
Best practices

Recommended reading for the Red Cross Red Crescent movement users:

  • IFRC Practical Guidance for Data Protection in Cash and Voucher Assistance
  • IFRC Data Protection overview and general best practices

Recommended reading to all Organisations:

  • General Data Protection Regulation (GDPR)

  • Module 3 (Data and Digital responsibility) of the Data and Digital Literacy Introduction Course

Additional recommendations:

  • Do not collect more data than is necessary for the purpose of the specific program.
  • Do not keep data for longer than necessary.
  • Perform a monthly or bi-monthly access review.
  • Handle any Excel files exported from EspoCRM responsibly.

It is strongly advised to delete the files after performing the duplication check, in a way that cannot be easily recovered. The User may apply additional measures such as protecting the workbook with a password. In Microsoft Excel, this can be done by following these steps:

  • Select File > Info.
  • Select the Protect Workbook box and choose Encrypt with Password.
  • Enter a password in the Password box, and then select OK.
  • Confirm the password in the Reenter Password box, and then select OK.

Further recommendations regarding passwords:

  • Update the initial password shared with you to access the platform and choose a robust new password (e.g., use passphrases containing capital letters, numbers and symbols).
  • Use a digital password manager (e.g., Bitwarden).

Non-exhaustive list of user responsibilities:

  • Ensure adherence to applicable legislation.
  • Ensure that anyone with access to the system under the NS or organization maintains the confidentiality of their account and password.
  • Ensure that all personnel involved, including new staff, are adequately trained for their roles and understand their responsibilities and the importance of data protection.
  • Evaluate if a data protection impact assessment (DPIA) is required for the specific use-case and context. A DPIA assesses privacy risks associated with the processing of personal data and determines necessary measures to mitigate the identified risks effectively. An outline of DPIAs can be found here (this link is only to provide information about the general DPIA process, your NS or organization may be subject to a different set of requirements).
  • Establish and adhere to a data retention policy that accurately reflects the nature and sensitivity of the personal data processed.
  • Provide adequate and understandable information about personal data processing and any related rights to the data subjects in local language(s), in line with the applicable legislation requirements.
  • Ensure that data subjects can effectively exercise their rights, such as their access, rectification, erasure, and objection rights, or any additional rights granted under the applicable legislation.
  • Have a data breach protocol in place.

Consider any other requirements that may be imposed by applicable legislation.