On 25th May the new General Data Protection Regulation (GDPR) comes into force, completely replacing the existing Data Protection Act from way back in 1998. Public bodies, private companies, charities, social enterprises, voluntary groups – pretty much any organisation – need to comply with GDPR from May and ensure they are processing personal data properly. That means you.
This is probably the largest legislative change relevant to your organisation in the past decade! Of course some people won’t like it, and there are the usual arguments about ‘red tape’ and ‘legislative burdens’, and we can debate the pros and cons, but that won’t make it disappear. You need to ensure your organisation is ready. So if you’re a trustee, director, committee member or part of the management team you really need to start preparing now.
If you’re a really small group with extremely narrow uses of data then you might well be able to claim yourself exempt. But to do that you’re still going to need to investigate, confirm it and categorically record evidence that you are indeed exempt (should anyone ask or challenge you). And if you ever change the ways you process information you’ll need to keep an eye on whether your exemption remains valid. Even in these cases you’ll need to be preparing now. And of course the Information Commissioner’s Office (ICO) likes to assume you’ll be following good practice in handling personal data anyway, even if you’re not legally obliged to. (And why wouldn’t you?)
What is GDPR about?
GDPR brings data protection into the 21st century. Technology, social media and digital ways of working have changed the types of personal data that are collected and how they are stored and processed. And the ongoing issues around privacy and personal information have introduced new challenges. GDPR tackles these issues and gives a lot more rights to us as individuals to control our own data.
New aspects such as the so-called “right to be forgotten” will now be in law. And if you collect something as simple as an IP address through your website, then going forward that can count as sufficient to personally identify an individual. (Not sure what an IP address is? You had better check.)
An individual who gives their consent to an organisation now has eight clear ‘rights’ – each of which an organisation needs to comply with, uphold or maintain. And of course if you’re not getting that consent from the individual and making it clear enough (there are much stricter rules on consent in the new GDPR), then you could be breaking the law.
As individuals, these rights are valuable. As an organisation, you need to know you can deal with them. So can your charity identify ALL the information you hold about an individual quickly enough to respond to a request for their data? What will you do if they ask you to delete their data? You need to have answers for these exciting questions and many more!
And now GDPR requires you to maintain evidence. If you say you have consent from an individual in order to be able to contact them about certain things, then how can you prove that? A quick chat face to face at an event might seem like consent is being given, but how can you evidence that six months later when they question why you are sending them ‘spam’ about something they didn’t consent to? All these challenges arise from GDPR.
Of course GDPR doesn’t stop you doing everything. You have a right to carry out marketing and other activities as part of the ‘legitimate purposes’ of your organisation. But you certainly can’t assume it will be as simple as ‘business as usual’. Until you’ve checked, how will you know?
Help – what do I do to prepare?
No 1. Don’t ignore it. Start doing something. Do it together – as a board, committee or team. Get someone to lead on it (but help them). But essentially decide you’re going to do something. Getting started is probably the hardest step.
No 2. Seek out advice. You may have professionals you can turn to – solicitors, membership bodies etc. There are loads of training courses out there. The internet is full of information and advice. And of course bodies such as the Information Commissioner’s Office (ICO) and the Charity Commission and others are giving out formal advice regularly. (If you’re a VANEL member, why not talk to us to get started too.)
No 3. Make a plan.
No 4. Carry out the plan.
No 5. Relax.
No 6. Keep doing the plan forever more…
But seriously – here is the overall guide to GDPR. It’s very useful.
And here is a 12 step plan to implementing GDPR. I took this and adapted it for VANEL (into a 10 step plan) and started work on it.
The first step in VANEL’s plan is awareness raising. You need to ensure all of your trustees, board members, staff, volunteers and everyone else are informed about GDPR and data protection in general, and of course start understanding what it takes to manage data properly (and legally).
The second step is to really understand what you do with data already. What personal data do you collect? How do you collect it? Why? Where do you store it? Who collects it? When do you get rid of it? Who do you share it with? And again – why do you need that data?
This mapping exercise should then allow you to see what you need to start changing.
Those are just a few of the steps we’re starting to take. There are many more – but once you start on the GDPR guides mentioned above, you will need to put your own plan together.
Things to know
What is personal data? Here’s a definition I found:
Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
So that can mean quite a lot!
What are the rights an individual has? If someone gives consent (as a legal basis for capturing data) then they have these 8 rights:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
What is a legal basis?
You can only collect and store data if there is a legal basis for doing so. The obvious one is consent. Someone opts in to receive information or a service from you and thus gives you consent. Another basis might be a contractual arrangement. They buy a service from you and you need to collect their data for that purpose – that’s not the same as consent, but it is a legal basis.
Another basis might be a ‘legitimate reason’ (GDPR calls this ‘legitimate interests’) – you might be marketing to someone to promote your services and you hold some personal information from them for this. This can be valid too, but be careful, and remember you should still be taking into account systems such as the Telephone Preference Service anyway.
Once you know your legal bases for all the different types of data you are collecting, then you’ll understand better what you are allowed to collect and what to do with it. So make an effort to explore this.
Opt-in consent
Consent now has to be pretty clear. There’s none of this ‘assumed consent’ or ‘you didn’t say you didn’t want our information’! You need to be exact, specific, clear, unambiguous and so on. It might mean taking a very good look at all your forms, paperwork, websites and more.
One of the biggest things about GDPR will be proving with evidence that you have a legal basis or have consent. The argument that “I met him and he said it was ok and we put his data on the system” will not be good enough. How can you prove that this consent was given and was adequate? Of course a very simple piece of paper with a name, signature, date and wording that indicates what consent is given will be much better evidence. Have a look at all your systems to decide how good they are.
At this stage I’m bringing some pointers to your attention. It’s now up to you to get working on GDPR implementation for your organisation. Use some of the resources below to help you.
We’ll continue to share information about GDPR via our e-newsletters over the coming months. And if you are a Member organisation then please contact us to see if we can point you in the right direction.
The ICO website has the overall Guide to GDPR here.
Every section describes something useful. Use it as your guide.
‘12 steps to take now’ is very useful: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
As is the ‘getting ready’ checklist: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/