Legal Updates 1803
Getting sorted for GDPR
The General Data Protection Regulation (GDPR) changes data protection legislation in all EU member states on 25 May 2018. In the UK it will replace the Data Protection Act 1998 (DPA), and will be supplemented by the Data Protection Bill which is currently going through parliament. Many GDPR requirements are the same as or very similar to those under the DPA, but there are also significant changes which will affect all organisations which control or process information about individuals.
If you have been fretting about GDPR for the past two years but still not got around to doing anything about it, or are among the 56% of charities which – according to a Department for Digital, Culture, Media and Sport survey released on 25 January – have never even heard of GDPR, work your way through the basic and detailed resources below and think about what your organisation needs to do in the next 3.5 months. If you're already aware of GDPR and what it might mean for your organisation, get the Charity Finance Group and TLT publications under 'For more detail', below, and use them and the ICO's self assessment checklist to check your progress.
This update covers resources about the GDPR in general.
Key differences between the Data Protection Act and GDPR
(from the Charity Finance Group's General Data Protection Regulation: A guide for charities)
Countdown to the General Data Protection Regulation
(Update from Bates Wells Braithwaite Solicitors).
Briefing on Preparation - Charities and Social Enterprises
For a more detailed introductory briefing:
Paul Ticher's nine-page GDPR roundup from August 2017. This has clear summaries of the key changes that are likely to affect charities and other voluntary organisations, and actions you need to take now if you haven't already, in relation to:
- Changes in the definition of consent
- Using legitimate interests as a basis for processing
- Transparency: what you have to tell people about your processing
- Data subject rights
- Processing data on children
- Record keeping
- Data protection by design and by default
- Relations with other organisations
- Changes in your relationship with a data processor
- Breach notification
- Data protection impact assessments
- Whether you will need a data protection officer
- Transfers abroad
- Fines and enforcement
(Paul produces regular data protection updates for subscribers to his data protection support service - details below under 'Help and advice' - these are also available as free downloads from the Directory of Social Change.)
The most recent, from December 2017, updates the August briefing and can be accessed via https://www.dsc.org.uk/content/data-protection-roundup-december-2017/
For more detail:
Extremely highly recommended: Charity Finance Group's General Data Protection Regulation: A guide for charities, with an introduction to GDPR and colour-coded sections on governance; fundraising; financial data; beneficiary data; employee data; and other useful organisations and resources. Published January 2018. http://www.cfg.org.uk/resources/Publications/cfg-publications.aspx#GDPRguide.
Also highly recommended: TLT Solicitors' Get Ready: An essential guide to the General Data Protection Regulation. Not specific to the voluntary sector, but more detailed than the CFG guide on some issues. Covers scope, lawful processing and consent; individuals' rights; data protection by design and default and accountability; international data transfers; breach notification, enforcement and sanctions; and issues that continue to be governed by national law. Published May 2017.
(The fourth edition of Paul Ticher's Data Protection for Voluntary Organisations is expected to be published by Directory of Social Change in the autumn)
Information Commissioner's Office GDPR resources:
If you are new to GDPR, you may want to tackle the ICO's GDPR resources in this order.
- "12 steps to take now" infographic.
- "Guide to the GDPR": the introduction; the sections on what's new, key definitions, and principles; and at least the first page in the section on lawful basis for processing. ("Lawful bases" is the new name for what are currently called conditions for processing.)
- The page in the lawful basis section on legitimate interests, which will cover many organisations; and the page on consent, which explains when explicit consent is likely to be needed. The ICO expects to update the page on legitimate interests by the end of February, so watch out for this if you are planning to use legitimate interests as a basis for processing data.
- The pages in the lawful basis section on special category data if your organisation holds what is currently called sensitive personal data (race/ethnicity, medical conditions etc).
- Then the other pages in the lawful basis section, to see if they apply to your organisation.
- The section towards the end on international transfers, if your data is transferred to countries outside the EU.
- The page on children at the end of the Guide, if your organisation works with children. The ICO is consulting until the end of February on its guidance on children's personal data.
- Then the other sections in the guide: Individual rights; accountability and governance; security; personal data breaches; and exemptions.
- GDPR myth busting blogs – these are important for reassurance that some of the horror stories you may have heard are not valid – or at least are not as bad as what you heard.
- "Getting ready for the GDPR self assessment checklist".
- FAQs for small organisations and charities, and if applicable the FAQs for education and small health organisations. Small is not defined, but it's probably fewer than 250 employees. The charity FAQs apply equally to non-charitable voluntary organisations, and cover questions on privacy notices, special category personal data (currently called sensitive personal data), consent for marketing, data security, data protection officers, and contacting the ICO. The FAQs for small organisations cover some of the above, as well as subject access requests, the ICO's criteria for issuing monetary penalties (fines), collecting or processing children's personal data, data portability, large-scale processing, and the difference between controllers and processors (these are currently called data controllers and data processors, but the word 'data' is being dropped from the name).
To keep up to date with new and updated ICO GDPR resources:
Keep checking the ICO's 'What's new' page in the GDPR Guide
Sign up for the ICO's e-newsletter
What if you get it wrong?
Even if your organisation cannot become fully GDPR-compliant by 25 May, you should be able to show – if you are required to do so – that you are actively on your way to getting there. The Information Commissioner's Office is not suddenly on 26 May going to start monitoring every organisation and business to see if the right policies and procedures are in place and are being implemented. Even if your organisation has to report a personal data breach or someone complains to the ICO, the ICO will – according to an ICO spokesperson at a trustee conference in November 2017 – be "proportionate" in how it enforces GDPR and will be pragmatic and "risk-based" if the organisation can show that it is actively working on GDPR and taking it seriously. "It is scaremongering", Simon Entwisle said, "to suggest that we will be making examples of organisations for minor infringements, or the maximum fine will become the norm."
Even though potential fines will increase very significantly under GDPR (from the current maximum of £500,000 under the DPA, to as much as 4% of global turnover or €20 million/approximately £18 million, whichever is higher, under the GDPR), the Information Commissioner has stated that she does not intend to significantly increase the general level of fines she imposes. As Paul Ticher says in the briefing mentioned above, "The clear intention of GDPR is that the higher amounts should only be applicable to very large – probably multinational – companies for whom the current levels of fine are little deterrent."
Help and advice:
ICO GDPR hotline for small businesses and organisations (with fewer than 250 employees).
Provides advice on preparing for the GDPR, other data protection rules, and other legislation regulated by the ICO including electronic marketing and freedom of information.
Tel 0303 123 1113, option 4.
(The ICO can also be contacted via live chat and email, via the 'Contact us' link in the blue band at the bottom of every page of the ICO website.)
Your organisation's solicitor or legal advisor.
Paul Ticher's data protection support service, annual fee £205-£525 depending on organisation size, http://www.paulticher.com/data-protection-services.
Small Charities Coalition online GDPR portal for organisations with annual income up to £1 million, launched in December 2017, annual portal licence £200 to £600 depending on organisation size.
The SCC website at http://www.smallcharities.org.uk/785/ says the online tool will write policies for you and automatically update them when GDPR changes, educational videos will train your staff, and you will get guidance on how to complete a self-certification. But those few words are all that it says about each of those features, and as far as I can tell, there is no way to find out more before clicking the "Buy now" button.