As of the 25th of May 2018, organisations operating in the UK and European Union (EU) must comply with the General Data Protection Regulation (GDPR), which will replace the current Data Protection Act.
Not only will the new regulation set out existing data protection law in more detail, it will also add rules covering newer technology and spell out the obligations and responsibilities organisations have when handling the data they hold on EU citizens. This is likely to have a significant impact on many charities, which typically hold several separate pools of data, including that of beneficiaries of the service, individual donors and volunteers.
Across Britain, MPs and government authorities are urging charities to prepare for the upcoming regulation to avoid facing fines of €20 million or four per cent of an organisation’s annual global turnover, whichever is the higher amount. Ahead of this, it is crucial that charities are fully aware of the facts surrounding GDPR. Here we take a look at how things will change:
Any charity that processes the personal data of an EU citizen will have to comply with the GDPR, wherever in the world the organisation operates. While the GDPR is technically an EU initiative, it will have a global impact, regardless of the UK’s Brexit decision.
Although it was already rather broad, the definition of ‘personal data’ will be expanded further. As of next May it will include any information that can be used to identify an individual, such as contact details and genetic, mental, cultural, economic and social information. This will cover data held on staff, volunteers, donors and funders.
If your charity processes personal data on a large scale, you may need to appoint a Data Protection Officer (DPO).
This does not depend on the size of your charity, but on the amount of data you process on a regular basis. Charities may need to appoint somebody to ensure that personal data processes, systems and storage conform to the GDPR, and that this compliance can be evidenced should a data breach occur.
Because the risk of a data breach has increased, Privacy Impact Assessments (PIAs) will be introduced so that organisations can identify and take steps to mitigate the knock-on risk to individuals.
Any project within an organisation that involves personal data must have a PIA carried out before it begins. The DPO will then have to make sure the project complies with the GDPR as it proceeds.
The information a charity provides to an individual when seeking ‘valid consent’ must be clear and simple under the GDPR. In addition, the organisation will have to explain fully how the data will be processed.
Valid consent must be actively obtained from the individual, rather than assumed to have been given.
Once the GDPR is enforced, charities will not be able to hold or retain any data for longer than is necessary. Individuals can exercise the ‘right to be forgotten’, under which an organisation must delete all the data it holds on that person in full. In addition, charities will not be able to use data for any purpose other than the one originally agreed. If they wish to do so, new and updated consent must be obtained.