
The General Data Protection - Are You Ready?

on Friday, 20 October 2017.

From May 2018 the General Data Protection Regulation (GDPR) will apply, increasing fines and introducing new requirements for charities.


Data protection is a vital consideration for every charity, and it is important that the impact of the new regulation is considered in advance.

What is the GDPR?

The GDPR is a comprehensive regulation produced by the European Commission, and covers all aspects of data protection. Despite Brexit, the Government has confirmed that the GDPR will apply from 25 May 2018, superseding the current Data Protection Act 1998 (the DPA).

It is unclear precisely how the GDPR will apply in practice, as Member States are given a degree of discretion over how it will work. In addition, the GDPR anticipates that Member States will work together to ensure a uniform approach to data protection law following its implementation. It is not clear how this will work for the UK in the context of Brexit. However, enough is currently known for charities to begin preparing for compliance with the GDPR.

How charities should be preparing for the GDPR

The GDPR will apply to all organisations which process personal data. There is no exemption for charities, nor is there an exemption for volunteers. In fact, the ICO has fined a number of charities for data protection breaches in the last year, so it is important that charities take their responsibilities under the DPA and the GDPR seriously.

The risks of non-compliance are significantly greater under the GDPR than under the DPA. For example, maximum fines will increase from £500,000 under the DPA to the higher of £17 million and 4% of turnover for certain breaches under the GDPR. It is therefore even more important that charities start taking the changes on board and take steps to ensure GDPR compliance in advance of May 2018.

Key Points that Charities Should Be Considering

Record Keeping

The GDPR imposes extensive requirements around record keeping and being able to show a paper trail of compliance. These records must contain, for example, information about the purposes of processing and a description of the categories of data subject and categories of personal data.

Reporting

The GDPR creates a new obligation to report data breaches to the Information Commissioner's Office (the ICO), which will apply in the majority of cases. Currently, breach reporting is not mandatory.

Policies and Procedures

The GDPR makes explicit reference to having data protection policies (although in practice this is already a requirement under the DPA). Charities should therefore ensure that they have policies in place which provide practical guidance to staff, particularly around information security.

Privacy Notices

Individuals have a right to be given certain information about how a charity handles their data, which is usually provided in a document known as a privacy notice. The GDPR will require additional information to be included in privacy notices. For example, individuals must be told about their right to complain to the ICO. The GDPR also requires privacy notices to be written in clear and plain language. 

Information Security

Under the current law charities are required to take appropriate technical and organisational measures to keep personal data safe. The GDPR expands on these obligations, for example by referencing specific measures such as encryption, pseudonymisation and privacy by design.

Data Processors

A data processor is anyone who handles personal data on behalf of a charity (e.g. a cloud storage provider). Charities will need to check that their data processors are GDPR compliant. The DPA already requires that there is a written contract in place between the two parties, but the GDPR mandates additional requirements around the wording which must be included in the contract.

Fundraising and Consent

The GDPR sets a higher standard for consent than the DPA. For example, blanket consents are insufficient, as are pre-ticked boxes and consents 'hidden' in general terms and conditions. It must also be as easy to withdraw consent as it was to give it. These changes reflect the idea that consent is not a one-off tick box procedure, but is an ongoing and actively managed choice. Charities should review all consents, as any not given in line with the GDPR requirements will have to be revisited. This is particularly relevant for any consents obtained for fundraising.

In the last year the ICO has issued monetary penalties to multiple charities due to breaches relating to their fundraising practices, which demonstrates the ICO's increased focus on this area. Examples of practices from which the breaches stemmed are carrying out wealth analysis on supporters to estimate their capacity to make further donations, and swapping the personal data of donors or potential donors with other charities. Charities should review their data protection and fundraising practices, particularly whether what they are doing requires consent, and if so, whether that consent meets the GDPR standards.

Privacy Impact Assessments (PIAs)

If a charity plans to handle personal data in a way that represents a 'high risk' to individuals then the GDPR will require the charity to carry out what is known as a privacy impact assessment. The requirement to carry out a PIA is subject to further implementation but it is likely that activities such as introducing a new IT system will trigger an obligation to carry out a PIA.

Subject Access Requests (SARs)

The GDPR preserves an individual's right to request a copy of the data held about them (a SAR), with some changes. In most cases, a charity will have just one month to respond to a SAR, rather than the 40 day time period under the DPA. Charities should therefore consider what measures they need to put in place to ensure that SARs are dealt with within the shorter statutory timeframe.

New Rights (Such as the Right to Be Forgotten)

Various new rights will be introduced by the GDPR. The right to be forgotten, for example, requires the charity to delete personal data in certain circumstances. Charities should ensure that there are processes in place to allow these rights to be exercised.

For further advice and support, please contact Andrew Gallie on 0117 314 5623.
