The General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998 with effect from 25th May 2018.
The Information Commissioner's Office (the ICO) is still preparing its detailed guidance, even though the bill has now been passed to ensure the GDPR becomes law by its due date.
Support Cambridgeshire attended a Charity forum recently held by Hewitsons, solicitors, and here are some interesting and important snippets from the discussions.
Historic database contacts:
It was widely felt that organisations which hold a historic database of contacts will not need to retrospectively gain consent. Let's take a simple example:
An organisation has been sending newsletters to a database of 300 contacts for the past 4 years. The forum's view was that this organisation will not need to gain new consents for these existing 300 as it can claim legitimate interest: these 300 have been receiving its newsletters for years and are clearly interested in receiving them. Note that legitimate interest is a lawful basis that has to be assessed and documented (the GDPR expects a balancing of the organisation's interest against the individual's rights), and organisations must in any case have a working unsubscribe in place and honour it promptly.
New contacts would need to give clear, affirmative (opt-in) consent before being added to the newsletter list.
The GDPR is clear that where organisations providing services or projects to children rely on consent, the consent of a parent or guardian MUST be obtained. Based upon the recent forum discussion, it was also felt that, given the higher level of scrutiny applying to children's data, retrospective consents should be obtained prior to the 25th May 2018 wherever they are NOT already in place or have been missed.
Cloud based servers:
For those organisations operating cloud based services, the best advice given was to contact your particular supplier to see what protocols they have in place to ensure that data is held securely on their cloud based system: where the data is stored, who can access it, whether it is encrypted, and how quickly they will tell you about a breach. If a written data processing agreement is not in force, one should be devised which suits both parties; under the GDPR the contract between the organisation (the controller) and the cloud supplier (the processor) must set out the processor's obligations. Under the GDPR both the supplier of the cloud based system and the organisation can be held liable for data breaches, and as personal data breaches that put individuals at risk have to be reported to the ICO within 72 hours of the organisation becoming aware of them, it is probably best to avoid them at all costs.
The forum examined some of the fines that have been levied recently, mainly on larger Charities: Cancer Support UK at £16K, The Royal British Legion at £12K and the NSPCC at £12K. The forum noted that most of these fines were given for data swapping and the selling of contact lists, not for minor breaches of the current Data Protection Act. Always remember that the ICO's stated role is to advise and guide; fines are reserved for serious breaches.
The forum felt it was important that each and every organisation had a document retention policy (DRP) in place. Contact firstname.lastname@example.org if you require a template DRP to alter and amend to fit your own organisational circumstances.
The ICO 12 step Model:
The forum felt that this was a useful document (the ICO's "Preparing for the GDPR: 12 steps to take now") which should be read by all organisations in preparation for the GDPR.
The 12 step Model can be viewed here:
For those organisations with good Data Protection principles in place already, the new GDPR should hold few surprises. The first stage is to analyse what data you have, why you use it and how you store and retrieve it. Organisations then need to think about how they obtain consents: under the GDPR these need to be clear, transparent and explicit, given by an affirmative action (no pre-ticked boxes), recorded so that they can be evidenced, and as easy to withdraw as they were to give.
Support Cambridgeshire is hoping to arrange a further Charity forum with Hewitsons in early 2018: Any organisation interested in attending should contact email@example.com.