02 10 myths of gdpr charities - jersey community partnership · 2019. 1. 10. · 10 myths &...
10 Myths & Fairy Tales of GDPR
The 10 most common misperceptions that undermine Jersey charities’ GDPR observance
#1 “Our charity is based in Jersey so GDPR does not apply to us.”
SCOPE
Reality
• Jersey has incorporated the GDPR into local laws
• Required to protect personal data of Jersey data subjects in accordance with local law
• If you offer goods or services to EU data subjects or monitor their behaviour, you need to comply with the GDPR for that data
Rapunzel: Geographical boundaries are no obstacle to your obligations!
#2 “We’ve got consent to send our fundraising emails so we don’t need to do anything else.”
SCOPE
Reality
• GDPR covers all personal data your charity holds, not just information on your donors
• Charities often hold particularly sensitive data on their beneficiaries, which needs additional protection
• Consent is not the only lawful reason why you may process data
Bigfoot: Don’t forget about your hidden data subjects amongst your volunteers, beneficiaries and trustees
#3 “I read that the GDPR did away with the requirement to register as a data controller so that’s one thing off my list.”
SCOPE
Reality
• Jersey retained the obligation to register with the OIC
• UK ICO also has a requirement to pay a fee - £40 for charities
• Check obligations in other EU Member States where you process personal data
Wolf in Sheep’s Clothing: Registration obligations are not as innocent as they appear
#4 “Our charity only retains personal data in hard copy - not digital data. This means we are not required to meet GDPR obligations.”
DATA
Reality
• Focus has been on emailing and large scale data breaches
• GDPR covers all forms of personal data – including paper based records if they form part of a filing system
• So that file of business cards in your desk drawer is caught!
Merlin: Your charity may still be paper-based, but your filing cabinets are just as dangerous as digital records
#5 “All of our suppliers are certified GDPR compliant so we don’t need to look at our contracts with them.”
DATA
Reality
• There is no such thing as “certified GDPR compliant”
• The charity is ultimately responsible for the actions of any third party it passes personal data to
• Make sure you do your due diligence and review your contracts
• If the supplier is outside the EEA, make sure you have an appropriate mechanism to transfer data to them
Bridge Troll: Poorly chosen third party suppliers are a hidden threat to your business
#6 “We got someone to write us a privacy notice so we’re covered for GDPR compliance.”
DATA
Reality
• Privacy Notice should reflect what your charity actually does with personal data
• Essential that someone in your organisation knows what data you collect and what you do with it
• How can you protect it if you don’t know where it is and who has it?
• Don’t forget about notices for all of your data subjects, not just donors
Odysseus and the Cyclops: Don’t be blind to what you do with personal data
#7 “Our charity completed our GDPR project back in May so we’re GDPR compliant.”
COMPLIANCE
Reality
• GDPR compliance is never ending!
• Policies and procedures may be drafted but you must ensure ongoing adherence
• Charities’ use of data is constantly fluctuating
• Data breaches and subject requests could happen at any time
Pinocchio: Don’t lie to yourself! “GDPR compliance” is a fairy tale – keep a close eye on your ongoing obligations
#8 “We have deployed comprehensive cybersecurity technology and sophisticated encryption measures. We are confident we won’t have a data breach or leak, so GDPR simply isn’t an issue.”
COMPLIANCE
Reality
• Data security is just one element of GDPR compliance
• GDPR is about understanding what you do with personal data and whether you have a right to do that
• No point building walls around data you are not entitled to have
Cerberus: Your data may be protected, but it’s not the end of the GDPR story
#9 “We’ve done the paperwork on GDPR so we won’t have a problem if we ever get audited.”
COMPLIANCE
Reality
• Paperwork is important but it’s not the be all and end all
• Educate your teams on your procedures
• Breaches are far more likely to originate from a volunteer or worker accidentally leaking data or not being aware of requirements
• Have infrastructure to back up your paperwork
Medusa: Don’t turn to stone staring at the danger in front of you – breaches are more likely to occur from innocuous sources
#10 “Our charity is too small to ever be caught or fined under GDPR.”
PENALTIES
Reality
• The ICO in the UK fined 11 charities a total of £138,000 last year and carried out a specific review of charities in September this year, so charities are far from exempt.
• No minimum amount of data before which GDPR applies
• OIC looking at charities’ awareness of obligations and intention to comply, not just how many people are affected
Thumbelina: Even the smallest charities can be investigated and fined
Questions?