Ireland is fortunate in having a thriving voluntary sector, one which, between employment, sport, caring and entertainment, touches the lives of almost every citizen on the island of Ireland, and which quite possibly retains personal data on every one of them. Every city, town and parish in the country has at least sports clubs and schools that are run by voluntary boards or governing bodies, bodies that may be data controllers in GDPR terminology. On each body, volunteers mostly fill the various roles as board members or members of the governing board, meaning the volunteers are in some way responsible for the governance of a data controller.
DigiTorc has been asked by several charities, schools and similar bodies to help drive GDPR compliance, and this post is an anonymised summary of those GDPR compliance projects.
While the logic behind the EU’s General Data Protection Regulation (GDPR) may have been aimed at large corporates, the effect is felt just as keenly by Not For Profit Organisations and Charities. The Charities Regulator has produced some resources to help boards of management as they wrestle with compliance with health and safety, tax and the like, as well as Data Protection. But these resources are really just signposts to the broad areas, such as GDPR, that need attention.
The first step is to remember that, unlike ISO 9000, there is no certification process. No one can guarantee compliance, as GDPR is a complex, principle-based law which is open to interpretation. It is possible, and indeed probable, that national supervisory authorities and courts will diverge for a period of time.
The second step for Irish Charities is to become aware of your GDPR status. Consultants like DigiTorc can help you perform a GDPR audit and figure out where the big problems are. In GDPR there are as many opinions as there are players involved. You need to step back and see exactly what is going on before rushing to implement something that may or may not have been suitable for a different organisation.
The third step is to roll up your sleeves. DigiTorc typically works with individual charities to implement the most critical changes first. It is not possible to state a priori what a charity needs to do for GDPR, but once the audit is done you will have a clear, prioritised list. Normally the Pareto principle will apply, where 80% of the problems come from 20% of the causes. Clearing the first few big issues will make a dramatic difference to your Charity’s GDPR compliance.
The fourth step is to start documenting. GDPR contains 99 Articles, 52 of which require evidence to demonstrate compliance with the GDPR. It is important to start a folder on your network, or keep a physical binder, with the important e-mails and documents concerning GDPR. If you are ever audited, you need to prove compliance. Even if you don’t reach full compliance, proving that you have made an honest effort will distinguish you from those Irish organisations who are trying to ignore the regulation.
In most cases Irish Charities hold normal enterprise data like HR records and payroll; they may also hold volunteers’ records, all of which are covered by GDPR. In some cases, Irish Charities hold special categories of personal data, like children’s mental health records, which must be treated with extra care. All of this personal data must be retained for a defined period, shared with other bodies only in accordance with Irish law, and ultimately securely destroyed: a data life cycle. Naturally, throughout the data life cycle the data must remain confidential, unaltered and available. A common example of a GDPR compliant data life cycle for a charity is staff pay slips, which must be retained for three years (The National Minimum Wage Act 2000). Parental leave / force majeure leave records must be kept for 8 years from the date of the leave (The Parental Leave Acts 1998 and 2006). By way of contrast, CCTV footage normally must be erased after 28 days (Data Protection Commissioner Guidance).
Note that each type of personal data may have a different retention period ascribed to it by law. That duration then becomes both a floor and an implied ceiling, as you may be expected to securely delete the data soon after the retention period ends.
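One way to make the floor-and-ceiling rule operational is a retention check run over the charity’s record register. The Python below is an added example, not DigiTorc’s code or a legal text; it uses the three periods quoted above, while the record categories, the sample register and the 30-day deletion grace window are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods quoted in the post, as (years, days) counted from the
# record's trigger date: pay date, date of leave, or date of recording.
RETENTION = {
    "payslip": (3, 0),          # National Minimum Wage Act 2000
    "parental_leave": (8, 0),   # Parental Leave Acts 1998 and 2006
    "cctv": (0, 28),            # Data Protection Commissioner guidance
}
# Assumed grace window for secure deletion after the period ends (example
# parameter only, not a figure from the post or from Irish law).
GRACE = timedelta(days=30)

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date

def add_years(d: date, years: int) -> date:
    """Add calendar years, clamping 29 Feb to 28 Feb in non-leap target years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_window(record: Record) -> tuple[date, date]:
    """Return (floor, ceiling): earliest permitted and latest expected deletion date."""
    years, days = RETENTION[record.category]
    floor = add_years(record.trigger_date, years) + timedelta(days=days)
    return floor, floor + GRACE

def classify(record: Record, today: date) -> str:
    # A record with no assigned period needs a decision, not silent retention.
    if record.category not in RETENTION:
        return "NO_SCHEDULE"
    floor, ceiling = retention_window(record)
    if today < floor:
        return "RETAIN"
    if today <= ceiling:
        return "DELETE_NOW"
    return "OVERDUE"

def review(records: list[Record], today: date) -> dict[str, str]:
    """Map each record id to its retention status as of `today`."""
    return {r.record_id: classify(r, today) for r in records}

# Constructed sample register, reviewed on a fixed date so results are repeatable.
SAMPLE = [
    Record("PAY-2020-05", "payslip", date(2020, 5, 1)),
    Record("PAY-2021-05", "payslip", date(2021, 5, 15)),
    Record("PL-2018-03", "parental_leave", date(2018, 3, 1)),
    Record("CCTV-0520", "cctv", date(2024, 5, 20)),
    Record("CCTV-0401", "cctv", date(2024, 4, 1)),
    Record("MISC-01", "volunteer_form", date(2019, 1, 1)),
]

if __name__ == "__main__":
    for rid, status in review(SAMPLE, date(2024, 6, 1)).items():
        print(f"{rid:12} {status}")
```

Records reported as OVERDUE or NO_SCHEDULE are the ones to raise at the next board meeting, since both are gaps the documentation folder from the fourth step should record being closed.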
If you have any queries about Irish Charities and GDPR please get in touch and we’ll be happy to help you on the route to compliance.