The General Data Protection Regulation is coming into force from 25th May 2018. The new legislation will replace the Data Protection Act 1998. The GDPR seems to have been the topic of discussion for many months, yet some organisations still don’t know where they stand or how it affects them. Organisations that are not operating in the private sector like charities and non-profits are still questioning how the legislation will impact their operations.
The first thing to be aware of is that there has been a lot of scaremongering. Most people actively talking about GDPR are, if we’re honest, trying to sell something. There’s nothing wrong with trying to sell your services but in the case of GDPR there have been a lot of instances where the truth has been embellished. There’s been a lot of cases of Chinese whispers where one person has been told one thing and then they have passed it on with incorrect information.
Before we get started, we want to point out that we are not solicitors or legal experts. What we discuss in this blog is based on what we have learnt in our industry and from the Information Commissioner’s Office (ICO) website. We are not intending to offer legal advice, just some explanation and help in the hope that you will investigate the actions most appropriate to your organisation.
How will charities be impacted by GDPR?
The first thing to understand is that the GDPR will affect charities and non-profit organisations. The legislation is applicable to all organisations that can be considered data controllers and data processors.
A data controller is any organisation that processes data and is responsible for determining how and why that data will be processed. A data processor is an organisation that is responsible for processing data on the behalf of a data controller.
Basically, if you process personal data then GDPR applies to you, even if you are a charity or non-profit organisation. Personal data can be information you hold on your employees, your clients, your suppliers or those donating to you. Under GDPR, it is your legal obligation to respect the data you process and protect it.
What happens if a charity is not GDPR compliant?
If an organisation, including charities or non-profits, is found to be in breach of the GDPR then they can face severe consequences. Fines of up to 4% of your annual global turnover or €20 million, whichever is greater, can be applied if an organisation is found to be non-compliant with the GDPR. There is also the possibility that if you suffer a data breach that will have a negative impact on a data subject you must inform the ICO within 72 hours of discovering the issue. If you do not inform the ICO then you could be liable for further fines of 2% of your annual global turnover or €10 million.
These fines will apply to organisations outside of the private sector. In 2014, it was reported that a charity experienced a severe data breach that saw their client data compromised and their website smeared with activist messages. The charity was fined £200,000 for the breach by the ICO.
What should charities do to get ready for GDPR?
We advise any organisation, not just charities, to begin their journey to GDPR compliance with understanding the personal data that you process. You cannot begin to make plans and put processes in place to ensure your compliance if you do not know what data you hold in the first place.
Your first step should be to understand whose personal data you hold. You will more than likely hold employee data, but do you hold client information? Supplier details? People who have donated to you? Volunteers? Take note of the different kinds of data you process and categorise them so that it’s easier to understand the processing decisions around them.
The next step is understanding what data you hold on these specific groups. The likelihood for most organisations is that your employee data is going to be particularly sensitive. You will hold a lot of information about your staff. Make a record of everything you can think of that you process about your staff. You then need to do this with all the other different types of personal data that you have identified such as your clients and volunteers.
You should then think about where this data is held. Is it all digital? Is it on a server on-premises or in the Cloud? Do you have filing cabinets holding this data? Do you work with a lot of paper holding personal data on desks? Does data go offsite through mobile devices or paper? You need to think about the geography of the personal data you process and the risks that could be associated with it. For example, if you have caseworkers going off-site with data on an iPad do you have the ability to control that device? Could you make it safer by deploying mobile device management?
You also need to consider how long you have held data for. If you are still holding the data of an employee or client that left 20 years ago you need to think about whether you still need it. If you do, and if you can justify the reasons why you do, then that’s fine. If you don’t need to be holding that data then you need to think about removing it. If you choose to process data then that data is your responsibility. The less you hold the less risk there is.
The most important thing that you need to consider throughout the whole process of GDPR compliance, not just the first steps, is your reasons why. If you hold someone’s data you need to be able to justify the reasons why you do. No one is trying to restrict you or say you can’t do your job anymore but they are saying you need to be able to justify why you process data. For example, if you hold someone’s middle name can you justify your reasons for holding it? Yes, you may need their first and last name but what benefit does holding the middle name bring to you? Under GDPR, you have to indicate your legal basis for processing data. There are six legal bases to choose from and when you choose one you have to be able to justify it.
Fundraising and GDPR
Charities and non-profit organisations are not exempt from GDPR and therefore when contacting people in regard to fundraising they need to consider their justification for holding people’s personal data. If a donor or other individual does not fully understand what your organisation is doing with their personal data then you cannot do it. Due to being able to use the grounds for legitimate interest, it appears that you don’t need to have consent for every bit of personal data that you hold but you need to be clear on your justification for holding that data other than having consent.
When fundraising, it is important to understand that consent cannot be assumed. Failure to opt-in is not consent, nor is silence or previous support. Charities and non-profits need to be aware of this when considering how they use data when fundraising.
How can charities protect their data under GDPR
Once you’ve ascertained the current situation of the personal data you process, you need to think about the actions you are going to take to reach GDPR compliance. There are a lot of different processes and policies that you will need to put in place to ensure that you are processing personal data legally.
You will also need to ensure that the personal data you are processing is protected. If you choose to hold an individual’s personal data then you are taking responsibility for it and therefore you need to protect it. It’s the same as if you were babysitting a child to a certain extent. Someone has entrusted you with their child because they think you have the capability to keep it safe. Someone’s data is the same. You need to take action to look after the data you hold and protect it.
There are a lot of things you can do to ensure that your security is up to scratch. We always recommend our 7 Essential Steps to Cyber Security as the first port of call for the basics. The best advice we can give for applying the appropriate security measures for GDPR is to conduct a gap analysis on your IT security to identify any issues. You may also want to consider gaining a Cyber Essentials accreditation, which is a certification backed by the ICO.
If you are concerned about GDPR or your charity’s security please do get in touch. We can help you with your gap analysis and gaining the Cyber Essentials accreditation. Call us on 01675 469020 or email firstname.lastname@example.org.