GDPR Resources

Blackbaud - Webinar FAQ GDPR


The following FAQ features questions submitted during the webinar "Communicating Privacy Practices to Donors," which aired live on 5 December 2017. While the information provided herein is reliable, it does not constitute legal advice and should not be construed as legal advice or legal opinion on any specific fact or circumstances.

Q: What is the difference between a Data Protection Policy and privacy notices? Are the privacy notices simply part of a bigger DP policy?

A: Likely we're using different terminology for the same thing. GDPR and the European Commission use the terms "privacy statement," "privacy notice," "privacy policy," and "data protection notice" all to describe the same thing: a public-facing document that describes the organisation's data protection practices to data subjects. There are also internal data protection policies that organisations should have; these are not public-facing and describe the organisation's goals, practices and procedures relating to data protection.

Q: If you are speaking to a donor on the phone and collecting their data for the first time, how do you communicate your privacy policy to them in the best and easiest way?

A: GDPR's default position for the provision of information is that it be given in writing, or by electronic means, but you also need to determine whether the method of delivering the information is appropriate to the circumstances, such as how you typically interact with your donors. A hard copy of your policy sent via post, or an email to the donor with a link to the online policy, would likely be appropriate. The Article 29 Working Party also suggests, for telephone communications, "oral explanations by a real person to allow interaction and questions to be answered, automated or pre-recorded information with options to hear further detailed information."

Q: If someone donates via post for the first time, would we include a printed copy of the privacy policy with the acknowledgement letter?

A: That could be an appropriate way to deliver the information.

Q: Do you have an example of under-promising?

A: Here's an example of under-promising on security: "While no website can guarantee security, we maintain appropriate physical, electronic and procedural safeguards to protect your personal information collected via the website."

Q: What do we need to include about data retention period/criteria? How specific do we need to be?

A: The Article 29 Working Party has released guidance since the webinar stating that: "The storage period (or criteria to determine it) may be dictated by factors such as statutory requirements or industry guidelines but should be phrased in a way that allows the data subject to assess, on the basis of his or her own situation, what the retention period will be for specific data/purposes. It is not sufficient for the data controller to generically state that personal data will be kept as long as necessary for the legitimate purposes of the processing. Where relevant, the different storage periods should be stipulated for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods."

Q: How regularly should you be updating privacy statements to ensure you're keeping up to date with any additional changes?

FAQ Webinar: Communicating Privacy Practices to Donors
