
Migration 3: What Happens When Your GDPR Officer Opens Pandora’s Box

The Audit That Changes Everything

More charities and voluntary organisations across Ireland and the UK are now hiring GDPR officers or undergoing external GDPR audits as a condition of funding or accreditation.

For most organisations, the day-to-day systems seem fine. The website has a privacy policy. Staff understand the basics of data handling. Email is managed appropriately.

And then the auditor looks at the database.

What They Typically Find

In legacy systems – Access databases, FoxPro, and bespoke systems built in the 1990s or 2000s – GDPR officers often find several serious problems.

1. Data Stored in Plain Text

FoxPro databases in particular often store data in plain text. There is no encryption. Anyone with access to the file can open it and read every record: names, addresses, dates of birth, medical notes, and financial records, all sitting there unprotected.

GDPR requires personal data to be stored securely. Plain text storage does not meet that standard.

2. Records Kept Far Beyond Retention Limits

GDPR is clear that personal data should not be kept longer than necessary for the purpose for which it was collected. In legacy databases, it is common to find records going back 15 or 20 years: people who left the organisation long ago, former members, former clients, and people who may not even realise their data is still being held.

There is often no clean way to delete individual records. The database was never designed with retention rules in mind.

3. No Practical Way to Honour Subject Access Requests

Under the GDPR, any individual can submit a Subject Access Request, a formal request for all the data an organisation holds about them. The organisation has one month to respond.

In a legacy database, that can be very difficult in practice. The data may be spread across multiple tables, linked by relationships that are no longer fully intact. Producing a complete picture of everything held about one person may require weeks of manual effort.

4. No Practical Way to Honour the Right to Erasure

Individuals also have the right to request that their data be deleted. In a modern system, that is usually a defined process. In a legacy database, deleting one person’s records while keeping related records intact – and preserving data integrity – may be genuinely difficult or impossible.

 

The Funding Connection

This is where the issue becomes especially serious for charities.

Government funding for voluntary organisations in Ireland and the UK increasingly comes with conditions around governance and data protection. A GDPR officer who cannot sign off on a system is not a minor inconvenience. It is a finding that goes into an audit report. That report goes to the board, and the board may be required to disclose it to funders.

Funders, particularly statutory bodies, take governance seriously. An organisation that cannot demonstrate GDPR compliance may find its funding reviewed, reduced, or in more serious cases, withdrawn.

At that point, the legacy database is no longer just an IT problem. It is a governance problem, and governance problems have financial consequences.

What the GDPR Officer Actually Needs

A GDPR officer who flags a legacy database is not asking you to fix everything overnight. They usually need to see a plan – evidence that the organisation has recognised the problem and is taking steps to address it.

A written quote from a reputable developer, a timeline, and a commitment to migrate the data to a GDPR-compliant system are often enough to satisfy an auditor in the short term while the work is being carried out.

That is exactly the kind of plan we can help you put together, at no cost and with no obligation.

Ready to Have a Conversation?

If you have read this series and recognised your organisation in it, the next step is simple. Get in touch. We will have a chat, ask a few questions, and give you an honest view of what is involved. No charge. No obligation.

Contact iWorks
