Submitted by Carrie Brookes on 10 Apr 2018 - 3:16pm
Major changes to Data Protection regulations come into effect from May 25th affecting all organisations regardless of size.
This page rounds up the best guidance and advice we've gathered on General Data Protection Regulation (GDPR) for the voluntary sector.
Sorry, what's GDPR?
The General Data Protection Regulation (GDPR) will replace the UK Data Protection Act 1998 (DPA) from 25 May 2018.
The GDPR strengthens the rights of individuals to access and amend their personal data; places greater emphasis on an organisation’s accountability; and introduces more serious consequences for non-compliance, including fines.
The Information Commissioner's Office (ICO) is responsible for upholding information rights and enforcing GDPR, and offers a wealth of guidance on where to start, including:
- GDPR preparation: 12 steps to take now
- Getting ready for GDPR checklist - a self-assessment checklist
- Advice line for small organisations
What should my organisation be doing to be GDPR compliant?
To be GDPR compliant you will need to have policies and processes in place relating to personal data and make sure all staff are trained. In particular you should:
- Have a named person responsible for personal data in your organisation and make sure all staff and trustees know the GDPR is coming - and when
- Do a data map: identify what personal data you hold and where it came from. Sefton CVS have created an Information Audit template and other resources which can be amended to suit your organisation
- Document your lawful basis for storing and using personal data
- Put systems in place to respond to requests for access or updates to personal data or for the data to be deleted (called ‘subject access requests’)
- Make sure your privacy notices are written clearly and are easily accessible.
- Review and update how you seek and manage consent (an opt out option is no longer good enough!)
- Put procedures in place to report a data breach to the ICO within 72 hours if necessary, and make sure all staff understand what constitutes a data breach. Further guidance on data breaches is on the ICO website.
- Think about extra protections for under 16s
Frequently Asked Questions
The ICO has compiled a list of FAQs for charities, and below we've pulled together the questions we hear most often.
Does it apply to us? We're volunteers only with no paid staff.
Yes, it applies to all organisations collecting personal data.
But we only have email addresses, that's not personal data?
Yes, it is under GDPR guidance. Any data that can identify a living individual is classed as personal data.
Do I need to email everyone on my mailing list asking for their consent to continue contacting them?
You may have seen a growing number of organisations carrying out this exercise. There are no 'rules' on this, so you need to read the GDPR guidance and apply the eight principles to your situation.
The ICO states in its FAQs for charities section:
"You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard."
Each organisation's situation is different, so you must read the guidance and apply it accordingly, hence the lack of rules on this. Electronic marketing also overlaps with another set of guidance from the ICO called Privacy and Electronic Communications Regulations (PECR) which is worth reading, in particular the area of consent and 'soft opt-in'.
The best guidance and resources we've found
Guide for charities - The Charity Finance Group guide to GDPR (PDF) is an excellent free guide split into five parts: governance, fundraising data, financial data, beneficiary data and employee data. The guide is aimed at anyone with responsibility for data management within their charity, from trustees, to finance directors, to volunteers.
Staff awareness - Think Privacy (PDF) is a useful toolkit to communicate the importance of data privacy to employees with posters and campaign ideas from the ICO.
Fundraisers - The Institute of Fundraising (IoF) and the Fundraising Regulator have published joint guidance on GDPR which has been reviewed by the ICO. The guidance is based on the questions that charities have asked and provides clear and practical answers. It looks at different fundraising methods, and identifies ways in which personal data is likely to be used in each case.
So what's next?
Event with Middlesbrough Council - MVDA will be supporting an event being organised by Middlesbrough Council’s Procurement Unit on the topic of GDPR and further details will be circulated when a date has been agreed.
Whilst we can't provide specific advice on GDPR, you may find it beneficial to undertake the training our staff did with Virtual College: An Introduction to GDPR – Free Overview.