The General Data Protection Regulation (GDPR) will take effect in the UK and across the EU on 25 May 2018 – in a little under 240 days’ time. To help focus the mind we have christened this “DP-Day”. Information Commissioner Elizabeth Denham has told organisations that there’s no time to delay in preparing for “the biggest change to data protection law for a generation”.
The basic structure of data protection law will remain the same after DP-Day, but the compliance burden will increase significantly on data controllers, including charities (and some data processors – including your IT providers). There are plenty of professional scaremongers about GDPR out there, but just as many data controllers still hiding their heads in the sand. There is no doubt that the new regulatory environment brings new compliance challenges, on top of an already clear trend of stricter enforcement. To date, independent charities may have avoided the harshest forms of penalty, cushioned perhaps by charitable status, but many will have noted with concern that since December last year the ICO (Information Commissioner’s Office, the relevant regulator) has embarked on a new course of issuing fines to charities and its monitoring and enforcement activity is not likely to lessen.
Therefore, charities should be using the diminishing window to get ready well before the new law applies. We are already well into the two-year transition, and have been since 25 May 2016, and there is no further grace period for adjustment once DP-Day hits: the ICO expects you to hit the ground running. This very quick summary of action points is aimed at those who have perhaps been slower out of the blocks.
• Identify a compliance lead within your organisation, and raise awareness. Even if you do not require a Data Protection Officer by law under the GDPR (and the position is still unclear for charities), you will need someone within your organisation to take responsibility and know their stuff – whatever their job title. This does not have to be a standalone role (it may fit well into the existing role of someone with the necessary skills) but it is important not to silo this as an IT issue. Data protection compliance is a top-down issue and goes far beyond your cyber set-up.
• Ensure you are on top of the ICO guidance. There is some GDPR material already available on its website, although far less than was expected at this stage. The diversion of Brexit was perhaps to blame for this backlog, but since government confirmation that the GDPR will take effect as planned, a busier programme of new ICO guidance is underway in 2017.
• Carry out a mini-audit of the personal data you hold and use, and why. We can provide a simple matrix for this if required. Questions include: What nature of information do you hold on individuals? Where does it come from? What do you use it for? Do you share it with others? Are all your stakeholders fully aware of what you are doing with their data? Where you are relying on consent, will your existing consents be valid under the GDPR?
• Identify any areas of potential vulnerability or gaps in your organisational knowledge. Focus on these with the relevant people at the charity, or external advisers if you have particular concerns.
• Table a review of your data collection forms and contracts. Consider whether changes are needed to these (to capture better consents), to the wording of your information collection documents, and to your contracts with third parties where there may be a data security aspect (IT services, hard copy and digital storage, even cleaning contractors). Where the terms of these contracts run beyond 25 May 2018, the effect of the new law will already be relevant to them.
• Work on your privacy policies (if you have not done so recently already). Providing relevant individuals with full, GDPR-compliant, details of your data processing activities will be very important. It may also require consideration in the context of IT policies, CCTV and use of images, staff training and safeguarding / bullying policies (namely in safe and responsible information sharing protocols). That is not to say that GDPR will make any of these harder or more impractical, but (noting especially the additional rights granted to individuals to control how organisations use their data) it does emphasise the need to think about all these issues in the context of the new law.
• Get familiar with new or changing concepts:
- Registration. The need to notify your activities on a central register will be abolished as a requirement of European law, but may be replaced by a levy.
- Applicability. For the first time, data processors such as cloud storage providers or intranet hosts will have direct obligations under the law (and your contracts with them will need updating).
- Consent as a basis of processing: tougher rules on what constitutes legal consent (including for marketing). The ICO has put back publication of final “post-GDPR Consent” guidance to December, but encourages data controllers to start working from its existing guidance.
- Legitimate interests as a basis of processing: tougher rules apply here too. Under GDPR, an individual will be able to challenge your reasons for using their data and prevent further processing unless you show “compelling” legitimate interests – so the burden is on the charity. Recent ICO decisions about how charities use data make for a clear indicator that enforcement of the existing law is already heading in this direction.
- New and expanded data subject rights: We will not set these out in detail here, but they increase the imperative for getting your business GDPR-ready. Charities already used to dealing with intrusive data subject access requests will find these rights are supported by an additional cluster of other rights enabling a person to object to certain ways in which his or her data is used.
- Transparency and accountability. These buzzwords occur throughout the GDPR. Much fuller information is required from data controllers about what they do with data and what people can do to stop them. On demand, the burden lies with data controllers to demonstrate compliance with the data protection principles.
We appreciate this is already a lot to take in, but specific updates on the GDPR and information law are available via Farrer & Co’s newsletters and briefings at www.farrer.co.uk; from the Information Commissioner’s Office at www.ico.org.uk; and at www.civilsociety.co.uk. For those involved in fundraising, the Institute of Fundraising also has guidance.
Farrer & Co
This article is a general summary of the law. It should not replace legal advice tailored to your specific circumstances. The opinions expressed in this document are not necessarily the views held throughout Brewin Dolphin Ltd.