It’s nearly one whole year since GDPR came into force, shortly followed by the Data Protection Act 2018, and things seem to have calmed down after the flurry of enquiries SCVO received in the weeks leading up to 25th May last year. But, to be honest, I’m a bit concerned: surely everyone is still on their Data Protection ‘journey’?
So, what have we been doing here at SCVO? Well, I took on the role of Information Assurance Officer in June 2018 so all of our Data Audits had already been undertaken. First things first, I reviewed all of these to get myself up to speed and to chase any outstanding action points highlighted on the audits – planning the journey, if you like!
SCVO is a large organisation with staff based across Scotland; there are differences across departments and offices, and a myriad of projects and programmes. The most difficult part of this role so far has been getting to grips with what everyone is doing and all the different requirements of funders – the junctions on our journey! But it’s also been the best part too, getting out to meet colleagues and trying to come up with practical solutions, such as a retention policy that covers everything (an ongoing piece of work!).
There was a brief outline included in our Data Protection policy about what to do in the case of a suspected data breach or subject access requests, but I felt that words sitting in a policy don’t really get the message across. With the help of our communications team, we produced two very short animations which illustrate the process and these have been well received (‘signposts’ on our journey).
As well as getting buy-in from all staff, Data Protection needs to come from the top down. I’m still struggling with getting people (some, not all) to think about DP at the start of a new piece of work (also known as ‘data protection by design and default’), but people are getting in touch more to ask questions, which I have encouraged from the beginning of taking on this role.
Just because the legislation is now in place doesn’t mean you can rest on your laurels; in the words of Elizabeth Denham (the Information Commissioner), “compliance is a journey”. I’m afraid it’s not always an entirely straight path, but here at SCVO we’re encouraging an open culture and everyone is responsible for keeping personal data safe – I sometimes see myself as the bus conductor on the SCVO Data Protection journey!
If you need some help with your journey, we’ve got a great Data Protection course coming up. The trainer explains things in plain language and has loads of great examples from our sector. All SCVO events can be found on our website.
- GDPR: Subject access requests and direct marketing for charities – 25th June, Edinburgh