I’ve cut and pasted Sandy’s latest legal update….
Not up on her website yet.
Getting sorted for GDPR
The General Data Protection Regulation (GDPR) changes data protection legislation in all EU member states on 25 May 2018. In the UK it will replace the Data Protection Act 1998 (DPA), and will be supplemented by the Data Protection Bill which is currently going through parliament. Many GDPR requirements are the same as or very similar to those under the DPA, but there are also significant changes which will affect all organisations which control or process information about individuals.
If you have been fretting about GDPR for the past two years but still not got around to doing anything about it, or are among the 56% of charities which – according to a Department for Digital, Culture, Media and Sport survey released on 25 January – have never even heard of GDPR, work your way through the basic and detailed resources below and think about what your organisation needs to do in the next 3.5 months. If you’re already aware of GDPR and what it might mean for your organisation, get the Charity Finance Group and TLT publications under ‘For more detail’, below, and use them and the ICO’s self assessment checklist to check your progress.
This update covers resources about the GDPR in general. Another update will follow in a couple of days with specific aspects of GDPR such as fundraising and direct marketing, employees and volunteers, and children.
As one-page starters, attached are:
- Chart showing the key differences between the Data Protection Act and GDPR, from the Charity Finance Group’s General Data Protection Regulation: A guide for charities. Details of this publication are below under ‘For more detail’.
- “Countdown to the General Data Protection Regulation”, 10 starting points from the autumn 2017 Charity and Social Enterprise Update from Bates Wells Braithwaite Solicitors.
For a bit more, Wrigleys Solicitors have a three-page briefing on what charities and social enterprises should be doing to prepare, at https://www.wrigleys.co.uk/news/charity-social-economy/gdpr-what-should-charities-and-social-enterprises-be-doing-to-prepare/.
For a more detailed introductory briefing, I recommend Paul Ticher’s nine-page GDPR roundup from August 2017. Nearly 40 years ago, when Paul and I were joint coordinators at the Campaign Against Arms Trade, I said I wouldn’t fill up my brain with anything that was in his – I would just ask him. Now that he is a leading specialist on data protection for voluntary organisations, this is still the case and he is my go-to person for anything on this topic. His August roundup has clear summaries of the key changes that are likely to affect charities and other voluntary organisations, and actions you need to take now if you haven’t already, in relation to:
- Changes in the definition of consent
- Using legitimate interests as a basis for processing
- Transparency: what you have to tell people about your processing
- Data subject rights
- Processing data on children
- Record keeping
- Data protection by design and by default
- Relations with other organisations
- Changes in your relationship with a data processor
- Breach notification
- Data protection impact assessments
- Whether you will need a data protection officer
- Transfers abroad
- Fines and enforcement
To access Paul’s briefing, click GDPR at http://www.paulticher.com.
Paul’s produces regular data protection updates for subscribers to his data protection support service (details below under ‘Help and advice’); these are also available as free downloads from the Directory of Social Change. The most recent, from December 2017, updates the August briefing and can be accessed via https://www.dsc.org.uk/content/data-protection-roundup-december-2017/.
For more detail
- Extremely highly recommended: Charity Finance Group’s General Data Protection Regulation: A guide for charities, with an introduction to GDPR and colour-coded sections on governance; fundraising; financial data; beneficiary data; employee data; and other useful organisations and resources. Published January 2018, 49pp, free download via http://www.cfg.org.uk/resources/Publications/cfg-publications.aspx#GDPRguide.
- Also highly recommended: TLT Solicitors’ Get Ready: An essential guide to the General Data Protection Regulation. Not specific to the voluntary sector, but more detailed than the CFG guide on some issues. Covers scope, lawful processing and consent; individuals’ rights; data protection by design and default and accountability; international data transfers; breach notification, enforcement and sanctions; and issues that continue to be governed by national law. Published May 2017, 15pp, free download via http://www.tltsolicitors.com/insights-and-events/publications/general-data-protection-regulation-guide/.
The fourth edition of Paul Ticher’s Data Protection for Voluntary Organisations is expected to be published by Directory of Social Change in the autumn.
Information Commissioner’s Office GDPR resources
If you are new to GDPR, you may want to tackle the ICO’s GDPR resources in this order. All via https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/.
- “12 steps to take now” infographic.
- “Guide to the GDPR”: the introduction; the sections on what’s new, key definitions, and principles; and at least the first page in the section on lawful basis for processing. (“Lawful bases” is the new name what are currently called conditions for processing.)
- The page in the lawful basis section on legitimate interests, which will cover many organisations; and the page on consent, which explains when explicit consent is likely to be needed. The ICO expects to update the page on legitimate interests by the end of February, so watch out for this if you are planning to use legitimate interests as a basis for processing data.
- The pages in the lawful basis section on special category data if your organisation holds what is currently called sensitive personal data (race/ethnicity, medical conditions etc).
- Then the other pages in the lawful basis section, to see if they apply to your organisation.
- The section towards the end on international transfers, if your data is transferred to countries outside the EU.
- The page on children at the end of the Guide, if your organisation works with children. The ICO is consulting until the end of February on its guidance on children’s personal data.
- Then the other sections in the guide: Individual rights; accountability and governance; security; personal data breaches; and exemptions.
- GDPR myth busting blogs – these are important for reassurance that some of the horror stories you may have heard are not valid – or at least are not as bad as what you heard.
- “Getting ready for the GDPR self assessment checklist”.
- FAQs for small organisations and charities, and if applicable the FAQs for education and small health organisations. Small is not defined, but it’s probably fewer than 250 employees. The charity FAQs apply equally to non-charitable voluntary organisations, and cover questions on privacy notices, special category personal data (currently called sensitive personal data), consent for marketing, data security, data protection officers, and contacting the ICO. The FAQs for small organisations cover some of the above, as well as subject access requests, the ICO’s criteria for issuing monetary penalties (fines), collecting or processing children’s personal data, data portability, large-scale processing, and the difference between controllers and processors (these are currently called data controllers and data processors, but the word ‘data’ is being dropped from the name).
To keep up to date with new and updated ICO GDPR resources:
- Keep checking the ICO’s ‘What’s new’ page in the GDPR Guide, at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/whats-new/.
- Sign up for the ICO’s e-newsletter at https://ico.org.uk/about-the-ico/news-and-events/e-newsletter/.
What if you get it wrong?
Even if your organisation cannot become not fully GDPR-compliant by 25 May, you should be able to show – if you are required to do so – that you are actively on your way to getting there. The Information Commissioner’s Office is not suddenly on 26 May going to start monitoring every organisation and business to see if the right policies and procedures are in place and are being implemented. Even if your organisation has to report a personal data breach or someone complains to the ICO, the ICO will – according to an ICO spokesperson at a trustee conference in November 2017 – be “proportionate” in how it enforces GDPR and will be pragmatic and “risk-based” if the organisation can show that it is actively working on GDPR and taking it seriously. “It is scaremongering”, Simon Entwitle said, “to suggest that we will be making examples of organisations for minor infringements, or the maximum fine will become the norm.”
Even though potential fines will increase very significantly under GDPR (from the current £500,000 under the DPA, to as much as 4% of global turnover or €20 million/approximately £18 million, whichever is higher, under the GDPR), the Information Commissioner has stated that she does not intend to significantly increase the general level of fees she imposes. As Paul Ticher says in the briefing mentioned above, “The clear intention of GDPR is that the higher amounts should only be applicable to very large – probably multinational – companies for whom the current levels of fine are little deterrent.”
Help and advice
- ICO GDPR hotline for small businesses and organisations (with fewer than 250 employees). Provides advice on preparing for the GDPR, other data protection rules, and other legislation regulated by the ICO including electronic marketing and freedom of information. Tel 0303 123 1113, option 4. The ICO can also be contacted via live chat and email, via the ‘Contact us’ link in the blue band at the bottom of every page of the ICO website.
- Your organisation’s solicitor or legal advisor.
- Paul Ticher’s data protection support service, annual fee £205-£525 depending on organisation size, http://www.paulticher.com/data-protection-services.
- Small Charities Coalition online GDPR portal for organisations with annual income up to £1 million, launched in December 2017, annual portal licence £200 to £600 depending on organisation size. The SCC website at http://www.smallcharities.org.uk/785/ says the online tool will write policies for you and automatically update them when GDPR changes, educational videos will train your staff, and you will get guidance on how to complete a self-certification. But those few words are all that it says about each of those features, and as far as I can tell, there is no way to find out more before clicking the “Buy now” button. There is a bit more on the website of http://clearcomm.org/, the company providing the portal, but not a lot. I am also concerned because the publicity emphasises just the sort of scaremongering about potentially huge fines that is not helpful. I am telling you about this resource because it is designed specifically for small charities and may be very useful, but in the absence of any publicly available further information, I can’t recommend it at the moment.
Another GDPR update will follow soon.
More from Sandy
Getting sorted for GDPR: Forthcoming events + Fundraising & direct marketing
My update 1803 on 13 February provided an overview of General Data Protection Regulation information and resources. (If you did not receive it, contact firstname.lastname@example.org to ask for it to be re-sent.) This update, 1804, gives details of forthcoming GDPR events which I am aware of and recommend. Other solicitors, councils for voluntary service, umbrella organisations etc may also be providing events now and in the coming months.
This update also provides GDPR resources for organisations which carry out fundraising or direct marketing. I had hoped it would also include resources on GDPR in relation to personal data of children, paid staff and volunteers, but if there are too many links in an email, spam filters will reject it. So these topics will be covered in another email in a couple of days.
Forthcoming events about GDPR
Places still available as of midday 15 February.
GDPR: How it affects the charity sector. Tuesday 20 February, 9am-12 noon, London SE1, £80. Civil Society Media, https://www.civilsociety.co.uk/events/gdpr-how-it-affects-the-charity-sectorfeb.html.
GDPR conference. Tuesday 6 March, 9am-5.15pm, London N7, £255-£450. Directory of Social Change in partnership with Russell-Cooke solicitors, https://www.dsc.org.uk/event/gdpr-conference/. With workshops on fundraising and direct marketing; privacy notices; record keeping and security; and accountability and governance. Attendees can attend all workshops – there is no need to choose.
Charities and the GDPR: What do you need to know to be compliant. Tuesday 6 March, 2pm-5pm, Bath, £30. Stone King solicitors. https://www.stoneking.co.uk/event/charities-and-gdpr-what-do-you-need-know-be-compliant-bath-06032018.
GDPR: A practical guide for HR professionals. Webinar, Thursday 29 March, 11.30am-12.30pm, £30. Bates Wells Braithwaite solicitors, https://www.bwbllp.com/events/2018/03/29/gdpr-a-practical-guide-for-hr-professionals.
On-demand webinars. Three webinars from the Institute of Fundraising, available on demand: (1) Introducing GDPR; (2) Building a compliance plan; (3) Focus on fundraising. All three £49 for IoF members, £79 non-members. Details from https://www.institute-of-fundraising.org.uk/events-and-training/events/gdpr-webinars-on-demand/.
Fundraising and direct marketing
Basic and detailed resources:
- “Marketing, marketing, marketing”, a very short (half-page) summary of when you do and do not need consent for fundraising and direct marketing, and what to do now if you need to refresh consent. Attached to this update, and also on the Mills & Reeve charity legal update blog at http://www.charitylegalupdate.co.uk/.
- The Information Commissioner’s Office’s FAQs for charities at https://ico.org.uk/for-organisations/charity/charities-faqs/, in particular the FAQs on consent which make clear that consent is not needed for postal fundraising/marketing, but is needed for some calls and for texts and emails not only under GDPR but also the Privacy and Electronic Communication Regulations 2003 – see the ICO’s guide to PECR at https://ico.org.uk/for-organisations/guide-to-pecr/. The ICO says in its charity FAQs, “if you don’t need consent under PECR you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object”.
- GDPR: The essentials for fundraising organisations, covering getting to grips with the basics; ‘opt in’ consents vs ‘opt out’; and FAQs. Published May 2017, 19pp, free download via https://www.institute-of-fundraising.org.uk/library/gdpr-the-essentials-for-fundraising-organisations/. For more GDPR resources see https://www.institute-of-fundraising.org.uk/guidance/research/get-ready-for-gdpr/.
- Post-GDPR changes to the Code of Fundraising Practice, added today (15 February) to the Code page on the Fundraising Regulator’s website. Go to https://www.fundraisingregulator.org.uk/code-of-fundraising-practice/code-of-fundraising-practice-v1-4-310717-docx/, and click on Post-GDPR changes on the left-hand side.
- News release summarising the post-GDPR changes at https://www.fundraisingregulator.org.uk/2018/02/15/code-fundraising-practice-updated-data-protection/.
- Fundraising Regulator’s guidance to be published in the next couple of weeks, produced in partnership with the Information Commissioner’s Office, Institute of Fundraising, Charity Commission National Council for Voluntary Organisations, Wales Council for Voluntary Action and Northern Ireland Council for Voluntary Action. Sign up for newsletters at the top of the above page (with the summary post-GDPR changes) to be notified when the Guidance is published. The guidance will be the main source of information for any organisation that uses personal data for fundraising or direct marketing,
For organisations with an OCC contract of any kind, they have been running workshops – last one is this Friday in Abingdon. To book email ProviderDataPro@oxfordshire.gov.uk
In addition to John’s excellent info above, we have a page providing links and a useful checklist – please go to https://oacp.org.uk/gdpr/