The Information Commissioner's Office (ICO) recently conducted voluntary information risk reviews with eight charities, and you can read the ICO's full report here.
The ICO noted many examples of good practice amongst the audited charities, including proper delegation of responsibility for data protection, effective staff training, gathering consents to marketing communications via positive opt-ins, transparent privacy and data protection policies, and specific information governance procedures.
There were also substantial areas the ICO felt organisations needed to work on, including regular refresher training for staff and volunteers on data protection and information governance, policies that are consistent and systematically reviewed, routine GDPR compliance checks, and sensible retention schedules for personal data.
There were several findings with potentially quite serious ramifications: many of the charities reviewed weren't adding fair processing notices to their marketing consent forms, many were retaining personal data for far longer than was necessary, and many could not comply with an individual's 'right to erasure'. These issues could all be seen as significant breaches of the GDPR.
Circle can help you work towards best practice around many of the points raised in the report. We can:
Install and advise on proper use of the CiviCRM GDPR extension
Make recommendations around how to gather GDPR-compliant opt-ins from your supporters/members
Help you ensure that your systems and processes are as secure as they can reasonably be made, via our security reviews (more information on these to come)
If you need advice around any of these issues, or just want to talk through how your organisation is handling the new data protection laws, please feel free to get in touch.