Hewitson’s solicitors have just run a Support Cambridgeshire Charity Forum on the subject of GDPR, which comes into force on 25th May 2018.
The event, held in Huntingdonshire, attracted 20 delegates and covered the essential differences between GDPR and the current Data Protection Act, which it replaces.
There was some fantastic feedback from the event. Take a look at some of the delegate quotations below:
The session confirmed some concerns and worries I have.
Very useful – clarified the changes and made it less daunting.
The course was excellent and well delivered.
The presenters were knowledgeable, sensible and understood their audience.
It was nice to have points explained clearly. The presenters were excellent.
It gave me a clear understanding of the changes.
It was concise and useful.
It was helpful to clarify a confusing subject.
It is vital that every organisation starts to think about GDPR, and its possible implications. Hewitson’s have supplied some helpful feedback:
- The GDPR will replace the Data Protection Act 1998 on 25 May 2018. All charities must ensure that they comply with the new rules. If a charity is already complying with the DPA then there may be very little adjustment to be made to current practices and policies.
- The ICO has lots of useful guidance on its website, especially for charities, which may be found at https://ico.org.uk/for-organisations/charity/. This will also be useful for local groups and other not-for-profits even if they are not charities.
- In order to be prepared, charities must first undertake an ‘audit’ of all the personal data that they currently hold to understand what data is held, what it is used for, the legal basis on which it is held (see below) and who has access to it.
- As to that last point, charities should ensure the data is kept securely, either by physical means (e.g. a locked cabinet) or by electronic means (e.g. password protection).
- It is helpful if there is one person who is assigned to the job of making sure that a charity is GDPR compliant. Charities should follow the guidance about whether a Data Protection Officer must be appointed in their organisation, but whether required or not it is always useful to nominate someone for this responsibility.
- Boards of trustees should ensure that they recognise their duties in respect of GDPR and minute their discussions on the subject. Although it may be best for them to delegate the practical side of compliance, ultimately the responsibility to ensure that they are compliant lies with them.
- Charities should read the ‘12 steps to take now’ document which is produced by the ICO, if they have not done so already.
- The key point to remember is that there must be a lawful basis for processing personal data. For most charities this will be either because the data subject has given consent to the processing of their data (a positive opt-in) or because the processing is necessary for the purposes of legitimate interests pursued by the charity.
- Other lawful bases include processing that is necessary: for the performance of a contract to which the data subject is party; for compliance with a legal obligation to which the charity is subject; in order to protect the vital interests of a data subject or another person (i.e. to protect their life); or for the performance of a task carried out in the public interest (mostly relevant to public authorities).
- Special category data, which includes data regarding someone’s health or relating to children, must be treated especially carefully: the GDPR introduces additional protections over and above those for standard data processing.
- There is no need to panic! Changes to policies and practices cannot be made overnight. So long as charities are taking all reasonable steps to ensure compliance, they are highly unlikely to be found to be in breach. And remember that the changes are taking place across all 28 Member States, and will apply to organisations outside the EU that offer goods or services to individuals inside the EU. Many are therefore grappling with this new regime.