The new data protection law, the General Data Protection Regulation (GDPR), comes into effect in May in the EU and UK.
It will affect not only financial and health services but also many charities and, in fact, just about any company that holds customer data on its systems. It is extensive, but it is also useful and serviceable. Some companies, however, may find it a little daunting.

The first thing to remember is that the aim of GDPR is to protect customers from any privacy or data breaches and to enable them to be in control of their own information. The new regulations have been designed to harmonise data privacy laws across the EU, and they include the UK. So now is the time to look at and reorganise your databases and implement any new processes you need, both to ensure the data you hold is stored correctly and in accordance with the regulations and to avoid any fines.

It makes sense to review the personal data you hold, where it came from and who you share it with.  You need to cover the rights of customers by checking your procedures are up to date with the new regulations.  Under the new rules you are required to maintain records of your processing activities.

Privacy notices should also be reviewed. GDPR makes privacy by design an express legal requirement, under the term "data protection by design and by default". It also makes PIAs (Privacy Impact Assessments), referred to as data protection impact assessments or DPIAs, mandatory in certain circumstances. A DPIA is required in situations where data processing is likely to result in high risk to individuals.

Consent is also covered under GDPR, which includes special protection for children’s personal data. It would be sensible to review how you record and manage consent going forward, and indeed your existing consents. If existing consents do not meet the new standards set out in GDPR, you will have to refresh them. You will also, more than likely, have to make changes to your marketing strategies.

Review your data processing by identifying the lawful basis for your processing activity in GDPR, documenting it and updating your privacy notice to explain it. Also make sure you have the right procedures in place to detect, report and investigate a personal data breach.

Look at your CRM system or any software to ensure it is effective and able to deliver GDPR compliance prior to the May deadline. Is it already enabled to deliver, or will new features need to be added? If so, how will the new processes work in action?

Will it enable you to manage the use of personal information for all the different purposes you require? Does it record proof of consent? Will they be automated? Are they easy to use and is there an effective support system in place?

If your system provider isn’t confident in their ability to deliver, you may want to start looking into a new system that will ensure the protection of your donors and their data.

Your CRM software should be able to take most of the compliance burden off your shoulders. You just need to be sure your provider has complete and adequate features in place to help it do so.