The GDPR (General Data Protection Regulation) is the new legal framework for data protection in the EU. It comes into force on 25th May 2018. It is similar to the existing Data Protection Act 1998 but adds some new and different requirements. The Information Commissioner's Office is an excellent source of advice and guidance on the GDPR. They have a dedicated helpline for small organisations and resources specifically for charities.
If you are not doing so already, you will need to think about whether you need to update any of your practices to ensure that you will meet the requirements. As one example, do you seek consent from data subjects (your clients), and will it meet the standard – freely given, specific, informed and unambiguous? If not, do you have a lawful basis for processing their data?
Once you have reviewed your obligations and processes under the GDPR, then you need to be sure that your database system will allow you to meet the duties that you have. Lamplight will help you to do this in a number of ways.
Lawful Basis of Processing
- Lamplight is highly flexible and customisable. There are a number of built in fields which allow you to restrict how information is used by the system (e.g. prevent emails or mail-outs). It is also possible to add custom fields to capture more fine-grained consent information.
Right of Access
- If a client or service user makes a subject access request then it is possible to download information held about the client in various ways. How this is done using your system depends on how it is set up and the type of work you do. We will be providing a factsheet with more details on how to do this shortly.
Right to Rectification
- If you receive a request to rectify the data you hold on a client, then it is easy to find and edit that client’s details provided you have the right access levels to the system to make those changes. Those requests can be logged in the system as communications if you have the communications module or in custom fields in work records. We are currently working on a module that will log all the actions you take in Lamplight so you can track these changes and we will update this page once it is available. If you are looking at Cyber Essentials, you may well need this module when it is launched.
Right to Erasure
- It is possible to archive data and permanently delete data from the system. When deleting data you can choose how much or what types of data to delete from those profiles. For example, just delete names and addresses while leaving the details of the work that has been done or referrals that have been made.
Right to Restrict Processing
- You can restrict processing for a particular profile through their profile page. More information can be found in our information sheet on restricting processing. Please email firstname.lastname@example.org to request a copy.
Right to Data Portability
- Profile information can be downloaded from Lamplight in a CSV format either directly from the relevant table or using data views of a single profile. We will make a factsheet available with more information on this process.
- You can find more information on how your data is stored and backed up on the system security page.
How Lamplight is Preparing for the GDPR
Lamplight has been making a number of changes as we get ready for the GDPR so that both we and you can feel confident that Lamplight will aid you in your compliance.
We will be:
- training key staff
- working towards Cyber Essentials certification
- seeking ISO27001:2013 certification
- updating the implementation workbook and producing some advice about your use of Lamplight
- updating support materials to help you use the functionality that’s already there in Lamplight to enable you to fulfil your responsibilities
We are aware that compliance with the GDPR is an on-going process and will be keeping the guidance and changes to legislation under review.
For you, the GDPR will extend beyond your use of Lamplight, and we’d strongly recommend that your Trustees start to consider it soon.
- NCVO KnowHow NonProfit gives a good overview and links to resources (e.g. sample policies etc.). They also offer training on “Data Protections Reform – an Introduction to the GDPR for the Voluntary Sector”
- For a fundraising take, the Institute of Fundraising have an information page on Get Ready for GDPR
- Your local CVS (if you’re still lucky enough to have one!) or Local Authority may also be able to help you.
Take a look at our frequently asked questions on GDPR