Data protection (GDPR)

The new General Data Protection Regulation legislation comes into effect on Friday 25 May 2018


The new legislation

On 25 May 2018, data protection law will change with the introduction of the European General Data Protection Regulation (GDPR). It is a significant change for all organisations that hold and process personal data. Voluntary and community organisations will need to overhaul their privacy and data policies in order to be compliant with the new and more stringent regulatory framework.

Brexit will not affect the introduction of this legislation as the UK will still be a member of the European Union (EU) at the date of implementation, and the government plans to use the new Data Protection Bill to incorporate the GDPR into UK law.


Impact of GDPR

The GDPR will affect voluntary and community organisations in one way or another.

If your organisation holds personal data on anyone, including service users and beneficiaries, members, donors and supporters, employees and volunteers this legislation applies to you.

It covers all types of personal data, from contact details to more sensitive information: special category data such as ethnicity or religious belief, and financial information such as bank account or credit card details.


What will change

A lot of what’s in the GDPR mirrors current law under the Data Protection Act 1998 and guidance published by the Information Commissioner’s Office (ICO). However, GDPR also introduces some new rights and obligations and makes changes to some existing concepts.

Many of the provisions in the GDPR are designed to promote increased transparency and accountability, and the legislation demands more rigorous and accountable data practices. Whilst not an exhaustive list, some of the key differences to be aware of are:

  • increased enforcement powers: maximum fines of up to €20 million or 4% of total annual worldwide turnover of the preceding year, whichever is higher
  • extended geographical scope: organisations outside the EU will be subject to the regulation if they offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU
  • consent: more rigorous criteria will be applied to obtaining individuals’ consent. It must be freely given, specific, informed and unambiguous eg fundraising consent may not be valid if it is given when grouped with non-fundraising matters
  • opt-in: crucially, where you rely on consent it must be given by a clear affirmative action; pre-ticked boxes, silence or inactivity do not count as consent, and explicit consent is required for special category data
  • profiling: individuals will have the right to object to profiling, which includes most forms of online tracking and wealth screening
  • the right to be forgotten (the right to erasure): in certain circumstances individuals will have the right to request that you delete their personal data
  • enhanced individual rights: the right of access continues (subject access requests), but in most cases the request must be answered within one month and free of charge; there is also a new right to data portability
  • reporting obligations: you will also have a duty to report certain types of personal data breach to the ICO within 72 hours of becoming aware of them and, where the breach is likely to result in a high risk to the individuals affected, to those individuals as well


What you will need to do

In most cases you will need to review your existing practices and introduce new or enhanced data practices from 25 May 2018 onwards. This may include, for example:

  • updating your privacy notices, which tell people how and why their data is being collected and what it will be used for (the ICO's privacy notices code of practice gives further information)
  • embedding data protection by design and by default in day-to-day business: under the GDPR this is no longer a nicety but an obligation
  • conducting data protection impact assessments (DPIAs) for processing likely to result in a high risk to individuals, to identify the most effective way to comply with your data protection obligations
  • maintaining records of your data processing activities, including how long data is kept for and the security measures you have in place
  • appointing a data protection officer, which in some instances (for example public authorities and organisations processing special category data on a large scale) will be obligatory and in all cases is considered good practice
  • reviewing agreements with any third parties that process personal data on your behalf, such as external payroll providers or IT support companies; the GDPR requires a written contract containing specific terms with every such processor


Getting ready for GDPR

Key sources of information

The ICO is the UK regulator responsible for interpreting and enforcing the GDPR. Its website is the best place to start if you want more information about the GDPR. It is regularly updated as new materials become available and contains links to other sources, including guidelines from the Article 29 Working Party of European data protection authorities. For more information, visit the ICO's dedicated online information hub on the GDPR.

The ICO have now launched a dedicated helpline for small groups who have questions on GDPR. People from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.

NCVO has a dedicated webpage on data protection and GDPR for trustees and senior staff.


Brief overviews

If you want some short, sharp overviews of GDPR for yourself, or to share as first reading with staff, volunteers or trustees, you might find these resources helpful:


How to guides


Training and Advice

Data Retention and Subject Access Requests

Fundraising

The GDPR will mean changes to consent that will affect how you go about your fundraising and donor-based activities. If you raise funds directly from individuals, there are changes which you will need to prepare for; note that electronic marketing such as fundraising emails and texts is also governed by PECR. The following guides look specifically at this aspect of the GDPR:


IT

  • IT Governance have written a Compliance Guide which can be downloaded for free
  • Charity Digital News, working with Access (a commercial concern who provide CRM software), have written a free 5 step plan, with a particular focus on how your CRM system should be compliant with GDPR


Jargon buster

Key bodies, laws and acronyms to be aware of:

  • Data Protection Act (DPA) 1998, UK law implementing the EU Data Protection Directive 95/46/EC; to be replaced by the Data Protection Bill
  • Privacy and Electronic Communications Regulations (PECR) 2003, UK law implementing the EU ePrivacy Directive, covering electronic marketing such as email, text and telephone calls
  • General Data Protection Regulation (GDPR), EU Regulation 2016/679, adopted in 2016 and applying from 25 May 2018
  • Information Commissioner's Office (ICO), the UK regulator responsible for interpreting and enforcing the GDPR
  • Public Fundraising Regulatory Association (PFRA), the regulator of face-to-face fundraising, merged into the Institute of Fundraising in 2016
  • Fundraising Standards Board (FRSB), now replaced by the Fundraising Regulator
  • The Fundraising Regulator (FR)