The transparency and compliance challenge

Make-A-Wish Ireland is ‘triple locked’ by Charities Institute Ireland for best practice in transparency and accountability. As an organisation that processes very sensitive and high-risk data about children who are ill, Make-A-Wish places a lot of importance on complying with the EU General Data Protection Regulation (GDPR). But tackling this is a daunting task, since the data it collects fits into a lot of different functions and categories.

Other challenges include overseeing consent for marketing activities and managing high-value fundraising. Make-A-Wish also relies on large numbers of volunteers to carry out its work, and they would need to be trained to handle personal information appropriately under GDPR.

Although it’s not under the external pressure that other organisations might be, safeguarding personal information has been at the forefront for Make-A-Wish, even before GDPR came into force. At the same time, it has a lot of areas to focus on in its core functions alone: the logistics involved in providing the wishes, together with raising the necessary funds to make the wishes come true. This made it difficult to find the time and internal expertise to deal with GDPR compliance.


Why work with an external DPO?

The role of a data protection officer (DPO) is to provide oversight for this activity. Their job is to make sure the organisation is complying with the GDPR by gathering information about its data processing activities, analysing these activities, and checking they’re compliant. Lastly, the DPO is responsible for informing, advising, and making recommendations to the organisation that’s processing personal data.

Make-A-Wish’s charitable status means it needs to manage its budget carefully. Working with an external group on an as-needed basis was a more cost-effective option than hiring a full-time DPO.

How BH Consulting helped

Make-A-Wish Ireland engaged BH Consulting, the specialist data protection and information security consultancy, to provide its DPO as a service offering. As an independent agency, BH Consulting could provide a vital “external expert eye” to assess the charity’s processes and ensure it was following best practice in GDPR compliance.

Building relationships with all stakeholders was a critical part of this process. Make-A-Wish wanted someone who would fit in with the ethos of the organisation and who would fit well into the team. BH Consulting’s Tracy Elliott was that individual. A highly experienced senior data protection consultant, Tracy put a structure around the charity’s compliance programme. As part of her role as external DPO, she also carried out these tasks:

  • Conducted a gap analysis exercise to identify areas of focus
  • Implemented a full compliance programme
  • Established policies and procedures
  • Held ongoing GDPR awareness training
  • Performed risk assessments
  • Set up a process for managing subject access requests


Trust is essential for a charity like Make-A-Wish Ireland. It needs all donors, children, and their families to be confident that it’s doing everything in its power to protect their data. With BH Consulting providing its DPO function, Make-A-Wish is secure in the knowledge that it has good processes and proper marketing consents, together with a skilled resource looking after its data protection responsibilities and handling complex issues.

Make-A-Wish Ireland has been working with BH Consulting for three years and has found them to be incredibly supportive.

GDPR can be extremely challenging and yet, for an organisation like ours, it is critical to be on top of everything at all times as we deal with such highly sensitive data. The support we have been given is practical, logical, and most importantly calming. They have demystified the complexities and have done repeated training with our team in order for everyone to be comfortable with all aspects. We would highly recommend any company to work with BH Consulting. A special thanks must go to Tracy Elliott who has worked with us since the start.

Susan McQuaid O’Dywer, CEO
