At the end of the summer the Information Commissioner's Office (the 'ICO') published a report, prepared earlier in the year, on a number of voluntary data protection audits it had conducted with charities.
The ICO had been invited by these charities to review their practices for compliance with the existing data protection legislation before the General Data Protection Regulation ('GDPR') came into force. The report provides helpful guidance to charities wrestling with GDPR policies and procedures.
Eight charities participated in the voluntary audits, but the ICO has also incorporated comments from 25 'advisory visits' to smaller charities in its guidance. We recommend charities consider the extent to which they follow the applicable 'areas of good practice' and also bear in mind the common 'areas for improvement' identified, particularly:
- Incorporating 'information governance' into broader governance arrangements
- Conducting regular data protection compliance checks and monitoring processing activities
- Providing volunteers with data protection training before access to data is given
- Documenting reporting, retention, confidential waste and records management policies
- Rating the risk of possible incidents to identify the need for further action
These recommendations and approaches will not be relevant to all charities. However, we suggest that where your charity takes a markedly different approach from one identified by the ICO, it ensures it is able to demonstrate why and how this is justified under GDPR.