It was hard to hold our nerve under the onslaught of so many GDPR emails in May… Maybe we should be sending one? Maybe we will be breaking the law if we email anyone after 25 May and we haven’t sent one?
But we did hold our nerve, so we thought it was important to explain why.
We researched what the new data protection rules meant for us, which included going to a conference and reading this very helpful article, as well as speaking to the chair of our board who is a data protection lawyer. We then went through a process of noting down all the data we keep, our reasons for keeping it, our security provisions, how long we intend to keep it and which GDPR condition for processing we were using to justify keeping it. A bit like a risk assessment but for data.
We based decisions about our data on a number of acceptable conditions for processing data within the new guidelines:
– For staff/freelancer details etc. we used ‘performance of a contract and compliance with legal requirements’.
– For the app data we used ‘legitimate interest’ – where it is in the interest of the data controller to hold the data, and that interest is not outweighed by the interest of the third party.
– For our mailing list (not used for fundraising) we used PECR (Privacy and Electronic Communications Regulations), which is another data protection regulation that runs concurrently with GDPR and deals specifically with email, phone and text communications. As a result we believe that nothing in GDPR or PECR means that we need to obtain renewed consent from customers who likely expect to keep hearing from us, as long as we are only communicating about our own work or that of very close associates, and as long as there is always an unsubscribe link in the email.
So, if you did happen to be wondering why you didn’t get one of those emails from us, I hope the above explains it all. Do get in touch if you have any questions.