Everyone who works with data needs to know about data security and should at least understand the basics of GDPR. Which is why we’re giving you a brief outline here.
GDPR has seven main principles:
- Lawfulness, fairness and transparency,
- Purpose limitation,
- Data minimisation,
- Accuracy,
- Storage limitation,
- Integrity and confidentiality (security), and
- Accountability.
Individuals must be fully aware of how you will use their details in relation to these principles, and they need to know right from the start, before you collect their personal information.
Each principle is fully explained in the Guide to the General Data Protection Regulation (GDPR) from the Information Commissioner’s Office (ICO).
Lawfulness, Fairness and Transparency
You are only allowed to use the data you collect and hold in line with the GDPR legislation and use it fairly; not in a way that could be “unduly detrimental, unexpected or misleading to the individuals concerned.”
You need to be transparent about the data you collect, use and store.
This information must be easily accessible and written in plain English that is easy to understand.
Purpose Limitation
The way you use people’s personal details, and why you’re using them, need to be clear and documented. If you’re going to use them for a new purpose, you need to get consent.
Data Minimisation
You should only collect the data you need for your stated purpose, and no more than you need.
Accuracy
You must always ensure that the information you hold is correct and up to date.
Storage Limitation
You’re only allowed to keep personal details for as long as you need them for your stated purpose, and no longer. You must also include a “Data Retention Policy”, setting out standard retention periods, in your documentation.
Integrity and Confidentiality (Security)
You need to ensure that you have appropriate security measures in place to protect the data you store electronically, on external devices, in cloud storage and in hard-copy format.
Accountability
You need to be accountable for the way you handle the personal details you hold and use. You must also be able to provide all the relevant documentation to prove your compliance with the legislation.
The documentation you provide around your compliance with GDPR will not only ensure that you are compliant and that all your data is stored safely, but it will also build trust within, and outside of, your organisation.
Further reading, useful information and guidance about data privacy and GDPR:
- General Data Protection Regulation: A Guide for Charities – https://cfg.org.uk/GDPRGuide
- Data protection: privacy notice model documents – https://www.gov.uk/government/publications/data-protection-and-privacy-privacy-notices
- Data Protection & GDPR: Five Things for Trustees to Know – https://blogs.ncvo.org.uk/2017/11/24/data-protection-and-gdpr-five-things-for-trustees-to-know/
- How to Comply with GDPR – https://knowhow.ncvo.org.uk/how-to/how-to-comply-with-gdpr#