A last minute GDPR checklist for charities – infographic

Still working out what to prioritise for GDPR compliance? Our last minute GDPR checklist for charities has you covered, outlining the key steps to take and the main ICO resources to refer to.

Chloe Green | 10th May 18
[Image: person writing a checklist. Credit: Glenn Carstens Peters, Unsplash]

With only a few weeks to go until GDPR (General Data Protection Regulation) implementation day, there’s still time to get the ball rolling if you haven’t done so already. But many organisations are still scrambling to work out what to prioritise to stay compliant. The full text of GDPR contains 99 articles running to over 200 pages, and it can be a challenge cutting through the noise to identify the practical steps to take.

Don’t panic – our quick guide to GDPR for charities below outlines five steps to GDPR-readiness.

Text of the infographic 'A last minute GDPR checklist for charities':

Wondering what to prioritise? It's not too late to get GDPR-ready. We've simplified the journey to data compliance with these five hands-on steps to applying GDPR within your organisation. Links to relevant resources and information from the ICO are at the bottom of this graphic.

1. Awareness

The primary step in any compliance project should be to ensure that senior decision makers in your organisation are aware of the impact it is likely to have, are able to help overcome any problem areas, and can sign off any needed budget. You will also need to educate staff and volunteers so that everyone is on board with the changes.

- Hire or become a GDPR 'expert'. Read up on the ICO's guidance for charities and know your responsibilities.
- Look at your charity's risk register and identify areas that could cause problems.
- Identify trustees or senior management who are already on board with GDPR and can become advocates for others.
- Highlight examples of charities that have fallen foul of data regulation. For example, in 2017 the ICO fined a number of charities for breaching the Data Protection Act, the largest fine of £18,000 going to the International Fund for Animal Welfare (IFAW). Under GDPR, the charity would face a fine of up to £17 million or 4% of its annual turnover.
- Create an employee awareness campaign around how staff store and handle personal information (the ICO provides free materials).

2. Gap analysis

In order to know how to protect your data, you first need a complete picture of it and of your processing activities. Data mapping, or conducting a 'gap analysis', will help you see how the regulation applies to your organisation and identify any areas that need investigation or improvement.

- Organise an information audit of your organisation, and of individual departments and activity areas.
- Document all the personal data you hold, where it came from and who you will share it with.
- You may wish to look at all the GDPR requirements or a selected few high-risk areas (e.g. the rights of individuals, consent, data breach processes), according to your charity's risk register.
- Identify quick wins, including cost savings from the removal of duplicate data.
- The ICO's free self-assessment toolkit is helpful for assessing your compliance and is aimed at small to medium-sized organisations.

3. Policy review

Alongside a review of your data, you will need to review the data privacy policies and procedures you have in place. You may already have policies in place under the Data Protection Act, but they will need to be refreshed for GDPR rules such as the right to be forgotten and data portability.

- Review your current privacy statement in light of GDPR: there are a number of additional things you will need to tell people, such as your lawful basis for processing their data, your data retention periods and their right to complain to the ICO.
- The ICO provides a free code of practice for privacy notices and for communicating to people how you will use their data.
- Your policy statements can also act as the internal authority for employees and data owners to be aware of their responsibilities.
- A good starting point is to look at charities that have already updated their privacy policies and adapt them to your own.

4. Security

Under GDPR, there is extra responsibility on you to prove that you are processing personal information securely, with appropriate measures in place to protect it. Significant data breaches need to be reported immediately to the ICO and to the individuals affected.

- Make sure you have the latest security software in place. Security and anti-virus software donations are available from Tech Trust's tt-exchange donation programme for eligible charities.
- Keep on top of any system updates and, where possible, run the latest version of any operating system, as newer versions are more likely to have the latest security patches.
- Look into measures such as how to encrypt any data you hold.
- Should the worst happen and you experience a personal data breach, make sure you have the right data breach procedures in place to detect, investigate and report it. The ICO's data security checklist offers further guidance.

5. Ongoing review

GDPR is not intended to be a quick fix: 25th May 2018 is just the beginning, not the end, of your compliance journey. You will need to continually review and improve how your charity handles personal information. After 25th May, you must be able to show that you have the foundations of accountability in place and demonstrate a willingness to work with the ICO to resolve any issues as they arise. Those who can demonstrate that appropriate systems and thinking are in place will find that the ICO takes this into account when considering any regulatory action.

- Periodically review your practices and data privacy policies.
- Keep GDPR on the agenda with trustees by keeping them abreast of the latest news on important regulatory developments, as well as of other charities that may have faced penalties or overcome issues similar to yours.