« New requirements around the processing of personal data need to be understood
or charities risk damaging the reputation of the sector as a whole.”
La dernière Newsletter de l’EFA (European Fundraisers Association) propose un article concernant l’impact du Réglement Général 'Protection des Données' (GDRP) sur les acteurs de la collecte de fonds, et ce dans l'ensemble des pays de l'Union européenne.
Nous listons ci-dessous les principaux défis que Jitty van Doodewaerd, compliance consultant pour le compte de DMCC Netherlands, décrit plus en détail dans sa contribution :
- What data do you collect ?
If you can provide the same service or product without collecting certain personal data, you are not allowed to collect or store that data.
This is the principle of data minimization. - What records do you need to keep ?
GDPR obliges organisations to maintain a record of processing activities.
Charities must set up a “privacy administration” comparable to their financial administration.
A single customer view or central overview of all data processing activities is often not in place. However, starting May 2018 this is a requirement.
And your data protection authority can ask for your records of processing activities. - Who should take responsibility for your data ?
GDPR states that organisations that systematically monitor citizens are required to appoint a Data Protection Officer (DPO). - How can you retain care and control when working with third parties ?
Accountability also means regularly checking your suppliers.
First of all by entering into a data processor agreement. That is not just a paragraph in the sales level agreement or contract, but a full-fledged document detailing your data processing; the type(s) of data, data retention periods and security measures.
Secondly, by actually monitoring the data processors. - What do you need to tell supporters ?
GDPR still allows for data collection. But under the condition that citizens are comprehensively and understandably informed about your personal data collection and are offered a meaningful choice.
It is not enough to provide this information with a hyperlink to the terms and conditions or the privacy statement. The information must be provided clearly where a consumer registers. - When should you delete data ?
GDPR states that personal data can be kept no longer than necessary for its collection purposes.
If someone receives your email newsletter and they opt out, it is not enough to deactivate their account.
If the data is no longer needed, it should - at some point - be deleted or anonymised.
Keeping personal data longer is permitted, if required by law.
L'article fait état d'un récent sondage réalisé à l'initiative de la European Fundraisers Association, dont il ressort qu'une grande majorité d'associations actives en collecte de fonds n'ont pas encore entamé les procédures de mise en conformité des traitements de données personnelles concernant leurs donateurs.
Source:
'CHARITIES UNPREPARED FOR EU DATA PROTECTION REGULATIONS (GDPR)' - Jitty van Doodewaerd, compliance consultant DMCC Netherlands - EFA Newsletter, 20 juillet 2017.
Autres articles d'actualité sur le même thème:
- Réglementation européenne RGPD: votre association est-elle prête ?
- RGPD et collecte de fonds: documents et liens utiles
Le prochain workshop du Fundraisers Forum (jeudi 31 août) proposera plusieurs interventions sur ce thème (lien).
