GDPR & Data Governance – who is responsible for your data?

In this latest post in a series discussing GDPR and charities, Andrew Cross, Data and Insights Lead at Lightful, discusses the hot topic of who is responsible for data in your organisation

Guest Writer | 10th Oct 17

In this latest post in a series discussing GDPR and charities, Andrew Cross, Data and Insights Lead at Lightful, discusses the hot topic of who is responsible for data in your organisation

The new General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. If you’ve not started yet on the road to compliance, it’s not too late. Read the first post in our GDPR series: what is GDPR and how will it affect my charity?


Who is responsible for your organisation’s data?

Ultimately everyone is responsible for your organisation’s data – including you. Having strong levels of data protection compliance doesn’t just refer to mentioning it through long legally approved policies. It should be at a more practical level with basic steps such as; ensuring that devices are password protected and that the password to access the device is strong and unique. Don’t forget that with GDPR you will need to actively demonstrate your levels of compliance.


Do we need a Data Protection Officer?

The GDPR stipulates that a Data Protection Officer is only required when one of the following conditions are met:

  • The organisation in question is a public body, such as local councils*
  • The organisation carries out large scale monitoring of individuals
  • The organisation carries out large scale processing of special categories of data or processing of any data that relates to criminal convictions or offences

* Exceptions do apply – (courts acting in their judicial capacity, for example).


What does Special Categories of Data include?

 Special categories of data refers to the processing of personal data revealing:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • The processing of genetic data (biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited.)


What does the Data Protection Officer’s role consist of?

Before we look at what the tasks a Data Protection Officer (DPO) is required to perform, it’s important to state that they must possess some professional knowledge and experience of Data Protection Law.  This is taken into proportional account with what data processing the organisation is carrying out.

What this means is that the knowledge of the DPO needs to be in areas of what the organisation processes. So, if you’re processing donations and holding data on donors from around the world then your DPO needs to know about Data Processing Agreements and clauses that are required for the potential transfer of this data to other countries – potentially out of the EU in some level of adequate detail.

In an organisation, the DPO would carry out the following tasks:

  • Issuing advice and information on how the organisation needs to comply with the Data Protection laws, including GDPR.
  • Monitoring compliance against the Data Protection Laws and GDPR and advising on the key documentation to be completed to demonstrate compliance such as the Data Privacy Impact Assessment (DPIA).
  • Act as the first point of contact for any supervisory authority, employee or ANY individual whose data is being processed, for e.g. donors, supporters and volunteers.

Our recommendation to any organisation is to appoint a DPO. This can either be someone internal or could be contracted out to an individual or organisation. There is a significant amount of work for DPO’s to undertake in any organisation, therefore, it is important that sufficient resources are provided by the organisation – both financially and in terms of time. For example, if you’re going to ask a member of staff to take on the additional responsibilities of a DPO, you must ensure that they have adequate resources to do this role and meet the requirements; whilst being able to balance the demands of their current role. Do not under-estimate how much time will be spent on data protection.

Importantly, the DPO must report to the highest level of management available at the organisation, which is usually the board of trustees. The DPO can represent multiple departments or groups within the organisational structure; though this must be in respect of the sizes of these departments.


Where can I find a Data Protection Officer or specialist?

Firstly, try to find someone in your own organisation who can be trained to fulfil this role. If that’s really not feasible then look to hire a professional or even a specialist consultant through a job site such Guardian Jobs or Third Sector jobs.


Does our Data Protection Officer need specific qualifications?

It’s not compulsory that they have a qualification, however it is advisable. If you are a medium to large charity (with an income over £5 million), we strongly recommend that your Data Protection Officer/s undertake an accreditation, such as the certified GDPR training with IT Governance. For small to medium-sized charities, we recommend doing a GDPR Foundation course as a minimum and for small charities with an income of £100,000 or less we would recommend online seminars or webinars (we’ll be running one) as well as looking to appropriate legal firms for pro bono advice.

The above article offers general advice, based on our understanding of facts and guidance issued to date by various bodies, this in no way, shape or form constitutes legal advice.