What do charities need to know and do in order to comply with GDPR.
What is the GDPR?
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It is a harmonisation of and update to existing data protection legislation in the EU, in response to the immense technological changes in the way data is now accessed and used. These changes aim to increase protection for consumers by placing the onus on individuals and organisations to handle personal data correctly and securely. If they do not, they run the risk of reputational damage, sanctions and fines.
Does it apply to my charity?
In short, yes. The GDPR applies to the processing of all personal data where the controller or processor:
- is in the EU; and/or
- offers goods and services to (even if free) or monitors EU data subjects. This means any individual or organisation operating within the EEA is covered, irrespective of their size or location.
The government has now confirmed that a Data Protection Bill will be introduced later this year to bring the UK’s legislation into line with the GDPR. So, Brexit or not, the GDPR is here to stay.
What does this mean for charities?
All charities will have to ensure they are GDPR compliant by 25 May 2018, in the same way that they have to currently comply with the Data Protection Act (DPA). This will not necessarily mean wholesale changes. The basic principles of the GDPR are the same as the DPA, but there will be changes. At the very least, a “Privacy by Design” approach needs to be embraced.
Privacy by Design?
This means you must always implement technical and organisational measures to show that you have considered and integrated privacy and data protection into your processing activities. You should do this throughout the lifecycle of any particular project, not just when it is first implemented. It should inform your approach when installing a new IT system or using data for new purposes, for example. You must also apply it when you change working practices or reconfigure your office space, as these can have privacy implications regarding, for example, the storing and disposal of data.
What is the same?
- The GDPR still applies to “personal” data. However, what constitutes personal data has been expanded to include, for example, IP addresses.
- The definition of “processor” and “controller” are unchanged, but the responsibilities of each will be expanded.
- The ICO will remain as the UK’s lead supervisory authority.
- The principles of data processing (as enshrined in the Data Protection Act 1998) still apply, but there is now a new principle of “accountability”.
- If data is transferred outside of the EU, organisations will still need to prove “equivalence” to ensure such transfers are lawful.
What are the main changes?
Most of these are just “tweaks”, but the potential sanctions for non-compliance means they cannot be ignored.
- Data processors must maintain records of their processing activities and can be liable if responsible for a breach.
- Data controllers must review, amend if necessary and document contracts with processors to ensure they are GDPR complaint.
- The “Accountability Principle” means that you must document what you have done and why.
- There must be greater focus on the legal basis for processing data, ie, organisations must document the legal basis for their data processing activities. These include legitimate interest and consent, if necessary for the performance of a contract. The rights of the data subject vary according to the legal basis for processing.
- “Privacy Impact Assessments” are required to evaluate the risk to individuals’ rights when using new technology or changing procedures.
- There are stricter rules on what constitutes “consent”.
- There are enhanced rights for individuals: the right to be informed, object and be forgotten, as well as rights regarding access, rectification, erasure, restrictions on processing, data portability and automated decision making.
- In relation to “Subject Access Requests”, there should be a quicker response time and no charges allowed.
- The Data Protection Officer is a new and senior role, but not mandatory for all organisations.
- Breaches must be reported to the ICO within 72 hours by both processors and controllers. Failure to report will result in a fine. Only those breaches that could cause harm to data subjects need to be reported, but all breaches should be recorded by the organisation concerned.
- Increase in maximum fines (greater than 20 million euro or 4% of global annual turnover).
What do I need to do?
The ICO and the EU are finalising guidance on how to implement the GDPR (expected early 2018), but the following is what charities should do now.
1. Raise awareness
- Senior management, including the Board, need to understand the changes required by the GDPR and the budgetary implications. They will need to develop a plan for implementing the changes and to monitor progress.
- It is not just a matter for the IT department. HR, for example, will need to review employment contracts and their job application process; procurement departments will need to review their contracts with processors or cloud providers; and marketing departments will need to review how they obtain consent. All must be GDPR compliant.
- All staff will need some training but this can be tailored to their role. Most staff will not need an in depth analysis of the GDPR. However, they will benefit from a brief introduction and tips on how to prevent breaches by following simple security measures such as password safety and the disposal of data, including paper records. Most breaches are caused by human error and can be easily prevented.
- The responsibilities of data controllers and data processors will change. They need to be very clear on their status and how this will impact on their compliance with the GDPR.
- A Data Protection Officer will need to be appointed. This is only applicable for some organisations, but the person appointed must be of sufficient seniority, independence and appropriately resourced to ensure GDPR compliance is taken seriously throughout the organisation.
2. Review and assess any personal data held by the organisation
- Organisations should undertake a review of the personal data they hold, what they do with it, how long it is held, where it is held and who else has access to it. This can be used as part of a “Privacy Impact Assessment” (required under the GDPR) to assess any risk areas or gaps.
- Review who else holds your data (eg, cloud providers or organisations outside the EU) and check they are GDPR compliant.
3. Draft Data Protection policies and procedures
- As part of the “accountability” principle organisations must draft and document their data protection policies and procedures to include:
o policies to deal with the increased rights of data subjects;
o reporting lines and areas of responsibility; and
o what to do in the case of a breach.
- Privacy notices must be written or rewritten to make sure they are easily understood. They must also be readily available to all, including employees, customers and suppliers.
4. Review security and plan for the worst
- The best way to avoid fines and sanctions is to prevent breaches in the first place. Now is a good time to review and improve your cyber security. You can do simple things such as reviewing the policy on staff using their own devices, encryption, installing firewalls or a more comprehensive overhaul.
- Document how you maintain security over your data. In the case of a breach, the fact that you have tried to prevent breaches will be a mitigating factor.
- If a breach does occur you will need to have response plan in place so you can alert the ICO and deal with any affected data within 72 hours of the breach. This plan needs to be documented and tested before a breach occurs.
5. Stay informed
Although the final guidance from the ICO has yet to be published, there is still plenty of information available: