Data Protection & GDPR
The General Data Protection Regulation (GDPR) is the law on data protection. It sets out a range of safeguards for how personal data is collected, stored and used.
Organisations and groups must handle personal information in a way that complies with GDPR. Their information systems should protect the privacy of sensitive information about the charity or group and about its beneficiaries. It is a legal requirement for organisations to document their processes relating to GDPR, so that they can show what data they hold, why they hold it and how it is protected. Under the current legislation individuals have more control over their data and how it is used.
GDPR legislation applies to 3 main types of data:
Personal data
Any information relating to an identifiable person (e.g. name, email address, phone number and location data, including online identifiers such as IP address)
It also covers pseudonymised data (where identifying details are replaced by a code or key) as long as the person can still be re-identified, for example because the code is easy to break or the key is held separately
Special category data
Sensitive personal data (e.g. racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, health, sex life or sexual orientation)
Genetic and biometric data
Criminal offence data
Criminal convictions and offences
GDPR legislation also lays out 7 data protection principles that cover organisations' responsibilities when handling data:
Lawfulness, fairness and transparency (have a lawful basis for processing, and be open with people about what you do with their data)
Purpose limitation (data is collected for specified, legitimate purposes and is not processed beyond them)
Data minimisation (collect only the data that is necessary for the purpose)
Accuracy (data is accurate and kept up to date)
Storage limitation (data is kept in an identifiable form only for as long as necessary for the purposes of processing)
Integrity and confidentiality (protect data against unlawful or unauthorised processing and against accidental loss, destruction or damage)
Accountability (comply with UK GDPR and be able to demonstrate your compliance)
When it comes to organisations holding data on individuals, UK GDPR gives individuals 8 rights:
Right to be informed
Right of access
Right to rectification
Right to erasure (the right to be forgotten)
Right to restrict processing
Right to data portability
Right to object
Rights in relation to automated decision making and profiling
Key points
Organisations and groups must comply with legislation relating to personal information
Breaching GDPR has serious consequences, including enforcement action and fines from the regulator, as well as harm to the people whose data is affected and to the organisation's reputation