Data protection resource - a risk-based approach | Making Music


When approaching data protection there are two risks to consider:

1. The risk to the individuals whose data you hold
Ultimately data protection is about protecting the privacy, rights and freedoms of individuals. Some organisations will hold data on individuals that could pose a serious risk to this, whilst others will hold data that poses a much lower risk. For example, data about an individual’s race or sexual orientation could be high risk as it puts them at risk of unlawful discrimination. Similarly, genetic or health data carries a greater risk to a person’s privacy than an email address.

We suspect that the data which most of our groups hold will be towards the lower end of the risk spectrum. That doesn’t mean you shouldn’t take it seriously, just that what constitutes reasonable and sensible measures might be different.

2. The risk to your organisation
Not being compliant with data protection laws carries risks for your organisation (e.g. reputational and, in theory, financial). So, policies and procedures are about minimising these risks too. However, you might also consider balancing this against what is realistic and practical.

The Spirit of the law

You don’t need to get bogged down in the legislation and regulation. Whilst it does all technically apply to you, it will not all affect you. Rules around automatic processing of data (where decisions are taken based on data processing without any human interaction) are unlikely to affect our groups, for example.

It might be useful to think about the spirit of the law. The overarching aim and spirit of data protection laws is that individuals’ data is treated fairly, reasonably and transparently. You may be faced with a situation where there is a choice to make between the absolute letter of the law and acting within the spirit of the law. If acting within the spirit reduces the risk, then you might decide that approach is in the best interests of individuals and your group.

We are not saying ignore data protection – in fact we think you should embrace it and use it as an opportunity to improve your organisation. But at the same time there are different approaches with relative merits and risks. It can be easy to get bogged down in the detail when a common-sense approach and a bigger picture view could be taken.

The Information Commissioner’s Office (ICO) is the regulator for data protection in the UK and can fine organisations for data breaches. This is unlikely to happen to our groups. The ICO’s approach with small not-for-profit organisations is one of education rather than punishment. If you were to cause a data breach and come to the attention of the ICO, but you could demonstrate that you take data protection seriously and have reasonable and sensible measures in place to keep the data you hold safe, they would be much more likely to help you improve and avoid further breaches than punish you for the one that happened.