The General Data Protection Regulation (or GDPR for short) can feel a bit intimidating, especially if you’re a new or very small organisation.
GDPR is important as it safeguards the privacy of your customers and users. It encourages you to think about the personal data you ask for, how you use it, and how it’s stored.
By personal data we mean anything that could be used to identify an individual, and there’s more detail here.
The fount of all GDPR knowledge is the Information Commissioner’s Office (ICO) and we link to them a few times on this page.
There’s no choice about implementing GDPR – every organisation that collects personal data in the UK has to do this.
About this page
We’re not currently planning to write a step by step guide to implementing GDPR in an organisation. If we see the need to write something, or you’d like us to do this, please let us know.
There’s so much information out there already, so we’re pointing to the best guides we find – see below for a list.
In the meantime, we’ll use this page to collect tips that TechResort has found useful, either in implementing GDPR for ourselves or in our work with other organisations.
We’ll keep adding tips here. If you’ve anything to share, please let us know in the comments.
Good GDPR resources
It’s worth bookmarking the Information Commissioner’s Office (ICO) website. Every aspect of the law is there, and it’s relatively easy to follow.
Which? has a great guide written from a customer’s perspective. It’s worth a read when you have time.
GDPR was established by the European Union, so Brexit may ultimately affect what you need to do. The UK has included GDPR in our own laws, but will be able to review them after the transition period ends on 31 December 2020. We’re keeping an eye on this ICO page for more.
What’s worked for us
Understanding what you have to do
If you’ve read anything about GDPR, you’re sure to have come across the strange-sounding terms “Controllers” and “Processors”. Organisations need to work out which one they are, because it makes a big difference to what they need to do.
You’re a Controller if you decide:
- what data is collected
- what it’s used for
- how it’s processed or used
You’re a Processor if:
- someone else collects the data, and you’re following instructions from them
There’s also such a thing as a “Joint Controller” where you share responsibilities with another organisation.
The ICO has some straightforward advice about Controllers and Processors which will help you identify which one you are.
Think carefully about the data you want to collect
It’s really tempting to ask people for all sorts of personal data. If you know more about customers you’ll be able to market to them better, and so on.
In our conversations with small businesses though, few have had the time to use the data they’ve collected over the long term. It’s hard work doing marketing well and consistently.
If you factor in GDPR’s need to spell out how this data will be used and stored, then this becomes a big and complicated task. It’s far better to ask for only what you absolutely need.
Even a huge organisation like GOV.UK keeps the data it collects to an absolute minimum.
Here are a couple of examples to think about:
You might need to know where your users are based, so it makes sense to ask for a postal address. But do you need the full address? Would postcode or electoral ward suffice? It’s less to collect, and doesn’t personally identify a user.
If you’re grant funded for a project, check with the funder whether they’ll require any individual details of beneficiaries of the project. If they’re happy with anonymised data then reduce the data you hold to anonymous information as soon as possible.
Be clear about how you’re using personal data
Your website needs to explain what you need customer data for, and how you intend to use it. If you’re using paper forms to collect data, you need to add the same explanation there too.
We’ve found that this feeds back to the point above, about only asking for data you really need. If you can’t explain why you’re asking for data, odds on you probably don’t need it. If this is the case, don’t ask for it in the first place.
Appoint a Data Protection Officer
Someone in your organisation (maybe you?) needs to have a good grasp of the personal data that’s being asked for, how it’s used and how it’s stored.
Make someone on your committee, board or senior team responsible for understanding the GDPR basics, for drawing up the policy and for training staff and volunteers.
Keep records of policy reviews and staff training to be able to demonstrate how you comply.
Store the data safely
Make sure the people with access to the data really need it, and choose your data storage method carefully.
Here are some things that have worked for us:
- Invest in a sturdy locked cabinet for paper records.
- Put digital personal data on designated computers only and ensure the computers are password protected so that no casual users can see the information.
- Don’t share log-in details for shared cloud storage if there’s personal data involved. Give people who need it access via their own account so you can withdraw access later.
- Be careful with portable storage like laptops and USB sticks. It’s easy to forget what data’s on there.
- When you don’t need paper records any more – shred the paper, don’t just bin it.
- If you pass computers on to other organisations, make sure the data has been removed with a tool like DBAN – just deleting files isn’t completely secure.
We see the same big problem time and again – mass emails to people using software like Outlook, with tens of email addresses in the “To” or “CC” fields. Instantly everyone’s email address has been made public.
Many people might be OK with that, but that’s not really the point. GDPR is all about asking users for permission to share their data, before you share it.
The easiest way to fix this is to send the email to yourself, and put your list of email addresses in the BCC box. Sometimes the BCC box isn’t switched on by default, so you might need to hunt for it.
The other big no-no is sending personal info by email – avoid it if at all possible!
There are two good rules of thumb here. If you’re going to use people’s details for marketing (this includes newsletters) you must not automatically opt them into a mailing list – they have to make a positive choice. Have a sign-up form on your website explaining what information you’ll be sending and how often, with a checkbox for them to tick to opt in.
It also must be really easy for people to opt out of marketing. Using dedicated email sending software like Mailchimp takes care of sign up forms and unsubscribe requests in one package.
Some organisations we’ve worked with find Mailchimp complicated to use, so we’re planning a post about alternatives – if you have any suggestions please let us know.
There are special rules for passing data on – make sure your Data Protection Officer learns the essentials before passing on any client data.
If you really need to collect information that would be considered sensitive (for example, medical details, ethnicity, sexual orientation, gender identity, disability information or household income) then it’s essential to double check the safeguards you need to put in place. You should also be especially vigilant about how you store the information and who can see it.
When you no longer need the data, delete it, shred it or anonymise it. If the data is on a computer, use a tool like DBAN – just deleting files isn’t completely secure.
Let clients know how they can contact you to ask you to share the data you hold on them.
If you learn of any inaccuracies in your data, make sure you correct them.
If at any point you believe that personal data you hold has fallen into inappropriate hands, you must let the people whose data it is (called the “subjects”) know.