Charities: are you GDPR ready?
By Elizabeth Scholes – Independent Employment Law and HR Consultant and one of BVSC’s third sector trainers.
Are you compliant with data protection law and prepared for the new General Data Protection Regulation (GDPR) which comes into force in May 2018? There are a number of steps that you need to take in order to ensure that you are compliant.
This article summarises the main changes you need to make in your organisation.
Make sure that key people in your organisation know the law is changing. Implementing the GDPR could have significant resource implications. Compliance could be difficult if you leave your preparations until the last minute.
2. Information you hold
Document what personal data you hold, where it came from and who you share it with. Organise an information audit across your organisation. This will help you to comply with the GDPR’s accountability principle, which requires organisations to show how they comply with the GDPR. If you don’t know what information you hold, how will you know if your consents, privacy notices, lawful bases for processing etc are lawful?
The GDPR also requires you to maintain records of your processing activities. For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records.
3. Communicating privacy information
Review your privacy notices and make any necessary changes before GDPR implementation. When you collect personal data you already have to give people certain information, such as how you intend to use their information.
Under the GDPR you must give people additional information, for example, your lawful basis for processing the data (see below), your data retention periods, the individual’s ability to withdraw consent and that individuals have a right to complain to the ICO.
The information must be provided in concise, easy to understand and clear language, usually in a Privacy Notice.
4. Individuals’ rights
The GDPR includes the following rights for individuals:
This is a good time to check your procedures and to work out how you would respond to a request, for example, to someone asking to have their personal data deleted.
5. Subject access requests
The rules for an individual asking to see data on themselves have changed: Organisations may not generally charge for a request.
6. Lawful basis for processing personal data
Many organisations will not have thought about their lawful basis for processing personal data.
However, under the GDPR, organisations must set this out in their Privacy Notices (and in any subject access request). You should therefore identify the lawful basis for your processing activity, document it and update your privacy notice to explain it.
The lawful bases in the GDPR are as follows:
The law on consent is also changing.
You do not need automatically to obtain new consent in preparation for the GDPR. But it must meet the new GDPR standard set out below.
If not, obtain new, GDPR-compliant consent, or find a different lawful basis for processing to consent.
Consent must be a genuine choice –
If the individual has no real choice or if consent is bundled as a condition as service or if there is a significant imbalance of power between the organisation and the individual, this will not be consent.
Consent must be informed –
When requesting consent, the organisation must identify both itself and also name any third parties who rely on the consent. It is not enough to ask for consent to pass the information on to ‘partners of our choice’.
Consent must be specific –
Where the organisation is seeking consent for multiple purposes or multiple processing activities you must provide separate consent for each.
Consent must be given by a clear statement or action –
You cannot rely on silence, inactivity, default settings or pre-ticked boxes as the basis for consent.
Consent degrades over time –
The time that consent lasts will depend on the specific circumstances. For instance, consent given for a summer offer would expire in the autumn.
Consent can be withdrawn –
Consent should be able to be withdrawn at any time and must be as easy to withdraw as it was to give.
You must keep records of consent
For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking.
If your organisation offers online services to children and relies on consent then you may need a parent or guardian’s consent in order to process their personal data lawfully.
The GDPR sets the age when a child can give their own consent to this processing at 16 (which the Government intends to lower to 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.
9. Data Breaches
Organisations will need to notify more data breaches to the Information Commissioner under GDPR, without undue delay and, where feasible, within 72 hours of awareness. In some cases, organisations must also notify the affected data subjects without undue delay.
You should therefore put procedures in place to effectively detect, report and investigate all personal data breaches. Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
10. Data Protection by Design and Data Protection Impact Assessments
It has always been good practice to adopt a privacy by design approach and to carry out a privacy impact assessment as part of this. However, the GDPR makes privacy by design an express legal requirement. It also makes Data Protection Impact Assessments mandatory where data processing is likely to result in high risk to individuals, for example:
11. Data Protection Officers (DPO)
Under the GDPR you must appoint a DPO in certain circumstances. However, it is always a good idea to appoint a DPO, even if not legally required, especially since the GDPR makes organisations directly accountable for compliance with the GDPR principles. The DPO must have sufficient expert knowledge to carry out the role properly.
Finally, the GDPR applies to organisations which offer goods and services in the EU even if they are not based in the EU.
What you need to do next:
You need to take the following steps: