General Data Protection
Regulation 2018

Data compliance for
your organisation

Sarah Hamilton Mike deJong logo Alde Logo Neos Logo Lake Ray logo Greens BC Logo

What is GDPR?

  • New data protection legislation May 2018
  • Affects anyone who holds identifiable personal data on an individual/voter
  • Organizations and the individuals therein found to be in breach of the legislation are open to prosecutions of €20 million or 4% of annual global turnover
  • From now on voters will be able to demand access to any data you hold on them and request it to be deleted or transferred to a third party
  • If you wish to hold identifiable personal data or sensitive data about an individual you will need to gain clear consent from that individual to do so
  • If you hold sensitive personal data, such as voting history, political preferences, or specific issues related to an individual, then you will need to appoint a Data Protection Officer in your organisation

How Ecanvasser can help you become GDPR compliant

  • Outsource the secure data processing of your voter data
  • Focus on your data controller obligations, staff training and permission access
  • Easily import and clean your voter data to ensure compliance
  • Have an easy system for handling access requests
  • Have an easy system for managing a full data audit
  • Have a method of capturing consent from voters for ongoing communication
  • Privacy dashboard allows you to log the record of processing activities to allow your data controller to demonstrate compliance

Here are the steps we took to become GDPR compliant

  • We have updated our terms and conditions
  • Updated our security policies
  • Improved database security and encryption methodology
  • Fireproofed database access protocols
  • Instituted a public privacy policy
  • Initiated the facilitation of digital signature consent
  • Completed our end to end data handling map
  • We have retrofitted all existing functionality according to our privacy by design methods
  • Implemented a privacy dashboard for customers

Follow our 10 step guide to becoming GDPR compliant

  1. Anonymize your data 
  2. Take your existing data and strip out identifiable data points Consider bundling data subjects into groups of 20 or more to further anonymise Consider how anonymised data will sit with your ‘consent based’ data in future
  3. Appoint a Data Protection Officer 
  4. A DPO may not be a requirement for all organisations but the likelihood is if your dealing with sensitive personal data then you will need one. The core activities of the organisation involve data processing operations which “require regular and systematic monitoring of data subjects on a large scale” Internal or external DPO?
  5. Understand ‘legal basis’ for processing data  
  6. The legal basis for processing data on citizens are outlined in the legislation but the likelihood is that Consent will be the one that applies to you as it is likely to be sensitive personal data. Other bases include Employment, Vital Interest, Public Interest and Contractual Necessity, etc
  7. Communicate and train your organization 
  8. Get training for everyone, your chain is only as strong as the weakest link, meaning any volunteers, interns or casual staff will need to be trained just as much as your permanent team. Include permission settings in your staff set-up to avoid data being viewed or managed by the wrong people.
  9. Build protocols around gaining consent 
  10. Figure out a credible, repeatable way of gaining clear consent from voters. This is likely to be digital signature captured face-to-face It could be a credible online method, like an email double opt-in
  11. Review your systems and locations of data storage 
  12. Where do you keep data on voters, on desktop, cloud, excel, scraps of paper? Establish how you are going to capture this from now on and ensure any information you have is not transferred outside of the EU, ie, it must be kept on servers in the EU.
  13. Draw up your data retention policy 
  14. It is critical that communications with voters are deleted once they are ‘done’ or have become unnecessary to keep. A data retention policy is an official document that governs the organization’s procedures around holding data, time limits on this and methods of deletion or archival.
  15. Know how to deal with a Subject Access Requests 
  16. Any voter can request access to the personal data you hold on them at any time, they can request that this data be deleted or transferred to a third party. This request must be dealt with free of charge within one month and you must provide a digital way of making the access request. Ideally, you will have a central repository of all voter information that you can go to to meet this request through a simple search. Otherwise you risk being swamped with SAR’s.
  17. Get a data processor partner 
  18. It would be advisable to outsource the data processor role to a third party system that is set up with ‘privacy by design’ in mind. This avoids your organization having to take responsibility for both data control and data processing. Data encryption, secure servers and controlled access to data are relevant considerations if you do plan on being the data processor yourself.
  19. Establish protocols for data breach reporting 
  20. If you do suffer a data breach you will be obliged to report this to your relevant supervisory authority within 72 hours of discovering it, and the individuals affected if it is of high-risk to them. How do you plan on doing this and how can it be done if it is a weekend or your DPO is away from office for example? You will need to outline the scale of the breach, your DPO’s contact details, and how you are responding to the breach.