requests at any time and get responses within a month for straightforward queries. This process, if handled badly, could become very laborious for both the users making the requests and the organisations that need to respond to them. However, digital specialists have an opportunity to make a difference here by following one of the GDPR’s key best practice recommendations. This says that organisations should try to provide secure online self-service systems that provide each person with direct access to his or her information.

This kind of "manage your privacy settings" system is only a recommendation and not compulsory, but it could be well worth exploring if your organisation is committed to digital transformation. In effect, it could be a new digital service that organisations can develop to streamline potentially time-consuming processes and provide a better user experience.

Appoint a DPO with an eye on the bigger security picture

The GDPR will require many charities to appoint a data protection officer to achieve compliance. It’s also a good idea to make sure any potential DPOs are cyber security-aware and trained. GDPR compliance implies implementing cyber security regulations, so it will benefit your charity if you make sure your DPO is up to speed with the latest thinking on cyber security and broader organisational resilience. If they are, they will help to guarantee your data’s security, integrity and accessibility by disseminating cyber security best practice throughout your organisation.

These are just some of the ways that charities can use the GDPR in a positive way to improve performance and relationships. Some of it will seem like very hard work at first, but the thing to remember is that most of it can be turned to your advantage if you think about it in the right way.

John Simcock is director of charities and third sector at Eduserv, a not-for-profit provider of IT, digital and web development services

< This article originally said that individuals had the right to make a subject access request at any time and get a response within 72 hours, but the ICO told Third Sector that the timescale was within one month.

Have you registered with us yet?

Register now to enjoy more articles and free email bulletins

Already registered?
Sign in
RSS Feed

Third Sector Insight

Sponsored webcasts, surveys and expert reports from Third Sector partners