Many charities are making final preparations for GDPR by finalising their data audits and reviewing their policies and procedures. But if this has felt like too big a task until now, and you’re not sure where to begin, there will probably be a growing sense of anxiety about what you can achieve in the next six or seven weeks.
As a starting point, we suggest allocating the task of a data audit ideally to two or three people in your charity who understand reasonably well the personal data that your organisation holds. That small group should then get together to discuss the data audit in a logical and methodical way. An ideal way to do this is to use the ICO’s “Preparing for the GDPR: 12 Steps to take now” document, which can be downloaded from the ICO website.
Start by creating a list of the data that you know you hold and how you are already using it. There will be personal data about trustees and employees – this is almost certainly data which you are obliged by law to hold anyway. There will then be data about donors or supporters, and perhaps personal data about beneficiaries. Depending on the kind of charity you are, there may also be sensitive data about beneficiaries. Using the ICO’s definitions of personal and sensitive data, which can be found on their website, you should identify the broad groups and types of data that you hold and build them into a table.
Once you have an overview of data groups and types, you can then work your way through the 12 Steps guidance and consider how each of the 12 Steps applies to your organisation and the data you hold. You are likely to find that some of them will apply and you will be on top of them already (even if you’re not sure about that beforehand). Some steps will give rise to action points for you to consider and to work on. Others may not apply at all. When you have gone through the 12 Steps you will have started to build up an impression of where you are complying and where you need to do further work.
Build your results into a mini-report which can be shared with others in your organisation, and use the report to flag up the things you are doing well, the things you are not sure about (but which you want to review or to seek advice on) and the things that you can safely ignore. Our experience working with charities suggests that, by the time you get to this stage, you will find that you have narrowed your data protection problems down to a small handful of practical issues which you can tackle one by one.
Once you’ve followed up on action points, continue to review and update your data audit report and keep it on the agenda for trustee meetings so that the issue is not forgotten about.
By following this broad process, you may find that you have done enough work by the end of it to satisfy yourself of your charity’s GDPR compliance. Even if action points do arise, or you identify the need for advice on one or two particular matters, you will hopefully obtain reassurance that your charity is not too far off the mark. You will hopefully also find that the process is not as onerous as you feared in advance. A logical, methodical data audit, shared by a few people in your organisation and kept under review by the board as a whole, is a sensible starting point in assessing your own GDPR compliance.