{"id":17713,"date":"2018-01-18T16:46:49","date_gmt":"2018-01-18T16:46:49","guid":{"rendered":"http:\/\/vanel.org.uk\/va\/?p=17713"},"modified":"2018-03-23T09:25:18","modified_gmt":"2018-03-23T09:25:18","slug":"data-protection-and-gdpr-your-challenge-for-2018","status":"publish","type":"post","link":"http:\/\/vanel.org.uk\/va\/2018\/01\/data-protection-and-gdpr-your-challenge-for-2018\/","title":{"rendered":"Data Protection and GDPR. Your challenge for 2018"},"content":{"rendered":"<p class=\"p1\"><strong><span class=\"s1\">On <span class=\"__postbox-detected-content __postbox-detected-date\">25th May<\/span> the new General Data Protection Regulation (GDPR) comes into force, totally replacing the existing Data Protection Act from way back in 1998. Public bodies, private companies, charities, social enterprises, voluntary groups &#8211; pretty much any organisation &#8211; needs to comply with GDPR from May and ensure it is processing personal data properly. That means you.<\/span><\/strong><\/p>\n<p class=\"p1\"><span class=\"s1\">This is probably the largest legislative change that is relevant to your organisation for the past decade! Of course some people won\u2019t like it, and there\u2019s the usual arguments about \u2018red tape\u2019 and \u2018legislative burdens\u2019 and we can debate the pros and cons, but that won\u2019t make it disappear. You need to ensure your organisation is ready. So if you\u2019re a trustee, director, committee member or part of the management team you really need to start preparing now.<\/span><\/p>\n<p class=\"p1\"><strong><span class=\"s1\">Exemptions<\/span><\/strong><\/p>\n<p class=\"p1\"><span class=\"s1\">If you\u2019re a really small group with extremely narrow uses of data then you might well be able to claim yourself exempt. But to do that you\u2019re still going to need to investigate, confirm that and categorically record evidence that you are indeed exempt (should anyone ask or challenge you). 
And if you ever change the ways you process information you\u2019ll need to keep an eye on whether your exemption remains valid. Even in these cases you\u2019ll need to be preparing now. And of course the Information Commissioner\u2019s Office (ICO) likes to assume you\u2019ll be following good practice in handling personal data anyway even if you\u2019re not legally obliged to. (And why wouldn\u2019t you?)<\/span><\/p>\n<p class=\"p1\"><strong><span class=\"s1\">What is GDPR about?<\/span><\/strong><\/p>\n<p class=\"p1\"><span class=\"s1\">GDPR brings data protection into the 21st century. Technology, social media and digital ways of working have changed the types of personal data that are collected and how that data is stored and processed. And the ongoing issues around privacy and personal information have introduced new challenges. GDPR tackles these issues and gives a lot more rights to us as individuals to control our own data.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">New aspects such as the so-called \u201cright to be forgotten\u201d will now be in law. And if you collect something as simple as an IP address through your website then that can count as sufficient to personally identify an individual going forward. (Not sure what an IP address is? You\u2019d better check.)<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">An individual who gives their consent to an organisation now has eight clear \u2018rights\u2019 &#8211; each of which an organisation needs to comply with, uphold or maintain. And of course if you\u2019re not getting that consent from the individual and making it clear enough (there are much stricter rules on consent in the new GDPR) then you could be breaking the law.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">As individuals these rights are valuable. As an organisation you need to know you can deal with them. 
So can your charity identify ALL information you hold about an individual quickly enough to respond to a request for their data? What will you do if they ask you to delete their data? You need to have answers for these exciting questions and many more!<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">And now GDPR requires you to maintain evidence. If you say you have consent from an individual in order to be able to contact them about certain things then how can you prove that? A quick chat face to face at an event might seem like consent is being given, but how can you evidence that six months later when they question why you are sending them \u2018spam\u2019 about something they didn\u2019t consent to? All these challenges arise from GDPR.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Of course GDPR doesn\u2019t stop you doing everything. You have a right to carry out marketing and other activities as part of the \u2018legitimate purposes\u2019 of your organisation. But you certainly can\u2019t assume it will be as simple as \u2018business as usual\u2019. Until you\u2019ve checked, how will you know?<\/span><\/p>\n<p class=\"p1\"><strong><span class=\"s1\">Help &#8211; what do I do to prepare?<\/span><\/strong><\/p>\n<p class=\"p1\"><span class=\"s1\">No 1. Don\u2019t ignore it. Start doing something. Do it together &#8211; as a board, committee or team. Get someone to lead on it (but help them). But essentially decide you\u2019re going to do something. Getting started is probably the hardest step.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">No 2. Seek out advice. You may have professionals you can turn to &#8211; solicitors, membership bodies etc. There are loads of training courses out there. The internet is full of information and advice. And of course bodies such as the Information Commissioner\u2019s Office (ICO) and the Charity Commission and others are giving out formal advice regularly. 
(If you\u2019re VANEL members, why not talk to us to get started too).<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">No 3. Make a plan.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">No 4. Carry out the plan.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">No 5. Relax.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">No 6. Keep doing the plan forever more&#8230;<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">But seriously &#8211; <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/\">here is the overall guide to GDPR. It\u2019s very useful<\/a>. <\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">And <a href=\"https:\/\/ico.org.uk\/media\/1624219\/preparing-for-the-gdpr-12-steps.pdf\">here is a 12 step plan to implementing GDPR<\/a>. I took this and adapted it for VANEL (into a 10 step plan) and started work on it.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">First step on VANEL\u2019s plan is about awareness raising. You need to ensure all of your trustees, board members, staff, volunteers and everyone else is informed about GDPR, data protection in general and of course starts understanding what it takes to manage data properly (and legally).<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">The second step that\u2019s useful is to really understand what you do with data already. What personal data do you collect? How do you collect it? Why? Where do you store it? Who collects it? When do you get rid of it? Who do you share it with? 
And again &#8211; why &#8211; why do you need that data?<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">This mapping exercise hopefully then allows you to see what you need to start changing.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Other tangible steps we\u2019re taking at VANEL are to look at our privacy policy and also to look at each of the rights individuals have (all 8 of them) and work out how we will deal with each right in turn.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Those are just a few of the steps we\u2019re starting to take. There are many more &#8211; but start with the GDPR guides mentioned above and then begin putting your own plan together.<\/span><\/p>\n<p class=\"p1\"><strong><span class=\"s1\">Things to know<\/span><\/strong><\/p>\n<p class=\"p1\"><span class=\"s1\">What is personal data? Here\u2019s a definition I found:<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">So that can mean quite a lot!<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">What are the rights an individual has? 
If someone gives consent (as a legal basis for capturing data) then they have these 8 rights:<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">The right to be informed<br \/>\n<\/span><span class=\"s1\">The right of access<br \/>\n<\/span><span class=\"s1\">The right to rectification<br \/>\n<\/span><span class=\"s1\">The right to erase<br \/>\n<\/span><span class=\"s1\">The right to restrict processing<br \/>\n<\/span><span class=\"s1\">The right to data portability<br \/>\n<\/span><span class=\"s1\">The right to object<br \/>\n<\/span><span class=\"s1\">Rights in relation to automated decision making and profiling<\/span><\/p>\n<p class=\"p1\"><strong><span class=\"s1\">What is a legal basis?<\/span><\/strong><\/p>\n<p class=\"p1\"><span class=\"s1\">You can only collect and store data if there is a legal basis for doing so. The obvious one is consent. Someone opts in to receive information or a service from you and thus gives you consent. Another basis might be a contractual arrangement. They buy a service from you and you need to collect their data for that purpose &#8211; that\u2019s not the same as consent, but it is a legal basis. <\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Another relationship might be a \u2018legitimate reason\u2019 &#8211; you might be marketing to someone to promote your services and you have some personal information from them for this. This can be valid too &#8211; be careful &#8211; and remember you should still be taking into account systems such as the Telephone Preference Service anyway.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Once you know your legal bases for all the different types of data you are collecting then you\u2019ll understand better what you are allowed to collect and what to do with it. So make an effort to explore this.<\/span><\/p>\n<p class=\"p1\"><strong><span class=\"s1\">Opting in consent<\/span><\/strong><\/p>\n<p class=\"p1\"><span class=\"s1\">Consent now has to be pretty clear. 
There\u2019s none of this \u2018assumed consent\u2019 or \u2018you didn\u2019t say you didn\u2019t want our information\u2019! You need to be exact, specific, clear, unambiguous and so on. It might mean taking a very good look at all your forms, paperwork, websites and more. <\/span><\/p>\n<p class=\"p1\"><strong><span class=\"s1\">Evidence<\/span><\/strong><\/p>\n<p class=\"p1\"><span class=\"s1\">One of the biggest things about GDPR will be proving with evidence that you have a legal basis or have consent. The argument that \u201cI met him and he said it was ok and we put his data on the system\u201d will not be good enough. How can you prove that this consent was given and was adequate? Of course a very simple piece of paper with a name, signature, date and wording that indicates what consent is given will be much better evidence. Have a look at all your systems to decide how good they are.<\/span><\/p>\n<p class=\"p1\"><strong><span class=\"s1\">Conclusions<\/span><\/strong><\/p>\n<p class=\"p1\"><span class=\"s1\">At this stage I\u2019m bringing some pointers to your attention. It\u2019s now up to you to get working on GDPR implementation for your organisation. Use some of the resources below to help you.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">We\u2019ll continue to share information about GDPR via our e-newsletters over the coming months. And if you are a Member organisation then please contact us to see if we can point you in the right direction. 
<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Karl Elliott<br \/>\n<\/span><span class=\"s1\">Development Manager<br \/>\n<\/span><span class=\"s1\">January 2018<br \/>\n<\/span><span class=\"s1\"><a href=\"mailto:Karl@vanel.org.uk\">Karl@vanel.org.uk<\/a><\/span><\/p>\n<p class=\"p1\"><strong><span class=\"s1\">Resources<\/span><\/strong><\/p>\n<p class=\"p1\"><span class=\"s1\">The ICO website has the overall Guide to GDPR here<\/span><\/p>\n<p class=\"p2\"><span class=\"s2\"><a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/\">https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/<\/a><\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Every section describes something useful. Use it as your guide.<\/span><\/p>\n<p class=\"p2\"><span class=\"s3\">12 steps to take now is very useful &#8211; <a class=\"__postbox-detected-content __postbox-detected-link\" href=\"https:\/\/ico.org.uk\/media\/1624219\/preparing-for-the-gdpr-12-steps.pdf\">https:\/\/ico.org.uk\/media\/1624219\/preparing-for-the-gdpr-12-steps.pdf<\/a><\/span><\/p>\n<p class=\"p2\"><span class=\"s3\">As is \u2018getting ready\u2019 checklist <a class=\"__postbox-detected-content __postbox-detected-link\" href=\"https:\/\/ico.org.uk\/for-organisations\/resources-and-support\/data-protection-self-assessment\/getting-ready-for-the-gdpr\/\">https:\/\/ico.org.uk\/for-organisations\/resources-and-support\/data-protection-self-assessment\/getting-ready-for-the-gdpr\/<\/a><\/span><\/p>\n<!--themify_builder_content-->\n<div id=\"themify_builder_content-17713\" data-postid=\"17713\" class=\"themify_builder_content themify_builder_content-17713 themify_builder tf_clear\">\n    <\/div>\n<!--\/themify_builder_content-->\n","protected":false},"excerpt":{"rendered":"<p>In this article I explore the very important upcoming GDPR legislation that will affect the way every organisation deals with data protection. 
Everyone should be looking at GDPR. Are you? Have a read of my overview.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"xn-wppe-expiration":[],"xn-wppe-expiration-action":[],"xn-wppe-expiration-prefix":[],"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[546,11],"tags":[547,522],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_shortlink":"https:\/\/wp.me\/p3cThd-4BH","jetpack_sharing_enabled":true,"amp_enabled":true,"_links":{"self":[{"href":"http:\/\/vanel.org.uk\/va\/wp-json\/wp\/v2\/posts\/17713"}],"collection":[{"href":"http:\/\/vanel.org.uk\/va\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/vanel.org.uk\/va\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/vanel.org.uk\/va\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/vanel.org.uk\/va\/wp-json\/wp\/v2\/comments?post=17713"}],"version-history":[{"count":6,"href":"http:\/\/vanel.org.uk\/va\/wp-json\/wp\/v2\/posts\/17713\/revisions"}],"predecessor-version":[{"id":18832,"href":"http:\/\/vanel.org.uk\/va\/wp-json\/wp\/v2\/posts\/17713\/revisions\/18832"}],"wp:attachment":[{"href":"http:\/\/vanel.org.uk\/va\/wp-json\/wp\/v2\/media?parent=17713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/vanel.org.uk\/va\/wp-json\/wp\/v2\/categories?post=17713"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/vanel.org.uk\/va\/wp-json\/wp\/v2\/tags?post=17713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}