VAST Vault - GDPR - VAST | Providing professional services for voluntary and community groups

VAST Vault – GDPR

Everyone who works with data needs to know about data security and should at least understand the basics of GDPR. Which is why we’re giving you a brief outline here. GDPR has seven main principles;

Lawfulness, fairness and transparency,
Purpose limitation,
Data minimisation,
Accuracy,
Storage limitation,
Integrity and confidentiality (security) and,
Accountability.

Individuals must be fully aware of how you will use their details in relation to these principles, and they need to know right from the start, before you collect their personal information. Each principle is fully explained in the Guide to the General Data Protection Regulation (GDPR) from the Information Commissioner’s Office (ICO).

Lawfulness, Fairness and Transparency

You are only allowed to use the data you collect and hold in line with the GDPR legislation and use it fairly; not in a way that could be “unduly detrimental, unexpected or misleading to the individuals concerned.” You need to be transparent about the data you collect, use and store. This information must be easily accessible and written in plain English that’s easy to understand. Read more on this principle.

Purpose Limitation

The way you use people’s personal details, and why you’re using them need to be clear and documented. If you’re going to be using them for a new purpose, you need to get consent. Read more on this principle.

Data Minimisation

You should only collect the data you need to use for your stated purpose, and no more than you need. Read more on this principle.

Accuracy

You must always ensure that the information you hold is correct and up to date. Read more on this principle.

Storage Limitation

You’re only allowed to keep personal details for as long as you need it for your stated purpose. And no longer. You must also include a “Data Retention Policy”, setting out standard retention periods, in your documentation. Read more on this principle.

Integrity and Confidentiality (Security)

You need to ensure that you have appropriate security measures in place to protect the data you store electronically, on external devices, in cloud storage and, in hard-copy format. Read more on this principle.

Accountability

You need to be accountable for the way you handle the personal details you hold and use. You must also need to provide all the relevant documentation to prove your compliance with legislation. Read more on this principle. The documentation you provide around your compliance with GDPR will not only ensure that you are compliant and that all your data is stored safely, but it will also build trust within, and outside of, your organisation. Further reading, useful information and, guidance about data privacy and GDPR:

General Data Protection Regulation: A Guide for Charities – https://cfg.org.uk/resources/gdprguide
Data protection: privacy notice model documents – https://www.gov.uk/government/publications/data-protection-and-privacy-privacy-notices
Data Protection & GDPR: Five Things for Trustees to Know – https://blogs.ncvo.org.uk/2017/11/24/data-protection-and-gdpr-five-things-for-trustees-to-know/
How to Comply with GDPR – https://www.ncvo.org.uk/help-and-guidance/digital-technology/data-protection-and-cybersecurity/gdpr-data-protection-law-brexit-and-how-keep-top-your-responsibilities/