Data protection (GDPR)
The new General Data Protection Regulation legislation came into effect on Friday 25 May 2018.
The new legislation
On 25 May 2018, data protection law changed with the introduction of the European General Data Protection Regulation (GDPR). It is a significant change for all organisations that hold and process personal data. Voluntary and community organisations will need to overhaul their privacy and data policies in order to be compliant with the new and more stringent regulatory framework.
Brexit will not affect the introduction of this legislation as the UK was still a member of the European Union (EU) at the date of implementation, and the government incorporated GDPR into UK law through the Data Protection Act 2018.
Impact of GDPR
The GDPR affects voluntary and community organisations in one way or another.
If your organisation holds personal data on anyone, including service users and beneficiaries, members, donors and supporters, employees and volunteers this legislation applies to you.
It includes all types of data whether in the form of contact information or any other sort of personal data e.g. information about ethnicity, religious belief, or bank account or credit card information.
A lot of what’s in the GDPR mirrors current law under the Data Protection Act 1998 and guidance published by the Information Commissioner’s Office (ICO). However, GDPR also introduces some new rights and obligations and makes changes to some existing concepts.
Many of the regulations in the GDPR are designed to promote increased transparency and accountability. The legislation demands more rigorous and accountable data practices. Whilst not an exhaustive list some of the key differences to be aware of are:
- increased enforcement powers: maximum fines of up to €20 million or 4% of total annual worldwide turnover of the preceding year, whichever is higher
- extended geographical scope: non-EU businesses will be subject to the regulation if they provide their service to EU organisations or monitor the behaviour of EU residents
- consent: more rigorous criteria will be applied to obtaining individuals’ consent. It must be freely given, specific, informed and unambiguous eg fundraising consent may not be valid if it is given when grouped with non-fundraising matters
- opt-in: crucially, where consent is involved, you must gain explicit, opt-in consent
- profiling: individuals will have the right to object to profiling, which includes most forms of online tracking and wealth screening
- the right to be forgotten: individuals will have the right to request that you delete all their personal data
- enhanced individual rights: individuals will have enhanced rights with new provisions covering the right to access data (replacing subject access requests), the right to be forgotten (the right to request that an organisation delete all their personal data) and the right to data portability
- reporting obligations: you will also have a duty to report certain types of data breach to the ICO and, in some cases, to the individuals affected
What you need to do
In most cases you will need to review your existing practices and introduce new or enhanced data practices from 25 May 2018 onwards. This may include, for example:
- updating your privacy notices (download ICO’s code for further information) which tell people how and why their data is being collected and what it will be used for
- embedding data protection by design and default as part of day-to-day business as usual will no longer be a nicety but an obligation of GDPR
- conducting data protection privacy impact assessments to identify the most effective way to comply with your data protection obligations
- maintaining records of your data processing activities, including how long data is kept for and security measures you have in place
- appointing a data protection officer, which in some instances will be obligatory but will also be considered good practice
- a review of agreements with any third parties that process personal data on your behalf, such as external payroll providers or IT support companies
Key sources of information
The ICO is the UK regulator responsible for interpreting and enforcing GDPR, so their website is the best place to start if you want more information: ICO online information hub on the GDPR
The ICO has a dedicated helpline for questions about GDPR. People from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4.
NCVO has a dedicated webpage on data protection and GDPR for trustees and senior staff.
Brief overviews and ‘How to’ guides
If you want some short, sharp overviews of GDPR for yourself, or to share as first reading with staff, volunteers or trustees, you might find these resources helpful:
- A plain-English summary of data protection responsibilities for community groups, including how to comply with GDPR from the Resource Centre
- DSC: will GDPR affect charities?
- The Guardian on GDPR: how charities should prepare for data protection changes
- NCVO’s 12 point plan: Getting Ready for GDPR
Training and Advice
- NCVO has guidance and training on GDPR including writing a data protection policy Data Protection Reform: an introduction to GDPR for the voluntary sector
- Directory of Social Change (DSC) are running charged for training: upcoming dates
- Protecture has produced a 60 minute online video available on youtube on clearing the haze around the GDPR maze
GDPR and Criminal Records Information
- Read our briefing on the impact of the GDPR on the way you collect, process and store criminal records data
Data Retention and Subject Access Requests
- Charity Digital News offer a helpful overview on what you need to consider in terms of data retention and subject access requests
GDPR will mean changes to consent that will affect how you go about your fundraising and donor based activities. If you raise funds directly from individuals, the following guides look specifically at this:
- IT Governance have written a Compliance Guide which can be downloaded for free
- Charity Digital News, working with Access (a commercial concern who provide CRM software), have written a free 5 step plan, with a particular focus on how your CRM system should be compliant with GDPR
Key bodies, laws and acronyms to be aware of:
- Data Protection Act (DPA)
- Privacy and Electronic Communications Regulations (PECR)
- General Data Protection Regulation (GDPR)
- Information Commissioners Office (ICO), the UK regulator responsible for interpreting and enforcing GDPR
- The Fundraising Regulator (FR)