efa skillshare - jitty van doodewaerd

Post on 29-Jan-2018

39 Views

Category:

Presentations & Public Speaking

0 Downloads

Preview:

Click to see full reader

TRANSCRIPT

EFA Skillshare

GDPR and Fundraising

Jitty van Doodewaerd – DMCC Nederland B.V.

© 20171

New obligations under the GDPR

In 5 questions- What data do you collect- Is this documented- Who’s responsible- Are you transparant about your collection- Do you ever delete data

But first:

Some privacy basics

Today’s program

2 www.dmcc.nl

What personal data do you collect?

© 20173

Personal data

4 www.dmcc.nl

Privacy = processing of personal data

• Processing• Personal data

Personal data (Art 1 GDPR): any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data (Art. 9/ 10 GDPR): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, data relating to criminal convictions and offences.

Personal data

5 www.dmcc.nl

Personal data

6 www.dmcc.nl

Personal data

7 www.dmcc.nl

Personal data

8 www.dmcc.nl

Where point (a) of Article 6(1) applies, inrelation to the offer of information societyservices directly to a child, the processing ofthe personal data of a child shall be lawfulwhere the child is at least 16 years old.Where the child is below the age of 16years, such processing shall be lawful only ifand to the extent that consent is given orauthorised by the holder of parentalresponsibility over the child.

Member States may provide by law for alower age for those purposes provided thatsuch lower age is not below 13 years.

Is your processing documented?

© 20179

Register of processings

10 www.dmcc.nl

1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:a. the name and contact details of the controller and, where applicable, the joint

controller, the controller's representative and the data protection officer;b. the purposes of the processing;c. a description of the categories of data subjects and of the categories of personal

data;d. the categories of recipients to whom the personal data have been or will be

disclosed including recipients in third countries or international organisations;e. where applicable, transfers of personal data to a third country or an international

organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

f. where possible, the envisaged time limits for erasure of the different categories of data;

g. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Data mapping

11 www.dmcc.nl

Fundraising

➢Donor administration

➢Volunteer administration

➢Collection

➢Petitions

➢Patient association

➢Patient/ member travels

➢Website(s) en action pages

➢News letter registrars

➢Legacies

➢Major donors

➢affiliates

➢Social media

➢Cookies

➢Analytics

Projects

➢ Project management

➢ Investments

➢ Investee/ Investor due

dilligence

HRM

➢Personell administration

➢Payroll

➢Social security

➢Learning management

➢Time and attendance

Finance

➢ Creditors

➢ Debtors

➢ Beneficiaries

➢ Billing

➢ Reporting

12

Donor Ex donor participant Prospect Site visitor Beschikbaarheid Vertrouwelijkheid

Adress detaiils X X X X

E-mail X X X X

Gender X X X X

Data of birth X X

Contact and order history X X X X

Data regarding payments,

transactions etc

X X X X x

Financial data X X X

Derived financial data X X X

Lifestyle characteristics, prifile

information

X X

Special categories of data

Data mapping

13

Partij 1 Partij 1

Partij 1

Intern beheerd Partij 2

Externally managed

Partij 1

Partij 2

Partij 3

Inernally managed Externaly managed

Internally managed

Retention

Data analyses

Customer

(data warehouse)

Customer

database

Online accounts

Single Customer View

(selection tool)

(database marketing en

sales trial and ex-

subscribers)

e-mail tool sales

and marketing

Blacklistopt-out requests

(automated

dialer)

websites/

landing pages Data

enrichment and validation

Telemarketing

E-mail Direct mail

(field marketing

tool) Direct sales

Data mapping

14

Data mapping

Who’s responsible? (governance structure)

© 201715

DPA (Art. 28 GDPR)

Governance

16 www.dmcc.nl

Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:a. operates under clear instructionsb. ensures confidentiallity;c. takes appropriate security measuresd. will inform about any sub processorse. helps the controller respond to requests from data subjectsf. assists the controller in ensuring complianceg. at the choice of the controller, deletes or returns all the personal data to the

controller after the end of the provision of services relating to processingh. makes available to the controller all information necessary to demonstrate

compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

DPO (Art 37 GDPR)

Governance

17 www.dmcc.nl

The controller and the processor shall designate a data protection officer in any case where:a. the processing is carried out by a public authority or body, except for courts acting in

their judicial capacity;b. the core activities of the controller or the processor consist of processing operations

which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

c. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

Are you transparent about your data collection?

© 201718

A. Fair and lawfull processing

Art. 6 GDPR

a) consent(= opt-in, e-mail, sms, social media and cookie data)

b) contract (gift, donor agreement, legacies)

f) legitimate interest (profiling, direct mail etc.)

Direct Marketing is een gerechtvaardigd ondernemersbelang

Lawfull processing

B) In a transparant manner

Art 12, 13 and 14 GDPR

Information relating to processing to the data subject in a concise, transparent, intelligible

and easily accessible form, using clear and plain language about:

1) Identity

2)Purpose

3) category of data

4) rights

5) third parties

Direct Marketing is een gerechtvaardigd ondernemersbelang

Transparancy

Privacy statement

Direct Marketing is een gerechtvaardigd ondernemersbelang

Transparancy

Direct Marketing is een gerechtvaardigd ondernemersbelang

Transparancy

Direct Marketing is een gerechtvaardigd ondernemersbelang

Transparancy

At te time of collection

Direct Marketing is een gerechtvaardigd ondernemersbelang

Transparancy

Direct Marketing is een gerechtvaardigd ondernemersbelang

Transparancy

Direct Marketing is een gerechtvaardigd ondernemersbelang

Transparancy

Art 4 GDPR

(8) ‘the data subject’s consent’ means any freely-given, specific and informed (…) indication

of his or her wishes by which the data subject, either by a statement or by a clear

affirmative action, signifies agreement to personal data relating to them being

processed;

is een gerechtvaardigd ondernemersbelang

Consent

Art 7 GDPR

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

is een gerechtvaardigd ondernemersbelang

Consent

Freely given

The freedom to say ‘no’to the transaction without it significantly affecting you or produce a legal effect

is een gerechtvaardigd ondernemersbelang

Consent

Specific

Third parties, advertisers etc?

is een gerechtvaardigd ondernemersbelang

Consent

Informed?

is een gerechtvaardigd ondernemersbelang

Consent

is een gerechtvaardigd ondernemersbelang

Consent

is een gerechtvaardigd ondernemersbelang

Consent

Consent

35

When

• In effect since 2016

• Implemented by you in May 2018

Positive elements

• Instrument of a regulation

• Transparency obligations

• Fundraising is recognised as a legtimate purpose

Consent

Do you ever delete data?

© 201736

37

• Use of data limited to as long as necessary for purpose of collection

• De-activating is not enough

• Adequate data retention periods?

Data retention

Jitty van Doodewaerd (+31 (0)625516373)

DMCC Netherlands B.V.

38

Telefoon : +31 (0)88-7779311E-mail: info@dmcc.nlWebsite: www.dmcc.nl

top related