The high drama of recent events engulfing Facebook, Cambridge Analytica and the billions wiped off share values may seem a world away from the mundane issue of charities preparing for the General Data Protection Regulation, but the implications should concern us all.
Whether the scandal really will prove to be a watershed in how our personal data is used and abused by the giants of the tech world remains to be seen. But the very public humbling of the Information Commissioner, Elizabeth Denham, kept waiting for four critical days before she was granted a warrant to search Cambridge Analytica’s offices, is likely to see a strengthening of her powers under the Data Protection Bill, currently wending its way through Parliament.
As pertinent is the question I am frequently asked when advising on data protection, “How come I keep getting all of these unsolicited emails, adverts and calls? If my consent is required, what’s going on?”
The answers (there are two of them) are simple; Firstly, while we all strive to be on the right side of the law, doing what we must to do protect and secure data, use it lawfully and not share is with all and sundry, not everyone (shock, horror) demonstrates the same degree of integrity. Secondly, did you actually read the terms and conditions when you downloaded that app? You quite possible did agree to calls from double glazing companies, or at least gave someone, somewhere, enough of a license to use your data for them to argue that you did agree.
Facebook’s own radio silence for two days this week was quite probably in part due to the time it took their own lawyers to pore through their privacy policies, which run to tens of thousands of words - coincidentally, the length of George Orwell’s dystopian novel about the control of information and freedom of thought, ‘1984’.
So, what does this have to do with you apart from, perhaps, your and your charity’s own use of Facebook?
Well, GDPR requires organisations to explain clearly and in plain English what they do with people’s personal data. More specifically, your legal basis for ‘processing’ it, what you do with it, for how long you will keep it and each individual’s rights in respect of it. Whilst you shouldn’t be producing something the length of novel, you do need comprehensive and comprehensible Privacy Policy, agreements with third parties with whom you legitimately share data, and a fully trained staff (not forgetting other volunteers that might handle data on your behalf too). You may well also need other policies dealing specifically with retention periods or the use of personal devices for accessing data.
Thinking of other recent scandals affecting the not-for-profit sector, don’t neglect to do now what you may wish in the future you’d done when you had the chance.
As the Facebook debacle shows, when things go wrong, the loss of public trust for even the biggest companies in the world can have a huge reputational impact, and a catastrophic impact on income, whether through advertising or, for charities, donations.