The General Data Protection Regulations (GDPR)
The GDPR is at the forefront of current discussions within the legal sector with the Regulations set to come into force in the UK on 28th May 2018.
The Information Commissioner’s Office (ICO) will regulate the GDPR in the UK and will be given the power to fine organisations, including charities, up to 20 million euros or 4% of their annual global turnover where they have seriously breached the GDPR.
It is therefore fundamental that trustees are aware of any policies or procedures that they need to put in place in order for their charity to become compliant with the GDPR ahead of 28th May.
There will be a new requirement for public authorities, organisations with large scale data processing, and organisations which process a large amount of sensitive data, to appoint a Data Protection Officer (DPO). If your charity does not fit into one of these categories, then you are under no obligation to appoint a DPO. However, many charities will process sensitive personal data due to the nature of the sector, and it is advisable to appoint a DPO in any case to avoid a situation in which you may have to defend a decision not to appoint a DPO.
It is essential that every charity has a data protection policy in place before the GDPR is implemented. The policy should include a list of all the data which the charity collates, and the purposes for doing so. Data risks faced by the charity should be identified, as should any measures the charity has in place to minimise those risks and keep data protected. The policy should also explain how individuals can ask to see their data and when their data will be deleted from the system.
One example of a key area relating specifically to charities which may be affected by the GDPR is that of fundraising. Charities must be able to demonstrate why they have a requirement to collect and store data relating to their donors, and they must not keep the data for an unreasonable amount of time.
Donors must have freely given their unambiguous, specific and informed consent to the charity to process their data, and the charity should ensure that they are able to prove that this consent has been obtained. Consequently, it is advisable to gain written consent rather than attempt to rely on verbal communication of consent.
The same issues arise in relation to charities’ beneficiaries, employees and volunteers. Essentially, any personal data from any individual which is processed by the charity will be subject to the provisions of the GDPR.
Charities should also make sure that they have the correct procedures in place to detect, report and investigate a personal data breach. There should be a clear understanding of when breaches should be reported to the ICO and to the individuals affected.
For further information on how your charity can become GDPR-compliant, there is detailed guidance on the ICO’s website.