
National Volunteering Forum: May18


Presentation regarding how charities can adapt and benefit from the GDPR changes.

Published in: Government & Nonprofit

  1. Coming soon: a view from the ICO. National Volunteering Forum – 15 May 2018. Richard Sisson, Senior Policy Officer, Policy & Engagement (Private & Third Sector)
  2. About us … and this presentation. 25 May 2018
  3. Key points about GDPR
     • Evolution, not revolution
     • Focus on transparency and control
     • Accountability
     • Individuals' rights
  4. Ten days to go: complying with the GDPR
     • Complete compliance is the aim
     • 25 May is not an end date for compliance
     • The ICO remains a pragmatic organisation
     • However, there is no grace period
     • Follow the accountability principle
     • Know your lawful basis and be able to justify it
     • Be as transparent as you can
  5. Fining powers: €20 million or 4% of turnover, but:
     • The ICO wants to promote good practice
     • It is not going to be issuing fines to punish organisations
     • No guarantees not to fine, but it will look at mitigation
     • Accountability practices
     The ICO can issue greater fines, but this is not our goal.
  6. How to work with the ICO
     • Charity sector page
     • ICO guidance
     • The ICO liaises with member bodies on issues
     • The ICO is expanding – new teams and processes
  7. Guide to the GDPR
  8. Fundraising and direct marketing
     • Confusion over the use of legitimate interests (LI) and consent
     • If marketing is caught by PECR then you will need consent, except in certain circumstances
     • LI can be used for marketing not caught by PECR, but you must do an LI assessment, and there is a need for transparency
  9. Issues for the sector 1: What do volunteers need to do about personal data?
     • It will depend on how the volunteer is undertaking their role
     • If they are not processing personal data as part of their role, it is still useful for them to know about the legal obligations regarding personal data
     • It may be useful for them to know what the organisation does with personal data, for purposes of transparency
  10. Issues for the sector 2: Where volunteers do process personal data, they must:
     • know the purpose for which they need the individual's data
     • know their lawful basis
     • be transparent
     • only collect the personal data that they need
     • have appropriate security in place
     The organisation should decide whether individuals need to be processing the data independently or whether the organisation should process the personal data.
  11. Keep in touch: subscribe to our e-newsletter at … or find us on… /iconews (@iconews)
  12. Q&A @NCVOvolunteers #volforum
  13. Open the conversation @NCVOvolunteers #volforum
  14. Our experience of tackling an ICO Enforcement Notice – Amy Symons
  15. Alzheimer's Society
     • 2200 employees
     • 6100 volunteers
     • Over 2 million Dementia Friends
     The new deal on dementia: support, society, research
  16. Why did we get an enforcement notice? …because we didn't listen
  19. What did we need to fix the issues? EN10
  25. Thank you for listening. Any questions?
  26. Do it with data: GDPR. Damien Austin-Walker. Sharing & consent in volunteer brokerage
  27. Pillars of GDPR
     ● Transparency – the right to be informed
     ● Access – the right to access and verify that data is processed legally
     ● Rectification – the right to rectify incorrect or incomplete data
     ● Erasure – the right to erasure
     ● Portability – the right to obtain and reuse your personal data
     ● Objection – the right to object to marketing & profiling
  28. Checkbox catch-up!
  29. Access sport
  30. Should not-for-profits learn from the commercial sector?
  31. So what's the issue with volunteering?
  32. What is Do it doing? "When you register your interest in a job or volunteering opportunity, we will forward your details to the recruiter. If the opportunity is advertised through a broker, such as a Volunteer Centre or recruitment agency, your details will be available to both the broker and the organisation providing the opportunity in order to take your application forward."
  33. Transparency & consent
  34. Transparency & consent
  35. Your personal data vault
  36. The Real Opportunity
  37. Your life, your data
  38. Rise of digital identity: data can be cryptographically protected so that only the individual can grant access, on a case-by-case basis. Additionally it can be decentralised: either stored across users' personal devices, or across the internet on a blockchain.
  39. Blockchain?
  40. What is the future?
  42. Q&A @NCVOvolunteers #volforum
  43. Open the conversation @NCVOvolunteers #volforum
  44. Chris Wade, Director of Engagement, & Clare Sutton, Learning and Development Officer: 'Equipping Volunteers for their responsibilities under GDPR'
  45. The MND Association
  46. A different approach: 'Protecting and Respecting Personal Data' – creates engagement and a desire to comply with the regulations – positive response to this approach
  47. Introducing Ted
  48. Starting the conversation… Self Assessment
     • Each Branch/Group (B&G) member with data responsibilities was asked to complete it, with support from the Regional Volunteer Development Co-Ordinator
     • Almost 60% returned – used to inform training
     • Started B&G looking at their practices ahead of learning sessions
  49. Learning Sessions… 'What do I need to know?'
     • National delivery of face-to-face learning sessions focused on 'what do I need to know', not weighed down in technical information
     • Using real-life examples and scenarios
     • Able to respond to questions and concerns immediately
  50. 'How to' guides
  51. Challenges…
     • National reach of volunteers – 79 active B&G
     • Creating opportunities for volunteers to attend learning sessions
     • Pitching the learning sessions at the right level
     • The complexities of applying GDPR
     • Managing varying attitudes to new regulations
  52. What's Next…
     • More learning events
     • Volunteer team able to deliver further sessions with learning resources
     • Webinars for those unable to attend
     • Review of B&G practice on-going
  53. Meeting all your data protection and privacy needs
  54. Privacy Statements (Squaring the Circle); Managing Multiple Relationships (Who are you to them?). Gary Shipsey | Managing Director, 14th May 2018. 15 May 2018
  56. "We won't share your details with other charities for marketing purposes. If that's not OK, please tick the box."
  57. "…ought to reasonably have known that data subjects would be unlikely to infer from those terms that their personal data would be processed for the purposes of wealth screening" – para 40 BHF / para 47 RSPCA
  58. "…user-centric rather than legalistic. The practical (information) requirements are outlined in Art. 12–14. However, the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information…" – Article 29 Working Party Guidelines on transparency
  59. 'Privacy notice' describes all the privacy information you need to make available to people. It must:
     • Be more detailed and specific
     • Make notices understandable and accessible
     • Be audience specific
     • Use house-style language
     There is still discretion for [you] to consider where the information… should be displayed in different layers of a notice.
  60. Means of providing privacy information
     1. the language and general accessibility considerations;
     2. how you will approach vulnerable data subjects (if applicable);
     3. engagement with stakeholders in developing and testing your privacy info.;
     4. your approach to obtaining consent (where applicable);
     5. your approach to collecting personal data via Applications (if applicable);
     6. the different ways personal data is collected from each Data Subject Category;
     7. what potential methods, means and formats you have at your disposal to deliver the privacy information; and
     8. an approach to providing privacy info. throughout the period of processing
  61. Means of providing general privacy information: define how you will provide access to the privacy information that every Data Subject should be able to access
     - Data Controller
     - DPO / DP Lead
     - Individual's rights
     - ICO
  62. Baseline of specific privacy information (per Data Subject Category): define a "baseline" of specific privacy information for each Data Subject Category. Much of the detail should come from your Record of Processing Activities (ROPA). Maintain a Master Log of "baseline" privacy information in your Privacy Information Strategy.
     Data Subject Categories: A. Employees; B. Contractors; C. Councillors; D. Applicants; E. Service users
  63. Privacy Information Assessments (alongside: Means of providing general privacy information; Means of providing privacy information; Baseline of specific privacy information per Data Subject Category). Undertaken to define how privacy information will be provided, in three situations:
     A. Collected directly from an individual – e.g. via a form; verbally; in person.
     B. Comes into the organisation from another source – e.g. a referral from another organisation; a public source.
     C. When existing personal data is to be used for a new purpose
  64. The request for consent shall be presented in a manner which is:
     • Clearly distinguishable from other matters
     • In an intelligible and easily accessible form
     • Using clear and plain language
  65. Consent: "Any freely given, specific, informed and unambiguous indication of [their] wishes… [either] by a statement or by a clear affirmative action"
  66. Specific and informed
     • "If you want consent for various different purposes or types of processing… you should provide a separate opt-in for each… unless you are confident it is appropriate to bundle them together."
     • "People should not be forced to agree to all or nothing… they may want to consent to some things but not to others."
     • Consent is "not… freely given, if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate"
     • "When the processing has multiple purposes, consent should be given for all of them."
  67. Direct Marketing
     • "…communication (by whatever means) …of any advertising or marketing material …which is directed to particular individuals."
     • "All promotional material… including material promoting the aims [and ideals] of not-for-profit organisations… the direct marketing rules… will apply to the promotional, campaigning and fundraising activities of [charities / NfPs]."
     • "…any messages which include some marketing elements, even if that is not their main purpose."
  68. Electronic DM (email, SMS+): Consent
  69. Screen vs: previous objections + TPS. Lawful basis by channel: Legitimate interests OR Consent; Legitimate interests OR Consent; n/a (the channel headings of this table did not survive extraction)
  70. How long does consent last?
     • PECR: "consents for the time being"
     • GB Red Cross Undertaking: 2 years
     • ICO Direct Marketing guidance: "consent lasts as long as circumstances remain the same, and will expire if there is a significant change in circumstances." (para 63) "Even if consent is not explicitly withdrawn, it will become harder to rely on as a genuine indication of the person's wishes as time passes." "'for the time being'. We consider this implies a period of continuity and stability, and that any significant change in circumstances is likely to mean that consent comes to an end." (para 99)
  71. Managing Multiple Relationships (Who are you to them?). Gary Shipsey | Managing Director, 15th May 2018
  72. Common sense…? "Common sense is not so common" – Voltaire
  73. Greater emphasis on: Transparency; Accountability; Fines; Compensation. "…shall be responsible for, and be able to demonstrate compliance with, the principles"
  74. A) Accountability – Management and Delivery of Key GDPR Requirements
     Strategic – Policy: risk appetite and overall accountability
     Operational – Standard: what needs to be achieved
     Tactical – Procedures: how to achieve it; steps to follow
     Stakeholders: DPO / DP Lead; Public; Regulators (ICO / Fundraising Regulator / Charity Commission); Suppliers; Staff; Protecture
  75. A) Accountability – Management and Delivery of Key GDPR Requirements: Data Controller – Data Processor – Contract. "…the controller and the processor shall implement appropriate technical and organisational measures…"
  76. A) Accountability – Record of Processing Activities (ROPA)
     • Purpose
     • Lawful basis
     • Transparency – be fair, to inform people
     • Processing activities: how much to collect; who needs to see it; who to share it with; how long to keep it
     • Extent to which people can use/enforce their rights
     "…specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…"
  77. A) Accountability – Record of Processing Activities (ROPA). Business objectives / areas: 1. Fundraisers; 2. Finance team / HR (incl. volunteers); 3. Support Hubs; 4. Recreation Club (gym); 5. Massage therapy; 6. Shops. Data Subject Categories: A. Employees / Volunteers; B. Donors (financial); C. Service users; D. Customers
  78. A) Accountability – Record of Processing Activities (ROPA). Business objectives / areas: 1. Housing; 2. Education; 3. Justice; 4. Health; 5. Support & advice; 6. Policy & research; 7. Finance / HR; 8. Fundraising. Data Subject Categories: A. Employees / Volunteers; B. Donors (financial); C. Service users
  79. Lawful basis:
     • Consent
     • Contract with the individual – supply what they want / steps taken at their request before entering into a contract
     • Compliance with legal obligation – required by UK or EU law
     • Vital interests – protect someone's life
     • A public task – official functions/tasks in the public interest
     • Legitimate interest* – your needs, unless outweighed by the harm to the individual's rights and interests
  80. C) Security – Objective: ensure all current technical and organisational measures in place are understood and any key risks are mitigated or accepted
  81. C) Security – Taking into account:
     • the state of the art
     • the costs of implementation
     • the nature, scope, context and purposes of processing
     • the risk of varying likelihood and severity for the rights and freedoms of natural persons
     "…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…"
  82. C) Security – "In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed…"
  83. Q&A @NCVOvolunteers #volforum
  84. Further information: Practical support; Data and research; Investing in Volunteers; Become a member
  85. Get in touch @NCVOvolunteers