The New General Data Protection Regulation: What Should Charities Be Doing Now?

Blog

27 Mar, 2017

The Government has confirmed that the new EU General Data Protection Regulation 2016 (‘GDPR‘) will become a reality for the UK on 25 May 2018. This will replace the current Data Protection Act 1998 (‘Act‘) and bring significant changes to the data protection framework across the EU, to bring the law up to date with the digital economy. There will be no further grace period following the GDPR’s implementation and the Information Commissioner’s Office (‘ICO‘), the data protection regulator for the UK, expects all organisations, including charities, to hit the ground running.

Personal data is fundamental to the work of many charities and critical to fundraising campaigns, relationships with service-users and all communications with beneficiaries, supporters, donors and members. The new rules regarding the collection, use and retention of personal data represent a major change. However, our overriding message to charities is not to panic but, in view of your responsibilities over that valuable data, to start planning for GDPR compliance now by:

Identifying gaps between the current requirements and those in the GDPR, and prioritising the areas where the GDPR is likely to have the greatest impact on your charity; and
Gaining ‘buy-in’ from key people and decision makers in your charity so they appreciate the law is changing and the impact and resource implications this is likely to have.

In this note, we provide a high-level snapshot of some of the key changes, together with our recommended action points, to help you get to grips with the GDPR:

KEY CHANGES AND CONCEPTS	ACTION POINTS
New definition of personal data to include online identifiers (such as an IP address) and location data.	Ensure you are treating such information as personal data.
New definition of “special categories of data” (which replace sensitive data under the Act) to include genetic and biometric data. Information about criminal convictions which was previously included in the definition is however now treated separately and subject to tighter controls.	Ensure you process such information in accordance with the higher level of protection afforded to it in the GDPR e.g. with the explicit consent of individuals.
Registration: As an overarching theme of the GDPR is the principle of accountability, you will no longer need to register with the ICO. Instead, if you employ over 250 employees, process “special categories of data” (e.g. health related information) or your data processing activities are likely to result in high risk to individuals, you will need to maintain detailed documentation recording your processing activities as specified in the GDPR, and make these available to the ICO on request.	Undertake a data audit and data mapping exercise (to help you understand what data you hold and why and where such data flows from, within and to) to help you develop a plan for GDPR compliance. Establish a framework and culture for accountability by ensuring you have clear policies in place and raising staff awareness through training. Decide what records you need to keep of your data processing activities to demonstrate compliance and start maintaining them.
It will be mandatory to appoint a Data Protection Officer (‘DPO‘) in certain cases, in particular where your core activities involve the processing of large volumes of personal data, or you process large volumes of “special categories of data” or information about criminal convictions. The DPO will need sufficient expert knowledge and the role will have specific functions as set out in the GDPR.	Decide whether you need to appoint a DPO and if you do, clearly document and explain their role. Even if you do not need a DPO, designate someone to take proper responsibility for the important task of data protection compliance and support them in acquiring appropriate knowledge so they can help you stay on the right side of the law.
Mandatory breach notification for data controllers[1]: You must report any breach of personal data to the ICO without undue delay (where feasible within 72 hours) unless it is considered unlikely to result in a risk to the rights of individuals. In addition, you will be required to notify individuals affected by a breach where it is likely to result in a high risk to them.	Develop and implement a data response plan (including a clear policy, staff training and preparing template notifications for both notifications to the ICO and affected individuals), to enable you to react quickly if a breach occurs. Eliminate potential risks to individuals by rendering data unintelligible to any person not authorised to access it e.g. by encryption. Minimise breaches by constantly monitoring security measures, policies and procedures put in place to prevent breaches.
Increased fines for non-compliance: The maximum fines of the ICO will increase from £500,000 to up to 20 million euros.	Even though the ICO’s recent fines on charities for breaking data protection law were reduced by 90%, it will no longer be possible to regard non-compliance as a low-risk issue (if you ever did), especially combined with the likely damage to your reputation if things go wrong.
Direct obligations on data processors[2] for the first time e.g. to maintain records of processing activities and implement adequate security measures to protect personal data. As a result, the ICO will also be able to impose fines on a data processor for breach of their obligations.	Identify your agreements with data processors as their new status will impact how data protection matters are addressed in them. Review and amend such agreements to cover the new mandatory terms e.g. an obligation to report data breaches to you and permit you to undertake an audit (to assist you in ensuring compliance), and to allocate liability in the event of a data breach. Consider if you are acting as a data processor on behalf of anyone else and if so, comply with the new obligations.
Greater transparency with individuals: You will need to give more information to individuals at the time their personal data is collected in your privacy notices. This will include information about your data retention periods and their rights to withdraw consent at any time (and how to do this) and to complain to the ICO if they think there is a problem with how their data is handled. The GDPR also requires information to be provided in concise, easy to understand and clear language.	Review your existing privacy notices to ensure they are clear enough for an individual to reasonably foresee how and why you will use their data. – e.g. if you are wealth-screening (analysing donor personal data to see whether they might be able to give more), you must inform donors of this and seek their consent to it or stop such processing. You must also update your privacy notices to add the extra details that are required under the GDPR.
A higher standard for consent where consent is used as the basis for processing personal data[3] (which will be the case in relation to e.g. your direct fundraising campaigns): In addition to the existing requirement for consent to be freely given, specific and informed, consent will need to be “unambiguous” and given “by a statement or clear affirmative action”. Other key new points[4] are that: Consent requests must be prominent and separate from other terms and conditions You must use un-ticked boxes or similar opt-in methods e.g. signing a consent form – say good-bye to all pre-ticked or opt-out boxes and similar default settings or inactivity. Granular options should be given so individuals can consent separately to different types of processing (unless this would be unduly disruptive or confusing). Third parties who will be relying on consent should be clearly named – even precisely defined categories of third parties will not be sufficient. Records must be kept to show what an individual was told, what they consented to and when and how consent was given – spread sheets summarising when consent was given will not be enough. The process for withdrawing consent should be an easily accessible one-step process, if possible using the same method as was used to collect the consent. You should consider refreshing consent at appropriate intervals e.g. every two years as it is likely to degrade over time but how long it lasts will depend on the context.	You are not required to automatically ‘repaper’ all existing consents in preparation for the GDPR but you should review your existing consents to check if you are comfortable that they satisfy the GDPR. If existing consents do not meet the GDPR’s standards or are poorly documented, you will need to seek fresh GDPR compliant consents e.g. from your donor pool to ensure you can continue with your fundraising campaigns and do not lose out on potential fundraising. In the absence of consent, you will need to stop the relevant processing activity and delete the data which is considered non-compliant, unless it is possible to identify a different lawful basis for the processing. Keep records to evidence consent. Put proper consent withdrawal procedures in place. Build regular consent reviews into your processes and refresh consent as appropriate, including if anything changes.
Enhanced subject access rights: You will no longer be able a charge a fee to respond to a subject access request (‘SAR‘). You must also: Supply extra information e.g. the envisaged period for which the subject’s data will be stored and inform them of their rights to erasure and rectification. Respond within one month instead of 40 days. Provide information in an electronic form (unless the individual requests otherwise).	Consider if you need to update your SAR communications to individuals. Review your existing process for responding to SARs to assess and determine how the one-month response deadline will be met.
In addition to the retention of the right to object to direct marketing, new rights for individuals will include: The “right to be forgotten”: the right to require erasure of information without undue delay. The “right of data portability”: the right to have a copy of personal data in a commonly used electronic and structured format that allows for further use.	Review your internal processes and IT systems and consider how you will give effect to the new rights. Make any changes necessary to ensure data can be easily captured and deleted. Maintain suppression lists of individuals who have objected to direct marketing.
Profiling (any automated processing examining personal data intended to evaluate certain personal aspects of an individual e.g. a donor’s behaviours and preferences) is now a discrete data processing activity: The GDPR includes enhanced information and consent requirements where profiling takes place and a duty to honour an individual’s right to object.	If you conduct profiling, the prior consent of individuals is likely to be required.
Privacy by design and default and mandatory privacy impact assessments (‘PIAs’): A running theme throughout the GDPR is that privacy of personal data should be considered at the very early stages of projects and not simply as an afterthought. You will need to conduct a PIA before embarking on any major new projects or policy changes e.g. a fundraising campaign, new service, IT restructure or privacy policy update.	Develop a template PIA to be used in any upcoming major projects from the outset.
Children: Specific rules will apply to children (which in the UK is likely to be defined for data protection purposes as those under 13). Processing of their data will only be lawful if a parent or guardian consents to it.	If you collect information about children, you will need to make reasonable efforts to verify that consent was in fact given by a child’s parent or guardian.

Contact our charity law experts today

We appreciate that there is a lot to consider and the new features of the GDPR will bring compliance challenges on top of the already increasingly tough stance towards data protection enforcement being taken by the ICO, Charity Commission and new Fundraising Regulator. We would be very happy to support you by examining how the GDPR may affect your charity and assisting you to gear up for the GDPR in relation to any areas of potential vulnerability.

If you would like to learn more about our data protection work for charities, please contact our charity law solicitors on 01895 207862 or email charities@ibblaw.co.uk.

References

[1] Any person who (either alone or jointly or in common with others) determines the purposes for which and the manner in which any personal data is to be processed.

[2] Any person (other than an employee of the data controller) who processes personal data on behalf of the data controller.

[3] Remember you do not always need consent – alternative lawful grounds for processing personal data include that the processing is necessary for the performance of a contract or to comply with a legal obligation, or if you have a genuine and legitimate reason.

[4] Included in the ICO’s draft guidance on consent under the GDPR published on 2 March 2017. The consultation in respect of it is open until 31 March 2017 and the ICO expects to publish its finalised guidance in May 2017. Please note that whilst this is only draft guidance, it is unlikely to change much before it is finalised.