Protecting our supporters’ data
From 25 May 2018, a new data protection law called General Data Protection Regulation (GDPR) comes into force in the UK, Ireland, Channel Islands and the Isle of Man, and this new law will impact the way many of us carry out our roles.
Data protection – what are the main changes?
- Maximum fines for non-compliance with data protection regulations are rising from £500,000 to €20 million
- People will now be able to ask for compensation if they are the victim of a data breach
- People will have additional rights including the right for all personal data on them to be deleted
- We will only have 72 hours to report a data breach to the regulator
- We must be clear and open with people about how their personal data is stored and used.
What does this mean for you?
- If you process any personal data as part of your role for the RNLI you need to make sure this is carried out in line with the new GDPR rules
- Personal data includes names, email addresses, home addresses, telephone numbers, medical information and bank details. ‘Processing’ data includes collecting it, storing it, and sharing it with others
- This includes electronic personal data (for example, in emails and online systems) but also hard copies of personal data (for example, printouts or handwritten forms and letters).
What should you be doing?
- Only collecting and processing personal data that we really need
- Storing personal data securely and making sure people can only see it if they need to for their roles
- Deleting or anonymising personal data once we don’t need it any more
- Reporting data breaches or suspected data breaches within 72 hours (please see below for how to do this).
What is a data breach and how do I report one?
- A data breach means a breach of security leading to personal data being destroyed, lost, altered, disclosed or inappropriately accessed. Examples of data breaches include:
  - Sending an email containing personal data to the wrong person
  - Leaving a list of event attendee names and phone numbers in a public place
  - Sending a group email to personal email addresses and not using the bcc field
- If you think there has been a breach, send an email to our Data Protection Team (data_protection@RNLI.org.uk) with as much information as possible about what has happened.
Why is this important?
- There are consequences for the RNLI if we don’t meet the new regulations, for example large fines as well as a loss of supporter trust and damage to the reputation of our charity
- Individuals processing personal data on behalf of the RNLI can also be liable if something goes wrong. Recently a charity worker was prosecuted and fined nearly £2,000 for emailing personal data from a work email address to his own email address.
Where can you find out more or get support?
- You can contact our Data Governance Team directly if you have any concerns or want more information by emailing: firstname.lastname@example.org
- For those with access to Horizon, you can find more information there, including more detail about GDPR, as well as relevant policies, procedures and forms
- The relevant policies, procedures and forms can also be found on the Volunteer Zone.
And finally … four top tips for GDPR:
- Make sure there is no RNLI personal data on notice boards and walls (email addresses, home addresses, telephone numbers, medical information)
- Always lock your computer screen when not using it – press Ctrl, Alt, Delete to do this
- When you need to dispose of RNLI personal data, use a confidential shredder
- If you access any RNLI systems, use strong, long and unique passwords.
Thank you for helping us to make sure that we are all keeping to the new law and protecting our supporters’ data.