GDPR: run! It’s going to destroy us! Mrs Goggins is going to be thrown in prison and lose her house because she used the CC field instead of the BCC field and now everyone knows everyone else’s email address! (GDPR stands for General Data Protection Regulation.) This post is about how not to panic: where to get the official UK government information and checklist for free (there are no links to paid services anywhere on this page, because it is all free), plus a short GDPR template to help you get started before you actually work through the self-assessment.
So don’t panic. GDPR is a pain in the backside because it will take you a bit of time to work through. It took me about 3 hours from cold. I hope this post and the template at the bottom will save you about an hour of that. (Disclaimer: I am not an expert on this, so if you ARE an expert I am most happy to hear from you; message me on Facebook or somewhere.)
GDPR IS scaring many of my friends, who are reacting in an understandable way and asking for re-opt-ins on emails and all sorts. I am not saying that this is a walk in the park, but it’s not scary either. Before I get into it, I want to pour a little of the old ‘oil on troubled waters’.
WHATEVER YOU DO, YOU DON’T NEED TO SPEND MONEY ON THE SITES THAT COME UP SAYING ‘PAY US TO ENSURE YOU COMPLY WITH GDPR OTHERWISE…’. It’s all free, and not that hard. Just boring.
(If you get this as an email then you MUST read right to the bottom for details. If you receive this in the form of an email THEN YOU ARE SUBSCRIBED TO EVERY SINGLE ONE OF THE KIDZMINISTRY UPDATES! In the process of doing GDPR I worked out how to move your email addresses from the assemblyideas.wordpress.com site, where you originally subscribed, to the Kidzministry.org site, which is the same thing. You may want to change HOW you subscribe to avoid lots of these duplicate blog-type emails; that’s covered at the end, and in line with GDPR requirements!)
The government has provided really easy-to-understand self-assessment questions (links below), and you only need to dig into the PDFs if you really need to.
What the government says about GDPR
This is from the ICO site itself (the Information Commissioner’s Office, the body set up by yon UK government to regulate data protection and help us understand it…).
So… let’s have a look at what the ICO has to say about its own process for wrist slapping.
…And just look at our record:
Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.
And we have yet to invoke our maximum powers.
Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense.
Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st-century world.
But we intend to use those powers proportionately and judiciously.
And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.
(This is from the very useful ICO myth-busting blog: https://iconewsblog.org.uk/tag/gdprmyths/ )
My own experience with GDPR over the last few days…
Before I show you the YouTube clip that really helps us calm down, from two ace Manchester marketing lads who are now world-renowned (go UK!!!!!), I just want to say WHY I am writing this post.
The other day I went to do my own GDPR checking-out thing and came across page after page of ‘free advice’ results from Google. They weren’t free. They were full of scaremongering that made things more complicated, and they wanted me to pay so that I would avoid the fines… Thankfully I remembered something about the ICO, typed in ‘ICO gov’ and got what I wanted. Don’t worry: all the links I provide here are the official ones that really do give free advice from the UK government. And it’s actually not that bad, though it is lengthy and can be a bit rabbit-hole-like. The trick is not to read every single PDF unless you have to. Or better, let someone else do that, like your church governing body. So for the Church of England, let the diocese do it and then tell you what to do in their training. Much easier.
All those other sites are just trying to scare you and make you part with your cash.
Why GDPR anyway?
Let’s explain WHY this is happening.
If I said to you that I had a product you could buy which would drastically reduce the amount of rubbish you get in your inbox, help protect you from spam and cold calls, and give you a sense of security about your information, would you buy it from me? Now, what if I said I would give it to you for free? And then said that I would sort it all out for you, and you didn’t even need to give me your details? THAT is what GDPR is all about. We are serving people by getting all this in place.
It’s not about making life harder for those of us who store data. And it scales too: the less data you hold and use, the less you have to worry about.
But being a bit aware before you even go for the training will help it sink in a bit better. (Don’t forget the little quick-start rough template for GDPR that I include as a link at the bottom of this post.)
So, the video below. This is what it is going to say:
- Know why you are collecting data. (Data includes images as well, BTW.)
- Have a typed document about how you collect data, how you store it, how you keep it safe, and how you use it. You will review this on a regular basis (yearly, most likely).
- You’ll need evidence, so screen grab when you can if you are obtaining information digitally. Useful for signup forms and the like. I put that into my own document.
- Use a mail service when you are sending out lots of emails, as they have systems that make sure each person only sees their own address, so you aren’t sharing email addresses accidentally, as in the case of Mrs Goggins above. (Don’t you just hate that?)
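To make the Mrs Goggins problem concrete, here is an added example (mine, not part of the original post and not any mail service’s own code) in Python. It builds the leaky message, with every subscriber in a visible Cc: header, beside the safe one, where the subscriber list only ever travels in the SMTP envelope, and then checks what each recipient could actually read. The addresses and the subscriber list are made up; `send_with_envelope` is a hypothetical helper around smtplib’s `send_message()` and is not run here.

```python
"""The 'Mrs Goggins' leak: bulk email with everyone in Cc versus a safe envelope.

Added example; not from the original post. The addresses and the subscriber
list below are made up for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "updates@example.org"
# Constructed sample subscriber list (hypothetical addresses).
SUBSCRIBERS = [
    "mrs.goggins@example.org",
    "postman@example.org",
    "ted.glen@example.org",
]


def build_leaky(sender, subscribers, subject, body):
    """The mistake: every subscriber in a visible Cc: header.

    Each recipient receives that header and so learns every other
    subscriber's address (personal data disclosed to third parties)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(subscribers)  # delivered to everyone
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(subscribers)


def build_safe(sender, subscribers, subject, body):
    """The fix: subscriber addresses live only in the SMTP envelope.

    The list is handed to the mail server as RCPT TO commands and is never
    written into the message, so there is no Bcc: header to strip and
    nothing for a recipient to read."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the only address in the delivered headers
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(subscribers)


def exposed_addresses(msg):
    """Every address a recipient can read from the To:/Cc: headers."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr for _, addr in pairs if addr}


def leaked_subscribers(msg, subscribers):
    """Subscribers whose address appears anywhere in the wire-format message.

    Checks the serialised bytes rather than only the parsed headers, so a
    stray Bcc: header or an address pasted into the body is caught too."""
    raw = msg.as_bytes()
    return sorted(a for a in subscribers if a.encode() in raw)


def send_with_envelope(smtp, msg, envelope):
    """Send one message to many envelope recipients (hypothetical helper).

    `smtp` is a connected smtplib.SMTP; send_message() takes the recipient
    list separately from the headers, which is what keeps it private."""
    return smtp.send_message(msg, from_addr=msg["From"], to_addrs=envelope)


if __name__ == "__main__":
    for label, builder in (("leaky", build_leaky), ("safe", build_safe)):
        msg, envelope = builder(SENDER, SUBSCRIBERS, "Update", "Hello")
        print(label, "envelope:", envelope)
        print(label, "visible in headers:", sorted(exposed_addresses(msg)))
        print(label, "subscribers leaked:", leaked_subscribers(msg, SUBSCRIBERS))
```

The point of `leaked_subscribers` is that it inspects what would go over the wire, not what you intended to send: if a tool (or a human) drops the list into a Bcc: header and the sending software fails to strip it, the check still flags every address. A proper mailing service does the safe variant for you, one envelope per subscriber, which is why the video recommends one.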
What isn’t included in the video:
- Check to see if you need to register. If you do any form of pastoral care you will need to register, which affects most of you reading this from a church perspective. There is a series of self-assessment questions which, together with the data protection self-assessment toolkit (available from https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/ ), is really useful for creating the document you will need to show that you have done everything required to be compliant. I’ve written up a quick-start GDPR questionnaire which will help you think around the questions before you start. Hope it helps a bit! It’s not perfect, so don’t think this is all you will need to do. You don’t need to use it, though, and can just get stuck in.
- The fee! The ICO website says that there is a fee: £40 for those of us with a turnover of up to just over half a million pounds. And actually, the majority of us are exempt from it anyway, which you will find again in the self-assessment documents.
More information that might help you be a bit less worried
Take what follows with the usual disclaimer please (I am not an expert or lawyer and so on… and if you are someone who is trained in this AND a spokesperson for something like your local diocese or legal body, then leave a comment!).
- A regular business that doesn’t deal with data relating to people for anything more than sales will not have to register.
- If you don’t have to register, you won’t have to pay a fee.
- Anyone who works in the voluntary sector may well not have to pay a fee, but will have to register.
- CCTV, even home CCTV, needs registration. I don’t think you have to pay a fee, but I didn’t go that far.
This does NOT mean that you don’t have to do anything! It just means that you don’t have to register. You still need to do the work to protect other people’s data, and write down how, why and so on.
So what’s the best thing to do to work through the GDPR process?
Work your way through the self-assessment questionnaires on the government website, top to bottom, each section. It will take about three hours, but each question has a radio button to check and a helpful information guide alongside it to explain each part. When you get to the end it will mark you red, amber or green (is that really amber? It looks more flesh-coloured to me…) for your compliance level, with a reminder of what you will need to do. No information about you is stored at this point, and you can go forwards and backwards easily through the questionnaire if you change your mind over anything.
At the same time, have a document file open on your desktop and simply type up the answers you would give someone if they were asking you the questions. And don’t forget the screen grabs if there are any online sign-up forms.
Added useful thing… well, I think it is!
A rough guide template for starting to fill out your GDPR information is right here, if you haven’t already downloaded it.
This little document is something that you might find useful. I have based it around the questions asked in the self-assessment. It will help you get a feel for the kind of things you need to think about. If you start by answering all the questions on this template and then go to the self-assessment, you will have made a really good start. Use the self-assessment to tidy things up.
Feel free to email me via the contact page (I won’t add you to a mailing list!) if you spot anything you think would be useful to add or tidy up. It’s just a generic starter for ten to ease the burden a bit.
If you find this information useful, please share it using the social sharing buttons at the top or bottom of this post (unless you get it by email… read on!).
The following is important to ASSEMBLYIDEAS.WORDPRESS.COM SUBSCRIBERS! If you got this via email, you are a subscriber! Trust me… it’s the only way you could get this directly into your inbox. (Normal readers can ignore this bit.)
That means every single update lands in your inbox, which you might want. I am, after all, pretty awesome 😉 (this is a joke).
But I personally wouldn’t. I would want only occasional, probably weekly, emails of highlights and perhaps other useful web links.
So here is my suggestion.
At the foot of this email there is an unsubscribe button. Use it to unsubscribe…
You can unsubscribe from either system whenever you want to.