The general data protection regulation (GDPR) will replace current data protection law on 25 May 2018. Regardless of Brexit, all charities and businesses will need to comply with this EU legislation. The changes will bring the UK and EU into line with global standards which are evolving to respond to trends in digital communications.
The GDPR introduces new requirements for the processes of holding data. Charities should review their existing data process and take the necessary steps to be compliant before May 2018.
All these changes will be accompanied by an increased set of sanctions, including higher fines, and there is no relief after May 2018.
Charities should consider the following GDPR requirements:
Charities need to clearly explain why they are collecting personal data and how they intend to use it. They will need explicit consent to give data to third party providers. Consent must be unambiguous and specific to be valid, given by an affirmative action such as ticking a box. It is no longer sufficient to rely on implied consent such as pre-ticked boxes on websites.
It is not necessary to obtain consent for all forms of direct marketing, such as post or calls to numbers not registered with a telephone preference service, but organisations must be able to justify the legitimate interest condition.
User access to personal data
Users will now be able to request access to their own personal data to see what data is held and what it is used for. Charities must have processes in place to be able to deal with such requests, as transparency and accountability are key principles under the GDPR.
Request removal of personal data
People can request that organisations remove their data, either if they no longer want the charity to hold it or if it is no longer used for the purpose for which it was collected. Any data held will need to be up-to-date, accurate and held for no longer than necessary.
Fines and the duty to report data breaches
The amount that the Information Commissioner’s Office can fine organisations for data breaches has increased. Charities need to have procedures in place to detect and report such breaches, as there is now an onus on the organisation to report certain types of data breaches.
The GDPR raises questions about how fundraisers can identify and approach both existing and new donors. This will apply across all sectors of charities, including marketing, managing volunteers and campaigning. Charities will need to put strategies in place at board level to deal with the changes required throughout the organisation.
Whilst the structure of data protection law will substantively remain the same after May 2018 there are new and different requirements, with the burden of compliance increasing. Charities should make every effort to question their current systems and procedures in light of the new regulation. They should introduce any changes as soon as possible.