GDPR: I’ll show you mine if you show me yours….

August 16, 2018

Hands up if you’re so happy with your body image that you’d be willing to post a nude selfie on social media? I doubt there will be many takers! The idea of laying ourselves bare for all to see and judge makes us feel vulnerable. Yet a similar reaction is provoked if asked: are you GDPR compliant? GDPR - the new EU data protection legislation, has wrought fear and anxiety among many organisations - from small charities to large multinational companies. At DataKind, we have shared that trepidation. But this has been outweighed by our commitment to ensuring the personal data we collect is legally and ethically used. So we’ve decided to cast aside some of our worries (What if my GDPR doesn’t look like everyone else’s? What if there is something wrong with my GDPR!) and share how DataKind UK and DataKind HQ has implemented GDPR. We hope it will help more of you to reveal yourselves!

 

  1. What is GDPR?

Through the GDPR, the EU aims to strengthen the rights of its citizens concerning the data that is held on them. While we welcome the spirit of GDPR and the increased transparency and security it should bring, there has been an awful lot of conflicting information about what it is, and what it means. The GDPR ‘certified’ (by whom?) consultant industry that has sprung up has often not proved particularly helpful in answering our questions.

So how did we did we get GDPR ready? First, we set up a book club. and read the original text of the GDPR. Yes, that’s right, our volunteer data scientists read hundreds of pages of legal text, written in the unfamiliar language of legalese and turned this potential snoozefest into a fun get-together, garnering interest from national media.

We now had a good understanding of what the GDPR was. Led by our heroic volunteers, Stef and Gianfranco, with the rest of our volunteer team who lead on programme development, we kicked off a 10 month project to get DataKind UK GDPR-ready.

 

  1. What personal data do we process?

GDPR only applies to personal data. That means information relating to living individuals which would allow them to be identified, either directly e.g. by their name or indirectly e.g. by combining significant characteristics such as date of birth and place of residence. In addition, there are special categories of personal data which require additional protection, such as ethnicity and sexual life or orientation.

To implement GDPR, it was essential to map out what personal data we process- i.e. collect, use, store, share and delete. In our case that means the personal data we hold on volunteers, but also the personal data we process when working with charity partners on data analytics projects. We undertook a thorough audit of all the personal data we held on partner organisations, volunteers and staff, and the myriad journeys that information makes through the systems and platforms we use every day. We then completed the ICO’s template for documenting our processes which required us to state the legal basis for collecting the data and how we used it and kept it secure.

 

  1. Were our tools and systems for collecting data GDPR compliant?

As a small charity, we make use of generally free, well-known digital tools to process data. Being honest, we largely took for granted how compliant they were to the previous Data Protection Act but GDPR made us take a serious look at the terms and conditions of the tools that we had signed up to. Some were great, clearly noting that they were GDPR compliant and having simple to understand terms which backed up their claims. Others were not so great, for example, when testing one tool - it only allowed us to delete profile information about a subject, but not discussions the subject has posted! We’re still working on how to ensure we can comply with all subject access requests when using third party tools. Clearly, some providers still need to make changes for GDPR.

 

  1. Embedding lawful, fair and transparent data processing

Our core purpose is to work with the data of social purpose organisations and we take a ‘privacy by design’ focus. For the majority of our projects, we use anonymised or pseudonymised data, or work with organisations to help them anonymise their data before we receive it. To help our charity partners with GDPR compliance we have documented our advice on how to do this. However for some types of data, especially free text data, it can be difficult to fully anonymise, so we have put in place procedures for volunteers to check with partners whether we can process that personal data and made sure we can act as a data processor when need be.

Internal to DataKind, we process personal data on our volunteers, paid staff and partners who we provide a service to. We needed to ensure we tell people what we do with their data and why in a clear and accessible way. We revised our privacy policy so that anyone signing up to be involved with DataKind via our website can understand what we do with their data, and agrees that our data processing is fair. To ensure people don’t bypass our policy and just tick agree, we changed our form so that you have to scroll through the whole policy and tick to approve it before you can sign up. We have a dedicated email address for people to ask questions or request the data that DataKind holds on them.

We have also worked on embedding GDPR within our organisation. We have updated our data management handbook and reviewed permissions on all folders to ensure only people who needed access to personal data were permitted use. We also redefined the data relationship between us at DataKind UK and DataKind HQ. Although DataKind UK is an independent UK registered charity, we are a chapter of the US-based DataKind HQ and we do share data about our volunteers and the charity partners we work with who sign up through our shared website.

 

  1. Work in progress

We have come a long way in our journey to be GDPR compliant, but there are still areas we need to work on so that data protection comes naturally to everyone who works at DataKind UK. We are working on implementing staff training, and ensuring that policies are easily accessible through a ‘mini website’ for all volunteers so they can be consulted regularly. Although May 25th 2018 was the deadline all organisations were working towards to be GDPR compliant, we know that compliance goes beyond that date, and we will need to revisit and refresh our work and procedures.

 

We’ve shown ours!

Implementing GDPR has required a lot of internal discussions and time to figure out what our approach should be. At times it has felt like a never-ending chore, but our focus has always been to act fairly and legally with people’s personal data. It is a big responsibility, and so we’re committed to making sure we do it right. We will be continuously learning and adjusting as we hear how the spirit of this new regulation translates into real world practices. At DataKind UK we think it will be a lot easier to do if we all join the discussion, share what we’ve learned, and help each other along the way. So there you go - we’ve shown you ours. We’d love to see yours!