There has been a lot said on data protection with the General Data Protection Regulation (GDPR) looming over the last couple of months and coming into effect on 25 May, both in the corporate and the not-for-profit sector. As the Information Commissioner’s Office (ICO) have said themselves, no one can tell you what’s right for your organisation, as it is about what is proportional and reasonable for you and the community you serve.
With that said, I thought it might be useful to lay down some of the ways we, at Genetic Alliance UK, are working towards compliance.
We are not re-consenting all of our contacts, and here is why.
Genetic Alliance UK have never bought data. Anyone who receives our information has signed up to receive it – either at an event, through our website, or as part of our SWAN UK membership – and we make it easy to unsubscribe and stop hearing from us at any point.
I read recently that re-consenting rates are currently at around 10%, which means that by asking for additional consent, many organisations are losing up to 90% of their contacts. For many small rare disease communities this could be completely disastrous. And once you have asked for re-consent, if they don’t respond or actively re-consent, you are never allowed to contact them again: their inaction is them withdrawing their consent.
We plan to send an email to all of our contacts, letting them know they are on our mailing list, linking to our updated Privacy Statement. This will tell them what they can expect to receive from us and give them an easy way out if they don’t want to hear from us. We believe that this approach is fair and proportional; it respects the individuals that we serve and communicate with. Of course, if the ICO decides that this is not enough, then we would have to look at re-consenting our contacts, but we will wait to be asked to do that, and make our point to them if necessary.
It’s also useful to note that publicly available contacts, i.e. work email addresses and postal addresses, are not covered under GDPR.
We have a list of what data we have, why we need it and where it is stored.
Anything that has a personal identifier, including that random spreadsheet you’ve got lurking from a mailer in 2015 in some unused file, is classed as a data asset, and as such needs to be assigned to someone within your organisation for safekeeping, updating and destroying when necessary. Do you still need those? Use GDPR as a reason to get rid of useless spreadsheets and documents: consolidate your data into as few assets as you can, and make sure these are as safe as possible.
We have also used it as an opportunity to look at what we ask from people when they sign up. Thankfully, for most of our services it is simply a name and an email address. But if you are asking for a person’s date of birth, why? Is it relevant to the service or your organisation? If it’s not, you shouldn’t be asking for it, so a review of what information you ask people for is also wise.
We are updating our Privacy Statement.
GDPR gives the perfect opportunity for you to look at your organisation, where you store data, how you keep things safe and update your Privacy Statement/Policy. It helps you to think through all aspects of GDPR. Why do you collect personal data? When are you going to destroy that data? Where do you keep it online? We’ve looked at GDPR and updated our Privacy Statement in line with the new spirit of transparency and allowing the individual to determine how their data is used and the ability to see how it is stored.
We are putting in place a clearer process for freedom of access requests and the right to be forgotten.
There is existing legislation that allows a person to ask for everything you hold on them; these freedom of access requests are covered within current data protection law. The difference under GDPR is that there will be no fee for people to make these requests, and you must respond within a month. This could prove a heavy administrative burden for many organisations, so we’re setting up a process so that we know how to deal with access requests quickly and efficiently.
We are making it clearer what people will get from us, and continuing to make it easy for people to stop hearing from us.
Gone are the days of ‘we will send you news from Genetic Alliance UK’; now we have to make it clear what that actually means. For example:
‘By giving us your details you are signing up to Genetic Alliance UK’s mailing list. Weekly, we will send you information and booking details for events, research studies you can participate in, news and updates from us and our members, services or media inquiries we think might be of interest to you, fundraising initiatives and the work of our support network, SWAN UK, and our campaign Rare Disease UK. You can unsubscribe anytime, and we’ll never give your details to anyone for commercial or advertising purposes. Read our Privacy Statement here.’
Unsubscribing will continue to be made as easy as possible, and available on every e-communication we ever send.
We are working with our suppliers to make sure they have the right policies in place.
If I hand a spreadsheet of names and contacts to a print supplier so they can fulfil a mailing, and that print supplier has a data breach involving that data, that’s my responsibility. So we are reviewing and asking for the data protection policies of all our suppliers, and also asking for confirmation that any data we give them for the fulfilment of a service will be destroyed on completion of that job.
This is by no means a comprehensive list of what you should be doing, but more a spotlight on some of the key issues and the way we are choosing to respond, which we hope you might find useful.
If you want some more information you can: