Inspired by, and faithful to, its Christian values, ONE YMCA creates supportive and energising communities that are open to all, where young people can truly belong, contribute and thrive. Working with all ages, faiths and backgrounds, ONE YMCA is part of a global network of 14,000 YMCAs and has served communities in Hertfordshire for more than 127 years, reaching 1000s of people each day.
“The work we do at One YMCA is varied and exceptionally rewarding. We work with families and young people across Hertfordshire and support them in a number of ways – through our children’s centres, housing initiatives, family centres, youth work, nurseries, gyms and community hubs. We also help families affected by sexual and emotional abuse. One of our primary goals is to provide a supportive community for our young people and their families, ultimately enabling them to be part of that community, contribute to it and thrive within it,” Guy Foxell, CEO, One YMCA.
The Challenge
One YMCA is an organisation that is centred on people. It is committed to safeguarding individuals and families, and supports them when facing abusive, damaging and challenging situations. The impact of the Covid-19 pandemic has meant that more families than ever have found themselves under pressure, due to economic difficulties, school closures and restrictions on social interactions. Those suffering physical, emotional and sexual abuse have been particularly vulnerable during this period resulting in increased demand for support from organisations like One YMCA. In addition, One YMCA was one of the charities operating on the frontline of the Government’s Everyone In scheme – with the goal of providing safe and sanitary accommodation to rough sleepers and homeless people during the pandemic, and indeed beyond.
Like many charities, One YMCA focuses its efforts primarily on the frontline of helping people and meeting their immediate, day-to-day needs. As part of its safeguarding efforts, the team recognises that protecting the data it holds about people is a fundamental part of the services it provides. By its very nature, the charity needs access to sensitive and personal information – for example medical and mental health records, financial data, information relating to personal circumstances, criminal history and data relating to children – in order to help people. Some of this data is considered special category data, and should it become publicly available or fall into the wrong hands, it could have serious consequences.
“Protecting people and safeguarding their wellbeing has to be a universal effort,” continues Guy. “As part of our work we engage with people of all backgrounds, faiths and ages, many of whom are struggling to cope in difficult circumstances. We are privy to that information, and often work with local authorities, law enforcement bodies and other bodies to provide support. Some of the data we hold is highly sensitive, and if compromised could have a serious impact on an individual’s wellbeing and future prospects.”
As a charitable organisation, One YMCA is also obligated to ensure that its resources are directed towards providing direct support to those most in need. Managing internal costs and making sure that the majority of its funding is used to finance community projects is a key priority.
The Solution
The team at One YMCA knew that they needed someone with in-depth knowledge of data protection law and best practices to help safeguard the data of the people it helps. Given the variety and amount of data the organisation holds, it also necessitated someone with experience of working with many different data types and subjects. Not only this, but the charity also works with different suppliers, volunteers, fundraisers and community groups as part of its work. The need to appoint a Data Protection Officer (DPO) was clear, but the team had different options to evaluate.
Jonathan Kalemera, Director of Corporate Services, picks up the story. “Like a lot of organisations, we operate in a “mixed economy” – which means that some services are managed in-house, and others are outsourced. When it came to selecting a Data Protection Officer, we considered an internal hire but knew it was going to be difficult to find someone with the necessary skills and expertise across such a broad set of requirements. We also knew that it was going to be expensive, and that although we needed support across different areas, there probably wasn’t enough work to justify a full-time headcount.”
It was at this time that an associate of the charity recommended that the executive team speak to NormCyber, a specialist in cyber security and data protection services, about their virtual DPO offering.
Led by a fully qualified data protection lawyer, the norm. Data Protection as a Service solution is a subscription-based service providing on-demand guidance and support on all GDPR and data privacy related matters. In addition to advising on GDPR compliance, Data Protection Impact Assessments (DPIAs) and Subject Access Requests (SARs), the service also includes an analysis of current personal data processing operations and access to template policies such as Data Protection Policies, Privacy Policies, Data Retention Policies and Breach Management Policies.
“What we really liked about the norm. DPaaS offering was that it wasn’t just a single person, but a whole team that we could call upon as and when needed,” continues Jonathan. “A virtual DPO is also completely independent, and has the benefit of working with other organisations who are likely to have faced similar challenges. We can scale up the level of service we need as required, safe in the knowledge that an expert with years of experience will be able to support us.”
The team at NormCyber has also been able to facilitate educating staff and volunteers about their data protection responsibilities and why it matters as part of the entire safeguarding effort.
Should it be required, norm.’s data protection specialists can also advise on breach notification and communication procedures, including liaising with the Information Commissioner’s Office (ICO) and other EEA Data Protection Authorities.
The Benefits
Having appointed NormCyber as its virtual DPO, One YMCA has benefitted from support on a number of topics, including:
- Reviewing existing data protection procedures and policies to ensure compliance with the GDPR
- Reviewing supplier contacts and making relevant data protection related recommendations
- Advice on the sharing and transfer of personal data relating to vulnerable individuals
- Delivering data protection training and assisting with awareness initiatives
- Responding to Subject Access Requests (SARs)
- Conducting Data Protection Impact Assessments (DPIAs)
- An annual review of data protection and privacy governance frameworks, including an annual Board report
- Guidance and interpretation of emerging data protection and privacy laws
“One YMCA exists solely to support people and help them to live happy, secure and fulfilled lives,” summarises Guy Foxell. “An important part of that is safeguarding an individual’s data and making sure that the information we have is used in a transparent and respectful way. The people we support need to be able to trust us to keep them safe – in every way. Norm’s virtual DPO service gives us the expertise we need, when we need it, at around a third of the cost of an in-house hire. Ultimately, that means peace of mind for us and for the people we help.”