As we enter the year of reckoning for GDPR, there is a lot of concern, and increasing frustration, aired in the charity sector via press and social media around the arrival of scaremongering ‘experts’.
These characters are portrayed as having little knowledge of the sector, but are not shy in sowing FUD — Fear, Uncertainty and Doubt — around charities’ data practices and issuing orders for these to stop, full stop, come May 25th.
Charities are certainly in the front line for some of the trickier aspects of GDPR specifically, and Data Governance in general. They handle often very sensitive, “special category” personal data, and much of their most important work is delivered not by employees, but by citizen volunteers.
One specific concern voiced in last week’s Third Sector is charities are receiving and acting on advice from such experts that they can’t store data on former volunteers under GDPR.
In truth, volunteer data is no different from personal information held by charities about any other type of individual, be it donors, trustees or general contacts. They all have a right to be informed you wish to obtain their details, why and where you are keeping them, and have an opportunity to withdraw consent.
To give these experts benefit of the doubt, their attitude may stem from the fact the GDPR is a legal instrument, and interpretation and guidance concerning its implications originated from the legal world, with its inbuilt ‘binary’ approach to risk.
In the field of charity activity, risk is a much more contextual, holistic concept, and this is very much how the regulator (ICO) approaches their task of raising awareness and enforcing both current and forthcoming regulations.
Irrespective of need to comply with GDPR, it can only be a good thing for charities to examine their volunteers as a vital stakeholder group, and ask some basic questions:
· What does a current volunteer sign in terms of paperwork?
· Where is this information held and for how long?
· Does this process cater for existing legislation such as the Data Protection Act 1998 & PECR (2003)
Tools and support for this exercise can be found (for free) as part of the materials the ICO provides on its website, which along with its blog is an excellent, growing resource.
From this platform, GDPR becomes an opportunity to contact your database of volunteers and find out if they’re happy to remain on there, and to re-engage. Sure, some of those contacts will be dead ends, some of them will say ‘no way’, and it’s likely your store of data will end up smaller.
But done right, you will end up with a cleaner list of more engaged current and would-be volunteers. Having a process whereby new volunteers give their consent in an informed way at point of signup shouldn’t be a headache either.
25th May 2018 is an opportunity for charities, not-for-profits and similar organisations to show they are serious about collecting, storing and using data in a responsible way, from a position of public trust. Scaremongers need not apply to join this ongoing journey…