Does your Not-For-Profit have the right data privacy policy?

Mar 7, 2022 | Not for Profits

Data privacy is now a hot topic in NZ.

This was driven by three main factors:

1. The GDPR (General Data Protection Regulation), which came into effect in Europe in May 2018. This introduced strict regulations on what private information is, how to get consent from users, how to deal with breaches, and when personal information must be deleted. The fines for not complying were large: €20 million or up to 4% of annual worldwide turnover. Although it is a European regulation, it applies to any company that stores personal information about EU citizens, so it potentially impacts all companies world-wide.

2. Updates to the Australian Privacy Act, which made data breach notification compulsory as of February 2018. This means that if an individual’s personal information is leaked and the leak is likely to result in serious harm, the company is required by law to notify the individual(s). Again, the fines for not complying were increased to up to AU$2 million.

3. The New Zealand Privacy Act changes in 2020, introducing mandatory reporting requirements and tougher fines.

Updated privacy regulations aim primarily to give control to citizens of their personal data. It means that citizens are more aware of how their personal data will be stored, used and shared.

We recommend that a data privacy policy is created based on best practice and research performed across the industry. Staff should be trained on the privacy policy and it should be included in the staff induction process.

NZ Not for Profits have particular challenges with data privacy.

It is hard enough to manage data privacy in a commercial business, but take that into an environment supported by lots of well-meaning volunteers and it gets a lot harder.

For example, members often need lists of other members:

  • to invite them to events
  • to send news updates
  • to call ‘lapsed’ members and arrange renewals

Ultimately that means sharing information with some volunteers that is technically ‘personal’ and needs to be protected. Do your volunteers understand their obligations, and how do you manage them?

How can you create your own data privacy policy?

To create a data privacy policy the following areas and questions need to be answered:

  • What data do we hold?
  • We don’t tend to delete data – why do we hold it?
  • When, if at all, should we purge it? Why?
  • If someone asks us, what is our process on checking that they are who they say they are?
  • How would we know if it were stolen or leaked? Who would we notify?
  • What is our obligation to the clients and their staff? Is it different?
  • Who do we notify?

You can use this generator to help create your own, but we recommend a more thorough approach.


A Kinetics FlightPlan is the structured process to easily help you find the answers to these questions, and more.

For more information, contact us today.

If you aren’t sure who in your organisation is best placed to answer these questions, it is probably time you tried a contract part-time IT Manager to help you manage ALL your valuable IT. Check out our structured, programmatic “IT Manager as a Service” approach to help you.
