The General Data Protection Regulation (GDPR) is Coming Our Way - Are You Ready?
From the 25th of May the current Data Protection Act (DPA) will be replaced by the General Data Protection Regulation (GDPR). The GDPR revises data protection legislation, and everyone, including charities, will have to meet the new standards.
Whilst much of the legislation from the DPA will remain, GDPR looks to reinforce certain elements. The key changes from the DPA include:
- Evidencing compliance: the most significant change from the previous regulations is the need to evidence compliance. The GDPR requires organisations to show that every process involving personal data has been considered and recorded. That means keeping a record of what you are doing and when.
- Individual rights: previously, individuals were able to ask to see all data an organisation held about them, and ask for any inaccuracies to be corrected. This process incurred a fee. Now it’s free and individuals can also request to have their data removed, to withdraw their consent, or to have their data given to them in a portable manner.
- Categories of data: the new regulations have altered the ways in which organisations need to categorise personal and sensitive personal data.
One of the other key changes is how non-compliance will be managed. Non-compliance can now result in fines of 4% of annual turnover or up to €20m, whichever is higher. So, with 93 days to go at the time of writing (there is a handy, if somewhat ominous, countdown clock here), we’ve drawn together some of the most useful starting points.
Firstly, who does the GDPR apply to?
- The GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- If you are a controller, the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
To find out more about definitions and key legal principles, follow the link above or click here.
Chances are if you are reading this you are a charity and first thoughts may have turned to the implications of the GDPR on fundraising and reaching new supporters. However, the requirements will apply across the board, to campaigning, marketing, managing volunteers and recording information about service users – anything that involves processing an individual’s personal data.
The broad scope of ‘anything that involves processing an individual’s personal data’ can be broken down into the following 6 principles.
Personal data should be:
- Processed fairly, lawfully and in a transparent manner.
- Used for specified, explicit and legitimate purposes.
- Used in a way that is adequate, relevant and limited.
- Accurate and kept up to date.
- Kept no longer than is necessary.
- Processed in a manner that ensures appropriate security of the data.
The scope of this Regulation really does mean that an organisation-wide approach will be needed and, importantly, volunteers as well as paid staff must be trained and equipped to protect data. To help with this process the Information Commissioner’s Office has produced a 12-step guide to preparing for the GDPR (reproduced below); for further detail on each of the steps, click here.
- Awareness: You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
- Information you hold: You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- Communicating privacy information: You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ rights: You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests: You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- Lawful basis for processing personal data: You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent: You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Children: You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- Data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments: You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
- Data Protection Officers: You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
- International: If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
This has been a general introduction to familiarising oneself with the GDPR, using information from some of the main sources covering this change in legislation. However, if you have read or used anything else that has been useful to getting to grips with the GDPR please do comment on the blog/add to the forum or email it to the Flourishing Lives team!