Anonymize your data
Take your existing data and strip out identifiable data points
Consider bundling data subjects into groups of 20 or more to further anonymise
Consider how anonymised data will sit with your ‘consent based’ data in future
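An added example (not part of the original checklist) of the two steps above: dropping direct identifiers, coarsening what remains, and withholding any group smaller than 20. The field names, the age-band and postcode-prefix generalisation, and the sample records are all constructed assumptions.

```python
from collections import Counter

# Assumed field names for a constructed voter-contact record (not from the page).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address"}
QUASI_IDENTIFIERS = ("postcode_prefix", "age_band")
MIN_GROUP_SIZE = 20  # the checklist's "groups of 20 or more"


def age_band(age):
    """Generalise an exact age into a ten-year band, e.g. 37 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def strip_identifiers(record):
    """Drop direct identifiers and coarsen the remaining quasi-identifiers."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["age_band"] = age_band(out.pop("age"))
    out["postcode_prefix"] = out.pop("postcode")[:3]  # assumed generalisation
    return out


def group_key(record):
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def anonymise(records, min_group=MIN_GROUP_SIZE):
    """Return (released, suppressed_count).

    A record is released only if at least `min_group` records share its
    quasi-identifier combination; smaller groups are withheld entirely.
    """
    stripped = [strip_identifiers(r) for r in records]
    sizes = Counter(group_key(r) for r in stripped)
    released = [r for r in stripped if sizes[group_key(r)] >= min_group]
    return released, len(stripped) - len(released)


def sample_records():
    """Constructed sample: 25 voters in one group, 3 in another."""
    big = [{"name": f"Voter {i}", "email": f"v{i}@example.org", "phone": "000",
            "address": "1 Example St", "age": 30 + i % 10, "postcode": "AB1 2CD",
            "issue": "housing"} for i in range(25)]
    small = [{"name": f"Rare {i}", "email": f"r{i}@example.org", "phone": "000",
              "address": "2 Example St", "age": 81, "postcode": "ZZ9 9ZZ",
              "issue": "transport"} for i in range(3)]
    return big + small
```

A size threshold alone does not make a group safe: if every record in a released group carries the same sensitive value, membership in the group still discloses it.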
Appoint a Data Protection Officer
A DPO may not be a requirement for all organisations, but the likelihood is that if you're dealing with sensitive personal data then you will need one.
The core activities of the organisation involve data processing operations which “require regular and systematic monitoring of data subjects on a large scale”
Internal or external DPO?
Understand ‘legal basis’ for processing data
The legal bases for processing data on citizens are outlined in the legislation, but the likelihood is that Consent will be the one that applies to you, as it is likely to be sensitive personal data.
Other bases include Employment, Vital Interest, Public Interest and Contractual Necessity, etc.
Communicate and train your organization
Get training for everyone. Your chain is only as strong as its weakest link, meaning any volunteers, interns or casual staff will need to be trained just as much as your permanent team.
Include permission settings in your staff set-up to avoid data being viewed or managed by the wrong people.
Build protocols around gaining consent
Figure out a credible, repeatable way of gaining clear consent from voters.
This is likely to be a digital signature captured face-to-face
It could be a credible online method, like an email double opt-in
Review your systems and locations of data storage
Where do you keep data on voters: on desktop, in the cloud, in Excel, on scraps of paper?
Establish how you are going to capture this from now on and ensure any information you have is not transferred outside of the EU, i.e. it must be kept on servers in the EU.
Draw up your data retention policy
It is critical that communications with voters are deleted once they are ‘done’ or have become unnecessary to keep.
A data retention policy is an official document that governs the organization’s procedures around holding data, time limits on this and methods of deletion or archival.
Know how to deal with Subject Access Requests
Any voter can request access to the personal data you hold on them at any time; they can also request that this data be deleted or transferred to a third party.
This request must be dealt with free of charge within one month and you must provide a digital way of making the access request.
Ideally, you will have a central repository of all voter information that you can go to in order to meet this request through a simple search. Otherwise you risk being swamped with SARs.
Get a data processor partner
It would be advisable to outsource the data processor role to a third party system that is set up with ‘privacy by design’ in mind.
This avoids your organization having to take responsibility for both data control and data processing.
Data encryption, secure servers and controlled access to data are relevant considerations if you do plan on being the data processor yourself.
Establish protocols for data breach reporting
If you do suffer a data breach you will be obliged to report this to your relevant supervisory authority within 72 hours of discovering it, and to the individuals affected if it poses a high risk to them.
How do you plan on doing this, and how can it be done if it is a weekend or your DPO is away from the office, for example?
You will need to outline the scale of the breach, your DPO’s contact details, and how you are responding to the breach.