BEST GDPR PROGRAMME - DATA CONTROLLER
In partnership with
Business planning and processes team, Comic Relief
Who are they?
Comic Relief is a UK-based charity founded in 1985 with a vision of a just world, free from poverty. Every two years it runs Red Nose Day to raise money for people facing difficulties in the UK and Africa. The 2017 event raised over £73 million. Bi-annual fundraiser Sport Relief raised nearly the same amount in 2016 at £72.5 million.
Within the charity, the business planning and processes team (BPP) has been responsible for the organisation’s understanding of how it should handle personal information. A meeting of the data stewards group in November 2015 led to awareness raising around the General Data Protection Regulation (GDPR) from June 2016 onwards, resulting in the entire staff having been trained on GDPR and regular updates being provided to the board.
What do they do?
Comic Relief set itself the target of being GDPR compliant for the 2018 Sport Relief campaign by September 2017. The work began when the charity’s data protection officer, who is head of BPP, set up the data steward working group in November 2015. With representatives from each team in the organisation, it holds monthly meetings at which any changes to policy and data retention periods are reviewed and approved. The intention is to ensure that Comic Relief conforms to all legislation as well as best practice in its use of data, defending against loss or misuse so its reputation is protected.
A data audit established what personal information it holds, who has responsibility for it and how it should be protected. Working with legal, business and IT, BPP has examined all of the charity’s policies to ensure they are fit for purpose and also put together a data retention schedule. All new projects are subject to a mandatory Privacy Impact Assessment and a shortened timescale for Subject Access Requests has been introduced to meet the demands of GDPR.
Staff training has been central to the GDPR programme, from the executive board and trustees downwards. Training has been provided on how to respond in the event of a data incident as well as on safe data sharing. A staff intranet hosts all policies and information on processes. This extended to a Data Awareness Week for all staff in September 2016, covering mandatory sessions on data protection and disposal, as well as “lunch and learn” sessions ranging from data science to protecting your digital footprint.
What did the judges say?
A comprehensive plan that was aligned with the brand brought approval from the judges. In particular, they were impressed by the focus gained through setting an early deadline for compliance. “A brilliant use of external perspectives and a very robust staff engagement programme” was applaued by one. Another noted simply: “I wish we were doing it this well.”