Over the past 18 months, the ICO and NICVA have been working together as part of our #DataFridays project to make organisations operating in the voluntary and community sector aware of the changes to data protection law that are being brought in next year through the General Data Protection Regulation, or GDPR as it is more commonly known.
We now know that the changes will be effected through a Data Protection Bill which will become law in the UK on 25 May 2018 and will replace the current Data Protection Act 1998.
So what changes are coming? What difference will they make to your charity and the way that you collect and use personal information? What can you do to prepare for the changes? The aim of this blog is to work through the answers to these key questions.
Here are 10 key changes arising out of GDPR that your charity needs to know about.
1. Personal data – definitions
GDPR still applies to “personal data”, which is information which relates to and identifies a living person. GDPR provides a clearer definition of personal data and will now include location data, such as Fitbits or GPS trackers on our phones, as well as online identifiers such as IP addresses.
The current law refers to “sensitive personal data”, which includes information on someone’s ethnic origin, political opinion, and religious beliefs, to name a few. These categories all broadly transfer over under GDPR but they are renamed as “special categories” of data and have more protection than personal data.
2. Data controllers and data processor liability
Don’t be put off by the terminology used in the legislation. A data controller is simply an organisation that says how and why personal data will be collected and used and most, if not all, charities will be data controllers.
A data processor is an organisation which acts on behalf of your charity, like a third party operating under a contract or other agreement. If your charity uses a shredding company to dispose of its confidential waste, for example, your charity would be the data controller and the shredding company would be the data processor. Currently only your charity, as a data controller, is liable for a data protection breach. Under GDPR, however, your third party contractors such as a shredding company can be held liable for a breach of data protection.
3. Data protection principles
The eight current principles of data protection all transfer over to GDPR in some form or another. There is a new addition, however, which is known as the “accountability principle”. This requires a data controller to be responsible for and be able to demonstrate compliance with the principles of data protection. This might involve your charity holding additional records of the personal information that it holds and processes, appointing a data protection officer or verifying how and where you obtained consent from an individual to process their information (if you are relying on consent, that is).
4. Privacy notices
Under GDPR, the obligation to provide fair processing information is part of a new right called the right to be informed. GDPR compliant privacy notices must now be concise, intelligible, easily accessible, clear and presented in plain language. The new requirements also set out exactly what information needs to be included in a privacy notice.
A key pillar of GDPR is to enhance the protection of children’s personal data. If your charity collects and uses children’s information, privacy notices must be given to the children in a clear and plain way that they will understand. GDPR also requires your charity to obtain consent from a parent or guardian to process a child’s information if “information society services” are targeted at children. These are internet services provided at a user’s request and for a form of remuneration and will include social media accounts.
6. Lawful processing
For processing to be lawful, your charity needs to identify a legal basis before you can process personal data. Under the current law, these are known as “conditions for processing” but under GDPR they will be known as “bases for processing”. The bases are largely consistent with the current ones and the main thing for your organisation is to know and understand what basis you are relying on to process personal data, and for this to be documented.
Consent is the basis for processing that will change most significantly through GDPR. The new law states that consent must be a freely given, specific, informed and unambiguous indication of an individual’s wishes, given by a clear statement or other affirmative action, to signify agreement. If you are processing special categories of data within your charity, you will need to obtain “explicit consent” and the ICO will be producing further guidance on the threshold for this level of consent.
8. Enhanced rights for individuals
As is the case with the current law, GDPR place obligations on organisations and provides rights to individuals. At its heart, GDPR is very much a rights based law and is all about giving individuals back control over their information. The rights under the current law will all continue, but some will be enhanced, such as the right of access, and some are brand new, such as the right to erasure or the ‘right to be forgotten’ as it is also known. Your charity should be aware of how the current rights change under GDPR and what new rights are being brought into play.
9. Breach reporting
Currently, your charity is not legally obliged to report data protection breaches to the ICO, although most organisations do. Under GDPR, you will be obliged to tell the ICO about data breaches that are likely to have significant detrimental effect on individuals, and will include damage to someone’s reputation, discrimination or financial loss. Breaches will also have to be reported to the ICO within 72 hours of your charity having become aware of them, and the individuals affected will need to be notified also.
The maximum level of fines for breaching the new data protection requirements will increase. The lower tier fine is for failing to meet organisational obligations, such as not appointing a data protection officer if your organisation was supposed to, and this can amount to €10,000,000 or 2% of an organisation’s turnover. The higher tier fine is for infringements, such as not meeting the new threshold of consent, and can amount to €20,000,000 or 4% of turnover. Don’t panic – very few breaches reported to the ICO will result in a fine and this is unlikely to change under GDPR. Only the most serious breaches will result in the ICO issuing a fine.
To help your organisation prepare for these changes between now and May 2018, the ICO has developed a 12 step guide for organisations to take in preparation for GDPR, ranging from raising awareness of the changes within your organisation to implementing new policies or amending existing ones to prepare for the changes. We have also developed a Getting ready for the GDPR toolkit to assess how ready you are as an organisation for the new regulations. Our data protection reform website contains all the guidance we have produced to date on GDPR.
You can find out more about the changes that are coming by attending the Preparing for GDPR session organised by the ICO and NICVA scheduled for 20 October and you can book your free place here.
You can also contact the ICO with queries in relation to GDPR via the helpline 0303 123 1113 or via email to [email protected].