Complying with the new data protection regulations
Thursday 13th July 2017
Like all organisations which process personal data, charities must comply with data protection legislation. In light of the forthcoming General Data Protection Regulations (GDPR), which will replace the Data Protection Act 1998 (DPA) from 25 May 2018, this is more important than ever.
It is essential to have compliant data processing measures and procedures in place sooner rather than later, especially as there will be severe penalties for failure to comply with GDPR including fines equivalent to 4% of an organisation’s annual turnover.
Other sanctions include suspensions and bans from processing data, which would be extremely damaging to charities that rely heavily on personal data to promote their services and products and to assist with fundraising.
Here are some of the main changes and tips for charities to ensure compliance:
Privacy notices
Privacy notices (often used in conjunction with longer privacy policies) should be provided to supporters of the charity at the point their personal data is collected, or within a reasonable time where the data is obtained from a third party. The GDPR expands upon the requirement for certain information to be made readily available to data subjects when their data is collected.
Under the GDPR, the information to be provided includes details of the data controller, the purpose of the processing, the third parties the data will be shared with and the right of access. In addition, the GDPR requires data controllers to provide, amongst other things, the legal basis for processing, the period for which the data will be stored, whether the data will be transferred outside the EEA (European Economic Area), the data subjects’ rights (as further detailed below) and the right to lodge a complaint with the Information Commissioner’s Office (ICO).
Procedures for obtaining consent
As with the DPA, the GDPR will require data controllers to have a legitimate reason for processing personal data. If you rely on the consent of the data subject, under GDPR you must be able to demonstrate it was freely given and communicated by a statement of clear affirmative action such as an “opt in” box rather than an “opt out” box. Silence, inactivity or pre-ticked boxes will no longer constitute consent.
Marketing and profiling
In light of recent ICO (Information Commissioner’s Office) investigations into charity use of personal data as reported in the media, charities must be extremely careful when using personal data for marketing purposes including the use of profiling. New privacy regulations which complement the GDPR are due to come into force in 2018. The regulations contain specific legislative restrictions on the use of electronic communications for marketing purposes.
The draft regulations will continue to allow charities to send marketing emails/SMS about their products or services to individuals who have purchased similar products without obtaining express consent, provided the individual is given the opportunity to object to such marketing when their details are collected and each time a marketing email/SMS is sent (known as the soft opt-in approach). In all other situations, express consent will be required.
It is important to note that the soft opt-in approach only applies to commercial promotions involving the marketing of goods and services similar to those purchased by a supporter. It therefore cannot be used to send further marketing to a supporter following a donation unless express consent has been given.
Profiling can be used to evaluate personal aspects of an individual, in particular to analyse or predict their economic situation, health, personal preferences, reliability, behaviour, location or movements for the purpose of marketing. Under GDPR, supporters must be made aware of this including how decisions are made, the significance and consequences of such decisions, along with the right to object to the processing.
Procedures for data subjects’ rights
The GDPR expands upon data subjects’ rights. In addition to subject access, data subjects will have the right to require inaccuracies to be corrected and information to be erased, to prevent direct marketing and automated decision making, to withdraw consent, and to data portability (the right for data to be provided in a usable, commonly used format such as an electronic format and transferred to another data controller upon request). Procedures will need to be put in place to deal with such requests.
Subjects’ access requests
There is currently a requirement to respond to such requests within 40 days. Under the GDPR, this will be reduced to one month and additional information must be provided such as data retention periods, the right for data to be deleted, inaccurate data to be corrected and the right to lodge complaints with the ICO.
There will no longer be a right to charge a flat fee for the provision of such information; instead, the information must be provided free of charge unless the request is manifestly unfounded, excessive or repetitive. Creating template response letters that comply with the GDPR will assist in dealing with such requests.
Data breach notification
Currently, it is good practice to report personal data breaches to the ICO. Under the GDPR, serious breaches should be reported immediately and within 72 hours of becoming aware of the breach. An explanation will be required where this timescale cannot be met. If the breach is likely to result in a high risk to the rights and freedoms of data subjects, the data subjects must also be notified without undue delay.
Data Protection Officers (DPOs)
Appointing or designating an individual as a data protection officer to oversee an organisation’s compliance with data protection legislation is considered good practice. Under the GDPR, this will be a requirement for organisations which undertake regular and systematic monitoring of data subjects on a large scale. A DPO will be required to fulfil a number of obligations, including: (i) monitoring compliance, (ii) liaising with the ICO, and (iii) training staff.
Data protection policy
A data protection policy helps to ensure that members of staff are aware of their data protection duties. As the GDPR requires organisations to be able to demonstrate their compliance through technical and organisational measures, a data protection policy is essential and should be updated to take account of the changes introduced by the GDPR.
Data processing agreements
Any arrangements with third parties to process data on your behalf/upon your instructions must be in writing and contain various guarantees of compliance with the GDPR, including but not limited to: only acting on instructions of the data controller, notification of breaches, restrictions on sub-processing without consent, assistance in dealing with data subjects’ rights, requirement for personal data to be kept secure and confidential, and return or destruction of data upon request.
Such agreements may be necessary to document arrangements with third parties that undertake marketing and fundraising on your behalf or where a cloud software provider holds data on your behalf. Such provisions should be included within any new agreements entered into, while existing agreements which will continue beyond 25 May 2018 should be checked and amended as appropriate.
Data sharing agreements
If you share supporter data with third parties for their own use rather than acting upon your instructions (such as other charities and organisations for their own purposes), not only should supporters be made aware of this when data is initially collected but it is also recommended that data sharing agreements are entered into. These should stipulate the purpose for which the data can be used by a third party and should include similar provisions to those included in data processing agreements. Having such agreements in place will help ensure your compliance with the GDPR.
Records of processing activities
For those charities which are currently registered with the ICO, there will no longer be a requirement to notify the ICO of the data processing activities undertaken. Instead, all charities which process personal data must keep an internal record of their processing activities, including the categories of personal data they process, the purposes of the processing, the applicable retention periods, and the technical and organisational measures taken to keep the data secure.