Authors: Vicky Ling
Last updated: 2023-11-09
The five stages of GDPR
Marc Bloomfield
Vicky Ling shares her experiences of preparing for the new data protection regulation.
I’ve just spent a happy year as interim CEO of the very wonderful London Legal Support Trust (LLST). Next month marks both the coming into force of the new data protection regulation and the London Legal Walk, so now seems like a good time to share our journey towards compliance with the General Data Protection Regulation (Regulation (EU) 2016/679). When depression struck, it occurred to me that there are parallels with the five stages of grief.
1. Denial
As a fundraising charity with thousands of contacts on our database, we knew we couldn’t afford to ignore it. The Fundraising Regulator had made some useful case studies available, kindly offered by large charities, but it was daunting: they had started the previous year.
2. Anger
LLST is only a small charity; updating data protection would use resources that could have raised money for the front-line legal charities that provide free and pro bono advice. Although there was some useful material on the Fundraising Regulator and Information Commissioner’s Office (ICO) websites, it was hard to apply it to our situation. We went on courses and advice seemed to morph over time, but we just had to get over it!
3. Bargaining
LLST’s marketing and development officer and I rolled up our sleeves and started with a data audit, relying on input from our colleagues with fundraising and finance perspectives. We quickly realised we were holding data on: paid staff (and job applicants); volunteers; trustees; contacts at not-for-profit agencies interested in our work and in our Money Saving Project (which does market research on ‘best buys’ so they don’t have to); donors; supporters; participants in fundraising events; sponsors; suppliers; and third parties. If you are running a legal practice, you might not have such a long list, but, of course, you will also have client data.
We knew we needed a lawful basis on which to hold data: consent; necessity in anticipation of, or to perform, a contract; legal obligation; protection of vital interests; the public interest; or legitimate interest. We got quite excited about legitimate interest. We hoped we could justify sending ‘cold call’ emails to people in the legal world on the basis that their colleagues were interested in participating in events to raise money for good causes and maybe they would be too – but then we found out about the Privacy and Electronic Communications (EC Directive) Regulations 2003 SI No 2426. They permit cold telephone calls in principle but ban unsolicited emails. We resigned ourselves to a campaign of getting consent from as many of our existing contacts as possible. A big thank you to everyone who said ‘yes’!
We documented what data we held, what the lawful basis was, where we kept it, who used it, whom we shared it with if relevant, the privacy impact of any breach and the safeguards we had in place. These typically included staff and volunteers being trained in our data protection policies, password protection, and anonymisation (the case studies used for fundraising), as well as the obvious things like locked filing cabinets for any paper documents.
We checked whether any of our data was held outside the EU and found that lots of it was. However, all the big software companies such as Microsoft and Salesforce have clear information showing that they have a compliant EU Privacy Shield arrangement in place. We did, though, have to make individual enquiries of smaller organisations, such as our website provider.
4. Depression
This hit in February. The London Legal Walk was getting into gear: we had more teams and walkers than ever before, which was fantastic but meant there was more ‘business as usual’ and no extra resources. We still had the privacy notices to update, explaining: LLST’s contact details; the type of data and basis of processing; any transfers to non-EU countries and safeguards; how long we would keep the data; the data subject’s rights to withdraw consent; access and correct data; and how to complain to the ICO.
5. Acceptance
We kept going because it was mission-critical. It’s just a small part of all the work that goes into making the London Legal Walk such a phenomenal success. I’ve now handed over to a permanent CEO, so this year I’m walking. You can sign up here. See you on 21 May!