
What is ‘personal data’ and how can you protect it?


Any organisation that deals with people, whether they are customers, supporters, donors or even employees, handles personal data that, under the GDPR, must be protected.

But what exactly does the term ‘personal data’ cover?

It’s more than just a name and address. Personal data is information that relates to an identified or identifiable individual. This could be as simple as a name or a number but could also include other identifiers such as an IP address or a cookie ID.

In a business context, for example, personal identifiers often include (but are not limited to):

  • Name and address

  • Mobile phone number

  • Landline number

  • Email address

  • Customer number

  • Transaction ID

  • Cookie ID

Essentially, if it is possible to identify an individual directly from the information you are processing, that information is personal data. But even where a single item does not identify someone on its own, a transaction ID or cookie ID for example, you still need to consider whether the individual can be identified indirectly, by combining it with other data that you or a third party hold.

And remember that personal data changes over time, so it is important to keep on top of it. An individual may have several phone numbers, email addresses or cookie IDs at the same time, and may change any of them.

So, how to protect all this?

The GDPR does not prescribe specific security controls. Article 32 requires organisations to take ‘appropriate technical and organisational measures’ proportionate to the risk when processing personal data, and names examples such as pseudonymisation and encryption. In practice this means you must have adequate security and safeguards in place to prevent personal data being compromised, whether accidentally or deliberately.

Here are some tips:

1)   First, know what data you hold and where. Make sure it is accessible to those who actually need it, and restrict access to everyone else. Remember that personal data may be sitting in an email or an Excel spreadsheet, not just in a database.

2)   Have a very clear and accessible privacy policy in which you are transparent with customers and supporters about what you want to do with their data.

3)   Be clear and open when seeking consent to use their data, and make it as easy to withdraw consent later as it was to give it.

4)   Staff need to be fully trained on your data protection and privacy procedures, and to follow them.

5)   When collecting data, only gather what you need, and don’t keep it for any longer than you need to, as this also helps to minimise risk.

6)   On the more technical side, if you're taking payments, ensure those payments are authenticated and that you're PCI DSS compliant.

7)   Protect your computers with antivirus software, use spam filters and apply software updates promptly.
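Tip 1 is the one that most often goes undone, because nobody knows which mailboxes, spreadsheets and logs actually contain identifiers from the list above. The script below is an added illustration of a first pass at that inventory; it is not code from this article or its author. It scans a handful of constructed sample "files" (an email, a CSV export and a web log, all invented for the example) for the identifier types named on this page, builds a file-to-identifier inventory, and inverts it so you can answer "where does this person's data live?" for a subject access or erasure request. The regular expressions, file names and sample values are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample inputs for this example (not real data): an email, a
# spreadsheet export and a web server log, each holding different identifiers.
SAMPLE_FILES = {
    "inbox/renewal.eml": (
        "From: jane.doe@example.org\n"
        "Hi, my new mobile is 07700 900123, old landline was 020 7946 0123.\n"
    ),
    "exports/supporters.csv": (
        "customer_number,name,email\n"
        "C-100234,J Doe,jane.doe@example.org\n"
        "C-100235,A Smith,a.smith@example.com\n"
    ),
    "logs/web.log": (
        '198.51.100.23 - - [10/Oct/2023:13:55:36] "GET /donate" cookie=sid=8f3a9c2b1d\n'
    ),
}

# Identifier types from the article, as illustrative patterns. The customer
# number and cookie formats are assumed for this example; real ones vary.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK-style numbers: leading 0, optional spaces between groups.
    "uk_phone": re.compile(r"\b0\d{2,4}\s?\d{3,4}\s?\d{3,4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "customer_number": re.compile(r"\bC-\d{6}\b"),
    # Capture only the session value, not the "sid=" prefix.
    "cookie_id": re.compile(r"\bsid=([0-9a-f]{8,})\b"),
}


def scan_text(text):
    """Return {category: sorted list of distinct identifiers found in text}."""
    found = defaultdict(set)
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            # Use the capture group when the pattern has one, else the whole match.
            found[category].add(m.group(1) if m.groups() else m.group(0))
    return {k: sorted(v) for k, v in found.items()}


def build_inventory(files):
    """Map each file path to the identifier categories it contains.

    Files where nothing is found are omitted, so the result is the list of
    locations that need access controls, retention rules and backup handling.
    """
    inventory = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            inventory[path] = hits
    return inventory


def identifier_locations(inventory):
    """Invert the inventory: identifier -> sorted list of files it appears in.

    This is the view needed for a subject access or erasure request: given
    one email address, which mailboxes and exports must be searched?
    """
    where = defaultdict(set)
    for path, hits in inventory.items():
        for values in hits.values():
            for value in values:
                where[value].add(path)
    return {value: sorted(paths) for value, paths in where.items()}


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FILES)
    for path, hits in inventory.items():
        print(path)
        for category, values in hits.items():
            print(f"  {category}: {', '.join(values)}")
    print(identifier_locations(inventory)["jane.doe@example.org"])
```

Pattern matching like this finds structured identifiers (emails, phone numbers, IP addresses) reliably but will miss names and any customer or transaction ID whose format you have not encoded, so treat the output as a starting point for the inventory rather than proof that a location is clean. Run it against real shares and mailboxes only with the access you already hold, and keep the resulting inventory itself locked down: it is a map of exactly where your personal data lives.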

Putting these safeguards in place will go a long way towards reducing the risk of a data breach, and will also help with other aspects of GDPR compliance, such as responding to subject access requests and opt-out requests.

For more help and advice on any aspect of this, contact Suzanne on




Stuart Townsend