Your compliance journey: What to know

The regulatory landscape is changing, and it’s our responsibility to keep up. Organisations need to make sure they’re meeting their compliance requirements and consider what steps need to be taken to prepare for the changes.


Discover the steps that you should consider

The GDPR brings with it a shift in mindset. It introduces several principles that previously underpinned data protection law, and encourages organisations to take more responsibility for protecting the personal data they handle.

EU-based organisations, as well as anyone processing the personal data of EU citizens, will likely be affected by the GDPR. If you ever collect, record, store, use, or erase personal data from volunteers or contacts in the EU, the GDPR should be on your radar. This new law will have a significant impact on organisations around the world.

Many organisations, large and small, have been assessing their readiness now that the deadline has passed. It is recommended you seek legal advice to determine what may be required for your organisation. However, there are a number of factors that all organisations should be considering.



GDPR: The basics

If you’re new to the GDPR, here’s a bit of background: On 25th May, 2018 the GDPR officially became a law that strengthens the fundamental right to privacy for people living in the EU. We’ve highlighted some points below to help you get on your way.

Personal data

According to the European Commission, the personal data in question is defined as “any information relating to an individual, whether it relates to his or her private, professional or public life. Anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

Identify personal data

With GDPR now in effect, knowing what personal data you have and where you have it has become a necessity. Locate systems where personal data is collected and stored.

Your data

Protecting data properly means understanding how it’s treated in your organisation - how your personal data is handled, shared and used. With this information, you can build your GDPR strategy in a way that works for your organisation, and allows you to use your data the way your organisation needs to.

Breach management

You’ll want to review and update your data breach management policies and processes. Detecting and reporting breaches to the correct authorities in a timely manner will be critical as fines can be levied for reporting failures as well as for breaches (up to 10 million Euros or 2 per cent of your global turnover). A personal data breach is classed as a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Ownership and accountability

It’s important to identify a responsible owner for data protection compliance. For some organisations, this will mean appointing a data protection officer. In addition, you may need to develop internal data protection policies and provide staff training.

Ensuring a legal basis for processing

It makes sense to start determining and documenting what legal grounds you’re using for processing the different types of personal data you handle. If you’re using consent as a basis for processing, for example, you’ll need to consider how you obtain it and be able to clearly demonstrate how and when it has been given.

The rights of data subjects

To ensure your procedures accommodate data subjects, you will want to make sure you understand the new rights that people have in relation to their personal data. For example, data subjects will have the right to access their personal data as well as have it corrected, erased, or ported electronically.

Communicating essential information

Reviewing your online privacy policies and other notices has become increasingly important. New requirements include detailing the legal basis for your processing and making users aware of the authority they can complain to if there’s a problem.

Working with your providers

Fulfilling GDPR obligations goes beyond your organisations own policies. Any third parties processing personal data on your behalf will also need to meet the necessary standards for data protection. It’s important to determine if they have robust practices for network and information security, privacy, and data protection. Make sure they conform to internationally accepted standards and verify their compliance. See how Assemble prepared for the GDPR here.


Still using
spreadsheets to manage
your volunteers?

Spreadsheets, which are widely used in organisations for storing and managing volunteer data, pose one of the biggest risks to GDPR compliance:

  • Poor audit trail
  • No access controls
  • Poor versioning
  • Easily duplicated and modified without owner's knowledge
  • Using spreadsheets to track and manage volunteer data increases the risk of non-compliance with GDPR and could prove costly.

Next steps

Even with a well thought out approach, satisfying GDPR requirements is a major responsibility which requires a lot of preparation throughout the organisation. Resources and support from all teams is needed to implement any changes successfully. From our own experience and from working alongside our customers, we appreciate the scale of the exercise. Organisations should not underestimate the risks and impacts to reputation and volunteer trust that GDPR can cause.

GDPR is not to be taken lightly, but at the same time it’s important not to get overwhelmed. Take the opportunity to make sure there are plans in place to make any changes to ensure you’re compliant. As an organisation, you’ll need to be prepared but it’s integral to also establish close supply chain relationships with any third-party products you use — making sure they are GDPR compliant is just as important. You can rest easy knowing that we take the responsibility of protecting your information seriously.


Looking for more information?

If you have any further questions, feel free to reach out to us

Contact us



Please note that this information is intended to provide helpful guidance to customers on the GDPR and not as a solution or legal advice. We encourage each organisation to undertake their own steps to ensure compliance.