GDPR Resources

Blackbaud - Webinar FAQ GDPR


A: To be clear, you only need to update your privacy statements when your practices change. It's always good practice to audit your privacy statements annually to ensure they are accurate and that you haven't failed to reflect a change in your practices.

Q: How do I deliver a privacy notice to a data subject when I am collecting his/her personal data from a third party (according to Art. 14 of GDPR)?

A: GDPR doesn't specify how you are to do this, and it ultimately depends on how you will use the data. The privacy notice must be given within a "reasonable period" after you receive the information from the third party, but in no event later than one month. And if you contact the constituent before the month is over, you need to include a link to your privacy notice at the time of that first communication with the constituent. There are some exceptions to Article 14 too, such as where giving constituents your privacy notice would be impossible or would involve disproportionate effort. In most cases for our customers, you're likely receiving data to enrich constituent records you already hold for people with whom you already have a relationship (so presumably you have already delivered your privacy notice to those constituents), so you will not need to provide them with your notice again unless it has changed since you originally provided it.

Q: Can you direct someone to your privacy notice held online in an offline document, i.e. a paper document?

A: Again, remember that the method of delivering the notice needs to be appropriate in light of how you're collecting information from your constituent. Make access convenient for your constituents! There is no hard-line rule about this, but pay attention to who your constituents are. If you cater primarily to constituents without access to the internet or who are unfamiliar with technology, it is best not to include online links in printed materials.
Q: The information for a privacy policy is geared towards donors. Do we need a separate privacy policy for keeping service users' information, or should we have one policy that covers every possible use of client information?

A: You can include all the information in one policy or separate it into two. It doesn't matter which you choose as long as it is made apparent which parts of the policy apply to which audiences. And if including both audiences in a single notice makes it too cumbersome or confusing, use two. Remember, your privacy notice needs to be concise, transparent and intelligible!

Q: For some of our organisation's services, we need to disclose personal information to third parties. Would this need to form part of our privacy policy?

A: Absolutely!

Q: How do we address our practices with respect to sensitive information from which people cannot be identified?

A: GDPR does not apply to data that doesn't identify natural persons, so you aren't required to address it in your privacy notice.

Q: Are you suggesting we have to list absolutely everything we might do with donor data? And what happens if we start doing something new? And therefore we have to amend/change our privacy policy? Do we then need to re-inform all donors?

A: Yes, yes, yes and yes.

Q: A recent training course on GDPR I attended said that we should not use the word "right" whenever possible. The data subject rights screen uses it a lot; would you agree with the training I received?

A: Both GDPR and the Article 29 Working Party guidance use the term "right" throughout. Perhaps the trainer hopes that avoiding the word "right" will reduce constituents' exercise of their rights, but nothing in law or guidance suggests that using the word is inadvisable or prohibited.
