The New General Data Protection Regulation: What Should Charities Be Doing Now?
The Government has confirmed that the new EU General Data Protection Regulation 2016 (‘GDPR‘) will become a reality for the UK on 25 May 2018. This will replace the current Data Protection Act 1998 (‘Act‘) and bring significant changes to the data protection framework across the EU, to bring the law up to date with the digital economy. There will be no further grace period following the GDPR’s implementation and the Information Commissioner’s Office (‘ICO‘), the data protection regulator for the UK, expects all organisations, including charities, to hit the ground running.
Personal data is fundamental to the work of many charities and critical to fundraising campaigns, relationships with service-users and all communications with beneficiaries, supporters, donors and members. The new rules regarding the collection, use and retention of personal data represent a major change. However, our overriding message to charities is not to panic but, in view of your responsibilities over that valuable data, to start planning for GDPR compliance now by:
- Identifying gaps between the current requirements and those in the GDPR, and prioritising the areas where the GDPR is likely to have the greatest impact on your charity; and
- Gaining ‘buy-in’ from key people and decision makers in your charity so they appreciate the law is changing and the impact and resource implications this is likely to have.
In this note, we provide a high-level snapshot of some of the key changes, together with our recommended action points, to help you get to grips with the GDPR:
KEY CHANGES AND CONCEPTS
New definition of personal data to include online identifiers (such as an IP address) and location data.
Ensure you are treating such information as personal data.
New definition of “special categories of data” (which replace sensitive data under the Act) to include genetic and biometric data. Information about criminal convictions which was previously included in the definition is however now treated separately and subject to tighter controls.
Ensure you process such information in accordance with the higher level of protection afforded to it in the GDPR e.g. with the explicit consent of individuals.
Registration: As an overarching theme of the GDPR is the principle of accountability, you will no longer need to register with the ICO. Instead, if you employ over 250 employees, process “special categories of data” (e.g. health related information) or your data processing activities are likely to result in high risk to individuals, you will need to maintain detailed documentation recording your processing activities as specified in the GDPR, and make these available to the ICO on request.
It will be mandatory to appoint a Data Protection Officer (‘DPO‘) in certain cases, in particular where your core activities involve the processing of large volumes of personal data, or you process large volumes of “special categories of data” or information about criminal convictions. The DPO will need sufficient expert knowledge and the role will have specific functions as set out in the GDPR.
Mandatory breach notification for data controllers: You must report any breach of personal data to the ICO without undue delay (where feasible within 72 hours) unless it is considered unlikely to result in a risk to the rights of individuals. In addition, you will be required to notify individuals affected by a breach where it is likely to result in a high risk to them.
Increased fines for non-compliance: The maximum fines of the ICO will increase from £500,000 to up to 20 million euros.
Even though the ICO’s recent fines on charities for breaking data protection law were reduced by 90%, it will no longer be possible to regard non-compliance as a low-risk issue (if you ever did), especially combined with the likely damage to your reputation if things go wrong.
Direct obligations on data processors for the first time e.g. to maintain records of processing activities and implement adequate security measures to protect personal data. As a result, the ICO will also be able to impose fines on a data processor for breach of their obligations.
Greater transparency with individuals: You will need to give more information to individuals at the time their personal data is collected in your privacy notices. This will include information about your data retention periods and their rights to withdraw consent at any time (and how to do this) and to complain to the ICO if they think there is a problem with how their data is handled. The GDPR also requires information to be provided in concise, easy to understand and clear language.
A higher standard for consent where consent is used as the basis for processing personal data (which will be the case in relation to e.g. your direct fundraising campaigns): In addition to the existing requirement for consent to be freely given, specific and informed, consent will need to be “unambiguous” and given “by a statement or clear affirmative action”. Other key new points are that:
Enhanced subject access rights: You will no longer be able a charge a fee to respond to a subject access request (‘SAR‘). You must also:
In addition to the retention of the right to object to direct marketing, new rights for individuals will include:
Profiling (any automated processing examining personal data intended to evaluate certain personal aspects of an individual e.g. a donor’s behaviours and preferences) is now a discrete data processing activity: The GDPR includes enhanced information and consent requirements where profiling takes place and a duty to honour an individual’s right to object.
If you conduct profiling, the prior consent of individuals is likely to be required.
Develop a template PIA to be used in any upcoming major projects from the outset.
Children: Specific rules will apply to children (which in the UK is likely to be defined for data protection purposes as those under 13). Processing of their data will only be lawful if a parent or guardian consents to it.
If you collect information about children, you will need to make reasonable efforts to verify that consent was in fact given by a child’s parent or guardian.
Contact our charity law experts today
We appreciate that there is a lot to consider and the new features of the GDPR will bring compliance challenges on top of the already increasingly tough stance towards data protection enforcement being taken by the ICO, Charity Commission and new Fundraising Regulator. We would be very happy to support you by examining how the GDPR may affect your charity and assisting you to gear up for the GDPR in relation to any areas of potential vulnerability.
 Any person who (either alone or jointly or in common with others) determines the purposes for which and the manner in which any personal data is to be processed.
 Any person (other than an employee of the data controller) who processes personal data on behalf of the data controller.
 Remember you do not always need consent – alternative lawful grounds for processing personal data include that the processing is necessary for the performance of a contract or to comply with a legal obligation, or if you have a genuine and legitimate reason.
 Included in the ICO’s draft guidance on consent under the GDPR published on 2 March 2017. The consultation in respect of it is open until 31 March 2017 and the ICO expects to publish its finalised guidance in May 2017. Please note that whilst this is only draft guidance, it is unlikely to change much before it is finalised.
Contact our office
Make an enquiry