1. Get your house in order
We recommend you arrange a meeting with your ‘compliance team’ and consider the following questions:
- What are your resources for complying with GDPR?
- Who are the staff who need to be consulted, trained and authorised?
- What internal resources do you have?
- What structures do you need to put in place? Will there be a steering committee?
- Are there external consultants or technology solutions you should consider involving in the process?
We would be delighted to be part of such a planning meeting to ensure all the right questions are asked and the key matters considered.
2. GDPR Audit
You will need to conduct an audit of all the organisations systems, electronic and hardcopy files, activities, processes, correspondence, contracts etc. to make a record of all the personal data you hold, the purposes for which you process it and the legal basis on which you wish to process it.
The questions for you to consider should include:
- What personal data do you hold and process?
- Where is the personal data collected?
- How, where and why is it used (the data purposes)? With whom is it shared – within the organisation and with third parties?
- How long have you held the personal data?
- What technology/policies/contracts govern the processing of personal data?
- What security measures do you have in place?
We would be delighted to assist you plan and carry out this audit. We provide four levels of audit support for charities as follows:
|AUDIT — BRONZE SERVICE|
We will provide you with detailed written guidance for your audit based on the information you provide to us in the initial meeting.
|AUDIT — SILVER SERVICE|
In addition to the written audit guidance provided as part of the Bronze service we will review your audit process with you in a series of monthly visits to your premises over a three-month period.
|AUDIT — GOLD SERVICE|
In addition to the written audit guidance of the Bronze service and the monthly review visits under the Silver service, you will have access to our dedicated GDPR team through a telephone and email helpline for a period of three months. This will enable any day-to-day queries relating to your conduct of the audit to be answered.
|AUDIT — PLATINUM SERVICE|
We will undertake the full audit process on your behalf dealing with all the necessary steps. This covers everything from interviewing staff, reviewing and collating documents and preparing a detailed report which includes a “traffic light” system of risk assessment against the data and relevant documents recorded in the audit.
The bulk of this work would be conducted by us on your premises.
3. Compliance – plan your journey
On the basis of the personal data, purposes and processes recorded in the data audit report, you will need to conduct a risk and gap analysis of the data and formulate your compliance strategy accordingly.
The relevant questions for you to consider should include:
- Can you demonstrate the conditions for processing (consent, legitimate interest etc.) you wish to rely on?
- In particular, can you demonstrate explicit consent for the processing of special categories of personal data (race, ethnic origin, political opinion, religious belief, TU membership, physical/mental health, sex life, legal proceedings for any offence)?
- If you don’t have the consents you need, how will you obtain them?
- Are your contracts with third parties and privacy policies and notices GDPR compliant?
- Are you ready for dealing with the enhanced data subject rights such as subject access requests? Will you conduct mystery-shopper or ticket-testing exercises?
- What is a high risk and how should compliance be prioritised based on the risks?
- What is a realistic timetable for compliance?
- Are the right people appointed to implement the work that needs to be carried out? Will you have a Data Protection Officer to oversee further compliance efforts?
We offer three levels of support for your compliance needs:
|COMPLIANCE — BRONZE SERVICE|
We will attend a risk assessment meeting with you at which the results of your data audit report will be considered, the risks measured, strategic priorities set and a timetable agreed.
|COMPLIANCE — SILVER SERVICE|
We will review your data audit report and provide a ‘traffic light’ risk assessment on the basis of the report and attend a meeting – as provided in the Bronze service – to present our advice and discuss your compliance strategy.
|COMPLIANCE — GOLD SERVICE|
We will provide the services offered in our Bronze and Silver service and you will also have access to our dedicated GDPR team through a telephone and email helpline. We will deal with your day-to-day queries relating to the conduct of your GDPR compliance for three months following the date of the initial compliance meeting. This would not include drafting or amending any documents (see below).
Updating/ redrafting documents
It will become apparent once the audit has been concluded and the compliance process is underway exactly what documents – contracts/policies/fundraising materials – need to be amended to be GDPR-ready.
For further advice on GDPR Compliance, please call us on 01483 543210 or alternatively email firstname.lastname@example.org