Does your organisation hold an email list or a service-user contact list?
If you hold any list of personal data within your organisation, even a simple spreadsheet of names and email addresses, you need to be aware that data protection law is changing.
On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force. The GDPR is EU law rather than ICO guidance; in the UK it is enforced by the Information Commissioner’s Office (ICO) and replaces the Data Protection Act 1998. As the new rules bed in, the public will become increasingly aware of how their data is held and used by organisations, so charities large and small need to be prepared.
Understandably, smaller charities often have no data protection officer, so responsibility for data protection is not clearly defined and it is hard to stay up to date. A good place to start is to ensure that a named staff member is trained in the current law and is given explicit responsibility for keeping abreast of any changes.
The ICO has published a guide, Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now. Here is a brief overview of its checklist to get you started so you can plan your approach:
- Awareness
Make sure that key people in your organisation are aware that data protection law is changing. Identify areas that could cause compliance problems. Avoid leaving this until the last minute, as these changes may take time to implement.
- Information you hold
You need to document what personal data you hold, including where it came from and who you share it with. Organise an information audit. You’ll need to show how you comply with the data protection principles – what policies and procedures you have in place.
- Communicating privacy information
Review your current privacy notices and put a plan in place to update them. Under the GDPR your privacy notice will need to include additional information, such as your legal basis for processing the data, how long you will keep it (your retention periods) and the fact that individuals have the right to complain to the ICO if they are unhappy with how you handle their data. Privacy information should be provided in concise, clear and easy to understand language.
- Individuals’ rights
Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. Would your systems help you to locate and delete someone’s data if requested? Who will make the decisions about deletion?
The right to data portability is new under the GDPR. You’ll need to provide the data electronically and in a commonly used format. If you use paper print-outs or an unusual electronic format, now is a good time to revise your procedures and make any necessary changes.
- Subject access requests
The rules for dealing with subject access requests will change under the GDPR, so update your procedures and plan how you will handle requests within the new timescales. In most cases you will no longer be able to charge a fee, and the time limit for responding will reduce from the current 40 days to one month (extendable by a further two months only where requests are complex or numerous, and you must tell the individual within the first month if you need the extension).
If you want to refuse a request, you will need policies and procedures in place to demonstrate why the request is manifestly unfounded or excessive. You will also need to provide some additional information to people making requests, such as your data retention periods and their right to have inaccurate data corrected.
- Legal basis for processing personal data
Take a look at the data processing you currently carry out – identify your legal basis for carrying it out and document it. People will have a stronger right to have their data deleted where you use consent as your legal basis for processing. You will have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request.
- Consent
Review how you are seeking, obtaining and recording consent. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. Consent cannot be inferred from silence, pre-ticked boxes or inactivity, and it must be as easy to withdraw as it was to give. You must be able to demonstrate that consent was given, so review the systems you use for recording consent to ensure you have an effective audit trail of who consented, to what, when and how.
- Children
Do you have systems in place to verify ages and to gather parental or guardian consent? For the first time, the GDPR brings in special protection for children’s personal data, particularly for online services. If your organisation offers online services directly to children and relies on consent as its legal basis for processing their data, you will need a parent or guardian’s consent for children below the age of digital consent. The GDPR sets that age at 16 but lets member states lower it to as little as 13, which is the age the UK has adopted. This could have significant implications if your organisation aims online services at children and collects their personal data.
- Data breaches
Do you have the right procedures in place to detect, report and investigate a personal data breach? If not, you should start now. Under the GDPR a breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it; where the risk is high, the affected individuals must also be told. A useful first step is to assess the types of data you hold and document which ones would fall within the notification requirement if they were lost or exposed. Note that a failure to report a breach when required to do so could in itself result in a fine.
- Data Protection by design and Data Protection Impact Assessments
Take a look at the guidance the ICO has produced on Privacy Impact Assessments (PIAs) and work out how to implement them in your organisation. Under the GDPR these become Data Protection Impact Assessments (DPIAs) and are mandatory where processing is likely to result in a high risk to individuals, for example when adopting new technology or processing sensitive data on a large scale. Start to assess the situations where a DPIA will be necessary. Who will do it? Who else needs to be involved? Will the process be run centrally or locally?
A privacy by design and data minimisation approach has always been an implicit requirement of the data protection principles. The GDPR makes data protection by design and by default an express legal requirement.
- Data Protection Officer
Designate a Data Protection Officer (DPO) or someone else to take responsibility for data protection compliance. A formal DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data; most small charities will not meet that threshold but still need someone accountable. Assess where this role will sit within your organisation’s structure and governance, and make sure the person has the knowledge, support and authority to do the job effectively.
- International
Does your organisation operate in more than one EU member state? If so, you should determine which data protection supervisory authority you come under. It helps to map out where your organisation makes its most significant decisions about data processing, as that is what determines your lead supervisory authority.
We know this list is a little daunting, but don’t be put off! We’ll keep our blog updated with any developments in this area and share useful information from data protection specialists. If you have any specific questions about data protection for your organisation, do get in touch.