We recently held a seminar for SCVO members on the big data protection issues that third sector organisations face.
Looming over all discussions on data protection is the fact that from 25 May 2018 there will be a new regime rolled out across the EU. Known as the EU General Data Protection Regulation (GDPR), it marks the biggest change in data protection legislation for over 25 years – and even Brexit is unlikely to stop it from affecting you.
Are you affected by the regime?
The first thing you need to know is whether your organisation is a ‘data controller’ for the purposes of the current Data Protection Act (DPA) and the GDPR. If your organisation decides how and why personal data is processed, then it is. Personal data is information that can identify a living individual either on its own or in conjunction with other information the data controller holds or is likely to hold.
Another key definition is ‘processing’, which includes obtaining, recording or holding data or carrying out any operation(s) on the data. Third sector organisations often process large quantities of personal data by virtue of their activities.
Get ready – our top 10 tips
For all the data controllers among you, here are our top 10 tips to get ready for the GDPR:
- Undertake a DPA audit and identify shortcomings – identifying any shortcomings early will allow you to put in place measures or policies so that you are compliant when the GDPR applies.
- Ensure 100% compliance with the DPA – the GDPR goes further than the DPA so, as a minimum, you should ensure that your organisation complies with the DPA in full. This includes things like adhering to the 8 principles set out in the DPA; identifying the personal data you hold, particularly any sensitive personal data; and ensuring any personal data is not disclosed in breach of the DPA.
- Roll out DP training – anyone in your organisation who has access to or handles personal data should be able to identify that it is personal data and be aware of the basic principles which govern their activities.
- Review existing forms, correspondence, websites, DP statements – the GDPR sets down new requirements for consents and fair processing notices. You will need to check that your current wording complies.
- Establish an accountability framework – there are onerous accountability obligations on data controllers under the GDPR, including: maintaining specific documentation and conducting an impact assessment before undertaking any risky processing (e.g. profiling via wearable technology). Data controllers will need to adopt policies and implement measures to demonstrate compliance.
- Adopt higher standards of data security – the GDPR requires data controllers to undertake a risk assessment for all the data they hold.
- Implement a DP breach management policy – there will be a new requirement to notify the Information Commissioner’s Office (ICO – the regulator for data protection in the UK) of any breaches within 72 hours.
- Be prepared for data subjects to exercise their rights – appropriate procedures for handling subject access requests should be put in place before 2018 as the length of time data controllers will have to respond is reduced from 40 days under the DPA to within one month or without “undue delay” under the GDPR.
- Consider cyber insurance – with added responsibility and liability, cyber insurance should be considered for organisations processing personal data electronically – i.e. website fundraising, social media activities, etc.
- Don’t wait until 2018 – even with Brexit looming, the UK will most likely adopt similar requirements and the GDPR will be directly applicable before Brexit takes effect. It’s not worth being fined – don’t wait until it’s too late!
Kelly Sleight is a solicitor at Harper Macleod LLP who advises clients in the third and public sectors on a range of issues, including information law matters.