Data protection (GDPR)
The new General Data Protection Regulation legislation came into effect on Friday 25 May 2018.
The new legislation
On 25 May 2018, data protection law changed with the introduction of the European General Data Protection Regulation (GDPR). It is a significant change for all organisations that hold and process personal data. Voluntary and community organisations will need to overhaul their privacy and data policies in order to be compliant with the new and more stringent regulatory framework.
Brexit will not affect the introduction of this legislation as the UK will still be a member of the European Union (EU) at the date of implementation, and the government plans to use the new Data Protection Bill to incorporate the GDPR into UK law.
Impact of GDPR
The GDPR affects voluntary and community organisations in one way or another.
If your organisation holds personal data on anyone, including service users and beneficiaries, members, donors and supporters, employees and volunteers this legislation applies to you.
It includes all types of data whether in the form of contact information or any other sort of personal data e.g. information about ethnicity, religious belief, or bank account or credit card information.
What will change
A lot of what’s in the GDPR mirrors current law under the Data Protection Act 1998 and guidance published by the Information Commissioner’s Office (ICO). However, GDPR also introduces some new rights and obligations and makes changes to some existing concepts.
Many of the regulations in the GDPR are designed to promote increased transparency and accountability. The legislation demands more rigorous and accountable data practices. Whilst not an exhaustive list some of the key differences to be aware of are:
- increased enforcement powers: maximum fines of up to €20 million or 4% of total annual worldwide turnover of the preceding year, whichever is higher
- extended geographical scope: non-EU businesses will be subject to the regulation if they provide their service to EU organisations or monitor the behaviour of EU residents
- consent: more rigorous criteria will be applied to obtaining individuals’ consent. It must be freely given, specific, informed and unambiguous eg fundraising consent may not be valid if it is given when grouped with non-fundraising matters
- opt-in: crucially, where consent is involved, you must gain explicit, opt-in consent
- profiling: individuals will have the right to object to profiling, which includes most forms of online tracking and wealth screening
- the right to be forgotten: individuals will have the right to request that you delete all their personal data
- enhanced individual rights: individuals will have enhanced rights with new provisions covering the right to access data (replacing subject access requests), the right to be forgotten (the right to request that an organisation delete all their personal data) and the right to data portability
- reporting obligations: you will also have a duty to report certain types of data breach to the ICO and, in some cases, to the individuals affected
What you will need to do
In most cases you will need to review your existing practices and introduce new or enhanced data practices from 25 May 2018 onwards. This may include, for example:
- updating your privacy notices (download ICO’s code for further information) which tell people how and why their data is being collected and what it will be used for
- embedding data protection by design and default as part of day-to-day business as usual will no longer be a nicety but an obligation of GDPR
- conducting data protection privacy impact assessments to identify the most effective way to comply with your data protection obligations
- maintaining records of your data processing activities, including how long data is kept for and security measures you have in place
- appointing a data protection officer, which in some instances will be obligatory but will also be considered good practice
- a review of agreements with any third parties that process personal data on your behalf, such as external payroll providers or IT support companies
Getting ready for GDPR
Key sources of information
The ICO is the UK regulator responsible for interpreting and enforcing GDPR. Their website is the best place to start if you want more information about the GDPR. It’s regularly updated as new materials become available and it contains links to other sources, including guidelines from the Article 29 Working Party of European Data Protection Authorities. For more information visit their dedicated ICO online information hub on the GDPR
The ICO have now launched a dedicated helpline for small groups who have questions on GDPR. People from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.
NCVO has a dedicated webpage on data protection and GDPR for trustees and senior staff.
If you want some short, sharp overviews of GDPR for yourself, or to share as first reading with staff, volunteers or trustees, you might find these resources helpful:
- A plain-English summary of data protection responsibilities for community groups, including how to comply with GDPR from the Resource Centre
- ICO: data protection reform and overview of the GDPR
- DSC: will GDPR affect charities?
- Blackbaud: important impacts of GDPR
- Third Sector News on GDPR: should you be afraid?
- BBC News: could new data laws end up bankrupting your company?
- The Guardian on GDPR: how charities should prepare for data protection changes
How to guides
- the ICO: a 12 step guide to preparing for the GDPR is an accessible first tool to get your head around what you need to consider
- the ICO self-assessment toolkit will help you work out where you are and what you need to do next
- NCVO’s 12 point plan: Getting Ready for GDPR provides a good overview of what to do with links to more detailed information and resources
Training and Advice
- Join us for GDPR discussion groups facilitated by Dr Mary Darking 13 June, 12, 17 and 20 July, 13 September
- NCVO is running charged-for training on GDPR: upcoming dates are listed here Data Protection Reform: an introduction to GDPR for the voluntary sector
- Directory of Social Change (DSC) are running charged for training: upcoming dates
- Protecture has produced a 60 minute online video available on youtube on clearing the haze around the GDPR maze
Data Retention and Subject Access Requests
- Charity Digital News offer a helpful overview on what you need to consider in terms of data retention and subject access requests
The GDPR will mean changes to consent that will affect how you go about your fundraising and donor based activities. If you raise funds directly from individuals, there are changes which you will need to prepare for. The following guides look specifically at this aspect of GDPR:
- Institute of Fundraising: GDPR essentials
- NCVO: Fundraising and the new data protection legislation
- The guardian: Fundraising and consent, getting ready for GDPR
- Civil society: a survival guide to GDPR
- IT Governance have written a Compliance Guide which can be downloaded for free
- Charity Digital News, working with Access (a commercial concern who provide CRM software), have written a free 5 step plan, with a particular focus on how your CRM system should be compliant with GDPR
Key bodies, laws and acronyms to be aware of:
- Data Protection Act (DPA) 1998, EU law
- Privacy and Electronic Communications Regulations (PECR) 2003, EU law
- General Data Protection Regulation (GDPR) 2018, EU law
- Information Commissioners Office (ICO), the UK regulator responsible for interpreting and enforcing GDPR
- Public Fundraising Regulatory Association (PFRA), now replaced by Fundraising Regulator
- Fundraising Standards Board (FRSB), now replaced by Fundraising Regulator
- The Fundraising Regulator (FR)