General Data Protection Regulation (GDPR)
Charities must act now to get ready for new data protection law coming into effect in May 2018.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new law which is part of a wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to a person who can be directly or indirectly identified in particular by reference to an identifier. You can find more detail in the Information Commissioner’s Office’s Guide to the GDPR.
As a small charity what do we have to do?
The ICO has also created a number of tools aimed at small and micro organisations, and charities including:
- Getting Ready for the GDPR – a practical self-assessment tool
- 12 Steps to Take Now
- Dedicated Advice Line - 0303 123 1114
Why is this important?
The GDPR is an evolution of the existing law to strengthen consumer protections. If you are already complying with the principles of the Data Protection Act 1998 and have an effective data governance programme in place, then you are already well on the way to being ready for the GDPR.
The new legislation will need charities to look carefully at the way they do things. GDPR places more obligations on organisations to be accountable for their use of personal data, for example with strengthened rules regarding consent and duties about reporting data breaches. GPDR also requires greater transparency regarding the way in which people’s information is used.
Citizens will have more rights in areas such as being better informed about what organisations are doing with their data and having greater access and control over their data. For example, in certain circumstances people will have the right to request that data about them is erased. GDPR means bigger fines for those organisations that get it wrong. Failure to comply can have both reputational and financial costs.
To get an idea of what is involved, read through this list of things to do from the ICO and then click through to their website for more information.
12 Things to Do Now:
- Awareness - You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
- Information you hold - You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- Communicating privacy information - You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ rights - You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests - You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- Lawful basis for processing personal data - You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent - You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Children - You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- Data breaches - You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments - You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
- Data Protection Officers - You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
- International - If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.