GDPR: how does it work for non-profits?
During recent periods of lockdown, the work of associations did not stop: activity continued remotely from people's homes. This has once again drawn attention to the security of personal data processed in a CRM system. It is therefore worth revisiting the GDPR, implemented over four years ago, and its implications for charitable and cultural associations and foundations.
Although the GDPR is best known for letting individuals manage their preferences for how their data is processed, it goes much further. Given the quantity and variety of data available to organisations, they bear a significant responsibility for processing that data and keeping it secure.
Who is affected by GDPR?
The GDPR applies across the 27 countries of the EU, unifying the rules and legal framework for processing personal data while allowing digital professional activities to develop. This legal framework is not set in stone: it adapts to developments in technology and digital practices in our societies, thereby building users' trust.
The General Data Protection Regulation concerns any private or public company or organisation, regardless of its activity, as long as it is established on the territory of the European Union or its activity targets European residents. Organisations established outside the EU can therefore also be subject to these legal provisions. Even though the UK has left the EU, organisations there still need to comply with the GDPR: it was incorporated into UK data protection law at the end of the transition period.
What is personal data?
Personal data is any information relating to an identified or identifiable person, whether a single piece of data or a combination of several. It could be:
Within associations, foundations and NFPs, such data is plentiful and essential if you want to be able to attribute a KPI score to your members, a perfect example of data processing and cross-referencing.
But beware: personal data is not only found in your databases. Paper documents, even archives, can contain personal data: CVs, the register of members, the register of volunteers, quotes and invoices from your service providers, tax receipts, beneficiary monitoring files, etc. All of this data falls under the GDPR and should be treated the same as digital data.
What is data processing?
Processing data means performing an operation or a set of operations on it, whatever the method used: collecting contact details via a questionnaire, updating supplier files, issuing a tax receipt, creating a membership card, etc.
The processing of personal data must be justifiable: it must have an objective, and be lawful and legitimate. In the context of the relationship with a member, this translates into the following principles:
* Opt-in / opt-out: the option to agree to processing / the option to withdraw from it.
* Purpose: the recording and use of data about a living person must be done for a specific, lawful and legitimate purpose.
* Proportionality and relevance: the data collected must be limited to what is relevant to the purpose of the file.
* Retention period: a retention limit must be set, depending on the type of data and the purpose of the file.
* Confidentiality: data must be kept secure, and accessible to and used by authorised persons only.
* Rights of individuals: data subjects have the right to access and rectify their data and to consent to its use.
Applying these principles also says something about the IT structure within your organisation: it demonstrates an ethical approach to data processing and reassures your members and other contacts about the security of their data (especially if they provide you with their bank details).
Focus “safety”: what measures to take?
There are many risks associated with processing and handling data. Here are 10 things your organisation can do to protect itself and keep that data safe.
If you have any more questions, Sarah Cotton is always happy to help!