The General Data Protection Regulation (GDPR) coming into force in May 2018 introduces additional compliance requirements for all organisations, including charities and not for profit organisations.
GDPR is the replacement to the Data Protection Act 1998 and is the first major overhaul of data protection law for 20 years. The world has changed a lot in that time and the new rules have been written to take account of data processing in a modern age.
GDPR covers the use of “personal data” by entities that control or process such data. Personal data is any information related to a person that can be used to identify them. This includes names, addresses, email addresses and phone numbers, as well as more sensitive data such as bank details, medical records or employment history.
The new rules apply to all organisations processing personal data and make no distinction between commercial entities, such as recruitment companies, and not for profit organisations and charities.
A key initial step is to carry out an audit of the information the organisation holds, to understand what personal data is held, where it is held, why it is required, how it is used, and whether it is up to date. Once you have audited the information held, you can identify the risk level of the data and look to implement appropriate protection.
It is a good idea to designate someone within the charity to have responsibility for data protection. Whilst this is a requirement only for larger organisations, having a named person ensures accountability and responsibility for complying with the requirements.
Key new requirements of GDPR
Consent must be obtained to use or process personal data. All consent requests must be prominent, unambiguous and not form part of general terms and conditions. Crucially, the concept of ‘implied consent’ will no longer exist.
You will need to obtain confirmation from donors/members that the organisation can use their data, for example by asking them to tick a box on your website. This can be done when new members join or at the time of renewal for existing members. Ensure procedures are in place for retaining records that evidence consent, as you may be required to prove that you have it. You must also tell them what you will be using their data for.
The right to be forgotten is another new requirement, meaning people can request that their data be deleted. This should be an easy, one-step process; it will no longer be enough just to suppress those records.
GDPR also reinforces and expands on some existing requirements, such as the right of access by the individual to the personal data held about them. Also, it makes a more explicit demand that data must only be used for the purposes for which the person has given consent.
Organisations will need to put processes in place to manage the personal data, along with compliance plans to ensure the appropriate controls and procedures are in place.
Enforcement and risks
Personal data breaches (a breach of security leading to the accidental or unlawful access to, destruction of or misuse of personal data) will have serious consequences for organisations under the GDPR. If a data breach occurs, the organisation will need to inform the Information Commissioner’s Office without delay (ideally within 72 hours). In addition, it will be required to inform the affected subjects of the nature of the data breach and recommend what actions they should take to mitigate the negative impact. Charities may also need to inform the Charity Commission.
This may lead to negative publicity and damage to reputation that affects the income of your organisation and, in severe cases, its viability. Data breaches caused by serious non-compliance with the GDPR will be punishable by fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher.
Make sure you have a plan in place so you know what to do in the event of a data breach. Such a plan should include a policy to be followed in the event of a breach and staff training on what to do in such circumstances.
What to do now
It is important that charities and not for profit organisations start planning for GDPR compliance now so that they can ensure key people and decision makers understand the requirements and the impact GDPR may have on the organisation, its policies and procedures and its training requirements. The ICO has published a guide of 12 Steps you can take now to prepare for GDPR, and this is available for download from their web site.
4Cambridge provide a wide range of data compliance and security advice, and this includes helping prepare for GDPR. For more information you can call 01223 728 205 or email hello@4cambridge.co.uk.