
GDPR for not-for-profit organisations - Hart Square February 2018


First delivered: 21 February 2018, London
Follow up event: 28 February 2018, London
Follow up webinar: 5 April

Published in: Government & Nonprofit

  1. GDPR in NfP - Breakfast Briefing. Introduction: Allen Reid, Director of Client Projects, Hart Square
  2. About us
     • INDEPENDENT – Work with over 50 CRM and web suppliers
     • SECTOR SPECIALISTS – 20 years in the business
     • STRATEGIC – How to achieve your goal through technology
     • OPERATIONAL – Project delivery and project salvage
     • “NICE TO WORK WITH”
  3. We’ve all gotten used to bad news on GDPR…
  4. Non-profits in the news
  5. Data privacy in the news
  6. GDPR in the news
  7. The good news…
     1. The ICO has massively improved its guidance on GDPR for non-profits…
     2. You don’t need to throw away all your data
     3. Sensible marketing can be allowed under legitimate interest
     4. While you must take action, the actions you must take are clearer
  8. The Context
  9. Lawful reasons
  10. What the ICO says consent means in practice…
  11. Consent must be…
  12. A word about Legitimate Interest…
  13. A word about consent
  14. Your customers have rights. There are 7 individual rights, and what they mean:
     1. The right to be informed – What are you collecting, why, and who can see it?
     2. The right to access – How can I get to see my own stuff?
     3. The right to rectification – I want to change something
     4. The right to restrict processing – I don’t want you to do that anymore
     5. The right to data portability – Give me my stuff, I want to take it to someone else
     6. The right to object – Stop doing that
     7. Rights in relation to automated decision making and profiling – What decisions have you made which stop me doing/getting something?
  15. With a Preference Centre at the centre
  16. So, what do I need to do? The biggest single difference between the “old days” and now?
     • DPA was passive
       • Ignore it and hope for the best
       • Only a problem if you had a breach
     • GDPR is active
       • You must take steps
       • You must be able to prove you have taken steps
  17. What you need to do – summary
     • Be able to report Data Breaches to the ICO within 72 hours
     • Answer a Subject Access Request (SAR) within 30 Calendar Days
     • Have clear lines of accountability and a nominated representative (DPO)
     • Prove you have compliant data processes – Acquisition, use, retention, deletion
     • Document Data Privacy Impact Assessments (DPIA)
     • Prove Consent vs Legitimate Interests has been considered
  18. What you need to do – more detail. First of all, note that your most important tool in GDPR compliance is this…
  19. What you need to do – more detail (Source: ICO – 12 steps)
  20. What you need to do – more detail (Source: ICO – 12 steps)
  21. What you need to do – more detail
  22. What you need to do – more detail (Source: ICO – 12 steps)
  23. Main tips and take-homes: Don’t have a lonely project. Consider what help you need – and get it.
  24. Main tips and take-homes: Don’t think of it as a technology project. It’s about organisational change.
  25. Don’t panic and follow the golden rule: Be open, transparent, respectful… that’s it! Finally…
  26. Thank you