Data protection law is changing. Are you ready?
With the General Data Protection Regulation (Regulation) expected to come into force in mid-2018, charities and social enterprises will need to ensure they are ready to meet their compliance obligations concerning data protection. Failure to prepare now may result in the inconvenience of a last minute rush, or worse, a fine for non-compliance.
How does this affect you?
Every year large amounts of personal data is collected and stored by charities and social enterprises, in particular details relating to members, donors, staff and service users. As “data controllers”, charities and social enterprises will be required to comply with the data protection laws concerning personal information, including those within the Regulation when it comes into force.
What do you need to be aware of?
The majority of the principles and requirements of the Regulation are the same as those currently in the Data Protection Act 1998 (DPA). If charities and social enterprises are compliant with the requirements of the DPA, they are in a good position for the arrival of the Regulation and the changes it will bring. Some of the key areas which will affect charities and social enterprises under the Regulation are:
- Increased obligation to notify data breaches
The Regulation will require the Information Commissioner’s Office (ICO) to be notified of serious personal data breaches (within 72 hours of the organisation becoming aware of the breach, where feasible). Personal data breaches are broadly defined and extend to accidental loss or destruction of personal data, not only theft or unauthorised disclosure. Notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.” However, where charities and social enterprises hold any sensitive personal data (soon to be called special categories of data), such as health, religious or criminal-record information about service users, this exclusion will rarely apply.
Failing to report a breach could result in a fine for the charity or social enterprise, in addition to any fine for the breach itself.
- Introduction of mandatory risk assessments
The Regulation makes it a legal requirement for certain organisations to carry out a Privacy Impact Assessment (PIA, which the Regulation calls a Data Protection Impact Assessment) to identify the most effective ways to comply with their data protection obligations, and the ICO will publish a list of the types of processing that will be subject to this requirement. Although it is not certain that this requirement will apply to charities and social enterprises, the ICO strongly recommends carrying out a PIA as a way to analyse how your organisation handles the privacy of personal data and to highlight areas for improvement. In the event of a security breach, the ICO is likely to ask for a copy of your PIA.
- Consent required for children
You will need to obtain a parent or guardian’s consent to process personal data concerning children (in the UK this is likely to mean anyone under 13). This will be very important for charities and social enterprises working with young children.
- Communicating privacy information
Charities and social enterprises will now be required to tell individuals the legal basis for processing their data, how long they will keep the data for, and that individuals have a right to complain to the ICO if they think there is a problem with the way their data is being handled.
- Rights of individuals
Individuals will have the right to have inaccurate personal data corrected, to prevent direct marketing and to request that organisations which store their data provide them with a copy of all stored data. Going forward, there will be a maximum of one month (rather than the current 40 days) in which to respond to an individual’s data subject access request, and the data must be provided in a commonly used format. These requests could easily be costly and time-consuming, especially if you receive them regularly, and the shorter timescale will make it even harder.
What can you do to be ready?
- Raise awareness: Ensure that your organisation’s management, teachers, lecturers and support staff are aware of the changes brought about by the Regulation and what the impact is likely to be.
- Carry out a Privacy Impact Assessment: A PIA will allow you to identify and reduce privacy risks and highlight what action needs to be taken to comply with data protection obligations.
- Amend your procedures: Ensure that your organisation is able to meet its new obligations, for example that you have systems in place to verify individuals’ ages, gather parental or guardian consent, deal with requests by individuals within the timescales, and detect, report and investigate data breaches.
- Train staff and volunteers: Committee members, coaches and volunteers should be given effective training on the requirements of the Regulation and how it affects their roles.
- Review data protection systems: Ensure that personal data is adequately protected by making sure it is properly encrypted (both where it is stored and when it is sent), that access is limited to those who need it, and that the IT and security systems are fit for purpose. Avoid keeping physical copies of personal data where possible, as they are harder to protect and it is harder to keep track of who they have been disclosed to and where they are located.
- Budget for the changes: Training, ensuring data management and IT systems are effective, carrying out a PIA and dealing with requests for copies of data are likely to be time consuming and costly. If these matters are ignored until 2018, you may struggle to allocate the necessary resource at short notice.
The Information Commissioner’s Office (ICO) has recently published guidance to help organisations prepare for the changes the Regulation will bring, which is available on the ICO website.