This post is an overview of the GDPR regulation (now called Data Protection Act 2018), signposting to useful resources.
We also have a series of blog posts sharing our own GDPR preparation experience which you may be interested in.
The Data Protection Act 2018 strengthens the rights of individuals to access and amend their personal data; places greater emphasis on an organisation’s accountability; and introduces more serious consequences for non-compliance, including fines.
It is a 'values based' regulation which means there is no 'one size fits all' answer as to how to implement it for your organisation.
Key definitions
- The Data controller is the company, organisation or individual who holds personal data and determines the purposes and manner in which it will be processed. For example an organisation or charity.
- The Data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller. For example an IT support or payroll contractor.
The ICO has some guidance on contracts and liabilities between controllers and processors.
Lawful Basis
In order to use personal data you need to identify a lawful basis, also called ‘condition for processing’, and document it in your Data Protection policy. There are six lawful bases for processing data and you will need to decide which one covers each type of data you collect.
ICO guidance on Lawful Basis also includes a checklist for organisations.
Legitimate Interest may be the lawful basis which you decide to use to process personal data. The ICO have published guidance on legitimate interest and this is available on their website.
Privacy Notices
Privacy notices need to be specific, not one catch all, and should be displayed at the point at which someone hands over their personal information. They need to be clear, concise and easy to understand. The short version should state what you are going to do with the data, who will see it, how long you'll keep it for and who to contact with queries. It should also link to a longer version which goes into a lot more detail. Guidance on what should be included in your privacy policy is available on the ICO website.
Data Rentention
How long does your organisation keep data for? If you're receiving funding for delivered services there might be contractual reasons for you to keep data for a certain amount of time. HR policies may also provide guidance in this area. Otherwise think about how long you reasonably need to keep personal data for, document this in your Data Protection policy, and ensure you schedule time to go back and delete it when it's no longer needed.
Subject Access Requests
Under the new regulation individuals have more control over their personal data, in line with eight keys principles of GDPR. Any individual has a right to see what data you hold on them, have it corrected if wrong, and have it deleted if they choose. You will need to have a process and train your staff team to know what to do if someone makes this request (and they may not call it a 'Subject Access Request'). Write this process into your Data Protection policy and have a named person responsible for ensuring requests are responded to as soon as possible (and within one month) and for free.
What should my organisation be doing to be compliant?
You will need to have policies and processes in place relating to personal data and make sure all staff are trained. In particular you should:
- Have a named person responsible for personal data in your organisation
- Do a data map: identify what personal data you hold and where it came from. Sefton CVS have created a Information Audit template and other resources which can be amended to suit your organisation
- Document your lawful basis for storing and using personal data
- Put systems in place to respond to requests for access or updates to personal data or for the data to be deleted (called ‘subject access requests’)
- Make sure your privacy notices are written clearly and are easily accessible.
- Review and update how you seek and manage consent (an opt out option is no longer good enough!)
- Put procedures in place to report a data breach to the ICO within 72 hours if necessary, and make sure all staff understand what constitutes a data breach. Further guidance on data breaches is on the ICO website.
- Think about extra protections for under 16s
Further Resources
Information Commissioner's Office (ICO)
The ICO is the independent authority set up to uphold information rights. It is the ICO who will take action if your organisation is not complying with Data Protection law. The ICO website contains all the information relating to data protection and regularly update the guidance. In particular they have published:
- Guidance for not-for-profit organisations including for direct marketing, a list of FAQs for charities and an advice line for small organisations
- A self assessment 'Getting ready for the GDPR' checklist for organisations
- A full Guide to the GDPR including information on key definitions; lawful basis for processing; the increased rights of the individual and data breaches
- A series of GDPR myth busting blogs
VCSE sector resources
NCVO have produced guidance and resources specific to the voluntary sector:
- Guidance on how to prepare for the GDPR
- Sample policies, webinar, and notification of training and events on the NCVO website
Fundraisers
- If you’re a fundraiser, make sure you follow the latest guidance from the Fundraising Regulator
- The Institute of Fundraising (IoF) and the Fundraising Regulator have published joint guidance on GDPR which has been reviewed by the ICO. Find out more about the Spotlight Series on the IoF website.