The GDPR is the EU data protection regulation which replaces the current Data Protection Act. It aims to simplify regulation and give individuals more control over their personal data.
For Third Sector organisations already working within the constraints of the Data Protection Act it is unlikely to mean enormous changes to their approach. However, it does come with some additional duties and some additional anxiety, due to the enormous penalties for non-compliance. The penalties for non-compliance will make third sector organisations think twice about their use of personal data (i.e. fines can be up to 4% of worldwide turnover).
The regulations become enforceable from 25 May 2018. From that point on, organisations that process personal data must comply with the new regulations.
For example, regulations will apply to data stored and processed for campaigning, for fundraising and for volunteer management. It should also be noted that volunteers are to be treated in the same way as employees, i.e. they must have appropriate training in the area of data protection.
Third sector organisations must arrange an audit of personal data held and know:
* Where it comes from.
* Who it is shared with.
When asking for consent to store someone’s personal details:
* You must explain why you are collecting the data.
* You must explain why you are retaining it.
* You must provide clear information on how it will be used.
Explicit consent is now required to sell or share data with third party organisations. For example, when building an online mailing list a pre-ticked box on a form is no longer allowed. Consent must be unambiguously indicated through an action of the subscriber, i.e. they must tick the box themselves.
Everyone who is on an existing list must be aware that they are on the list and why they are on there. Consent is not, however, required for all forms of direct marketing – organisations can still make calls or send direct marketing material by post provided they can satisfy the ‘legitimate interest’ condition. Situations where you do not need consent are set out specifically in the GDPR* (see my notes at the foot of this article).
Individuals will have a right of access to their own data at any time. Third sector organisations therefore will need to plan how to handle data access requests and decide on timescales and procedures.
There is also a new ‘right to be forgotten’ choice and individuals can request to be removed from data lists. Data also has to be kept up to date, so regular checks will be required on existing data. This will require privacy policies to be updated to outline procedures for individuals to request removal of their data. Individuals also have to be able to find out what data you hold about them.
Procedures need to be in place to detect, report and investigate any personal data breaches.
The new legislation provides an opportunity to review current practices and ensure you are not contravening any of the additional protections required by the new act. And of course it needs to be taken seriously due to the severe penalties for any organisation found to be in breach of the new legislation.
What about Brexit?
Brexit will not put paid to this legislation; it is almost certain that the UK will adopt most (or all) of GDPR legislation.
Do you need help with compliance?
Jim Byrne Accessible Website Design can help your organisation comply with the new regulations in the following areas.
Making your online content more secure
If you are holding individuals’ data on your website (e.g. members, volunteers, clients) you need to be active in ensuring your website is secure. I can help you by hardening security on your server, providing security monitoring services, enabling secure connections (e.g. an SSL Certificate) and providing backups for all of your online data (both database content and files).
Ensuring online forms comply
I can review your existing forms to check compliance and update any that need to be updated.
Providing a website compliance audit
I can also provide an audit of your website and website data to check how you are collecting and storing users’ personal data.
Contact me now for help with GDPR compliance.
* The UK’s Data Protection Regulator (ICO) highlights four factors in relation to whether you can rely on Legitimate Interests to hold an individual’s data:
- You need to show that you have balanced their interests with your interests when processing their data.
- Your assessment needs to be documented, be available and be open to challenge by affected individuals or the Regulator.
- You need to be able to uphold the individual’s right to object to such processing.
Contact me if you value experience (over 20 years as a web developer) and unrivalled technical know-how. Get in touch. Tel: 07810 098119. Email: email@example.com