Data processing for community groups and charities
Whatever size your organisation is you are bound to hold some personal data information – this could be contact details of committee members or trustees, your volunteer team or your beneficiaries and service users.
If you do then you need to ensure that you are processing (i.e collecting, using and storing) that data in line with data protection obligations.
There are three elements that need to be in place
- Data Protection Policy
- Data Audit
- Privacy notice
If you have all three of these elements and they are kept current and up to date you will likely be fulfilling your obligations.
Data Protection Policy
This is the high-level document that outlines the principles of data protection that you are committed to. This should include
- Recognition of your commitment to the Data Protection Principles
- Recognition of the Individual Rights and processes for implementing them
- Information on your named person
- Information on where/how to complain
If you need help developing a policy please talk to our Chatbot for guidance.
Data Protection audits
Complementing your Data Protection policy should be a Data Audit to identify what data you hold. This should include
- Whether data is categorised as personal data or a special category of personal data.
- What you Lawful basis (and additional reasons) for processing data is
- Why you hold the data and how it will be used
- Who can access it
- How it is stored
- Any third party who may process is and how you can confirm they have appropriate security in place
- How long data is retained.
Undertaking this activity will help you understand if you are compliant and help fill any gaps in relation to storage and retention.
A sample template is provided here.
Privacy notice
A key feature of data protection is being transparent with those people whose data you hold (data subjects). The recommended way of doing this is through a privacy notice.
This needs to be:
- Clear and accessible
- Provide details on how to get in touch
- Provide information on individuals rights
- Available wherever personal data is collected
- Give information on how to withdraw consent (if appropriate)
- Provide details on how to complain
If you have a lot of different types of data or data subjects you may want to have clear information for them all. Consider literacy, digital literacy, language.
Consider the below questions:
- Where and how will you collect data?
- What information will be collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- How will be stored?
- How long will it be stored?
- Who can access it?
Our Chatbot can help you to draft something suitable to your audience.
Did you find this useful?
Next Topic: Lawful Basis