New, wider and more far reaching controls on data protection will come into force next May when the General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It will apply to all organisations processing personal data of people residing in the EU, regardless of the organisation’s location.
Companies and charities fined for non-compliance
The information commissioner, who is responsible for implementing data protection legislation has already been flexing her muscles on breaches of the existing legislation. Companies such as Honda and Flybe, both of whom sent out marketing emails to customers without consent, have been heavily fined. You may also have read earlier this year about the 11 large charities which were fined for screening donors to target them for additional funds and trading personal details without consent.
The new data protection world
Penalties under the new regulations will be higher and tiered from the most serious infringements, for example, not having customer consent to process data to less serious, for example, not having records in order or a failure to conduct an impact assessment.
So, from May 2018, organisations must take into account the need to protect data at the start of designing a data storage system and will only be able to hold and process data absolutely necessary for the completion of its duties. Consent must be given by a client or donor before personal data can be processed. It must be easy to withdraw consent as it is to give it. They have a right to see the data being kept on them and they also have the right to have their personal data erased.
A challenge for the sector
The Institute of Fundraising has conducted a survey recently looking at how charities are preparing for the changes to data protection regulation. Of the 340 organisations which responded, almost two thirds said they had no plan in place. Nearly 65% of them were small charities with annual incomes of less than £1 million.
One of the biggest challenges facing respondents to the Institute of Fundraising’s survey was a lack of clear guidance from regulators, but they also identified a lack of internal skills or expertise in data protection and the limitations of systems, capacity and technology.
Inevitably, while larger, better resourced charities are recruiting new staff and looking for external support from data protection experts, small and medium sized charities are having to do more of a DIY job. With this in mind, we are hoping to organise a training session or workshop on the new regulations. If you would be interested in attending a local NCVO workshop at 3VA for a discounted price of £100.00 or a small workshop led by 3VA where all of our knowledge is pooled, please contact Martina Taylor at email@example.com by 31 October indicating which option you would prefer. If we have sufficient interest, we can schedule something over the next few months. We would also be very pleased to hear from any organisation which has begun the process and would be happy to share their experiences with others.
What we are doing at 3VA
At 3VA we are in the process of cleaning up our database and putting together a plan so that we can stay compliant. This is the outline of the process we are following:
- We are setting up a small working group to oversee the work and keep our trustees informed. Responsibility for data protection will now lie at a board level, so it is important that they have the confidence in systems and processes to ensure that data is handled properly.
- We are conducting a complete audit of personal data which we hold, including employees, volunteers, members, events/training participants etc, including seeing what personal data we hold, how consent was gained, where it is stored, how long it is stored for and how it is used.
- We will ensure we have processes for securely deleting data no longer needed.
- We will decide on whether to have an ‘opt in’ or ‘opt out’ approach to including people on our database and mailing lists.
- We will ensure that we have clear and updated privacy notices on all our communications and ensure that if someone does raise a query, we have the systems in place to deal with them efficiently and accurately.
- Finally, we will be reviewing our online security to ensure that we are protecting data adequately.
Article by Martina Taylor and Jenny Watson