GDPR – what do you need to know?
The GDPR or General Data Protection Regulation is due to come into force in 2018. By all accounts it will trigger a seismic change in the way charities, corporates and governments handle individuals’ data. This piece sets out the upcoming changes and explains how charities can act to prepare now.
The GDPR or General Data Protection Regulation is a regulation from the European Union which, despite Brexit, will come into UK law in May 2018. It aims to create uniform standards across Europe on the use of individuals’ personal data: that is, any data which belongs to an individual, or which could be used to identify them in some way. The overarching goal of this very large regulation is to expand people’s rights over their data, making data more like any other property one owns, from cars to clothes to houses.
What does this mean for charities? Well, charities, like most organisations, handle people’s data. They are both custodians of it and users of it, the latter category primarily applying to fundraising charities. This makes them both ‘data controllers’ and ‘data processors’ under the new regime, which adds to the responsibilities they may already have had under the UK’s Data Protection Act.
All charities, along with every business, membership organisation and government, hold data and therefore are, to a greater or lesser extent, data controllers. At the very least they store information about their employees, volunteers and possibly even donors. The responsibility on charities to look after this data is going to become much more serious under GDPR.
The headline grabber has been the fines possible in the event of a data breach, which means data under your control being stolen or lost. GDPR sets the upper limit for fines at €10m or 2 per cent of worldwide turnover, whichever is higher.
This should not be understood as a punishment for being hacked. What GDPR requires is that charities and other bodies put into practice a range of data protection principles, such as anonymisation and encryption, controlled access, and the appointment of data protection officers, to show that they have responsibly tried to minimise the risk. It is those organisations that do not reasonably attempt to follow the guidance set out by the Information Commissioner (who enforces GDPR in the UK) who are at risk of punishment.
Data controllers also define how data is collected and what processing may be done to it. In some cases the data will then be used by a processor who works on it; in others the controller and the processor will be the same organisation. The classic example for the charity sector is a fundraising agency doing processing on behalf of the data controller, a charity. GDPR requires that both ends of that relationship take steps to ensure that what the other is doing is fair and legal. If they are found not to have done so, there will be repercussions.
It is important to note that there is no automatic right to have or to process someone’s data. This is even the case for publicly available information. If we think about conventional property rights again, just because your car is on a public street doesn’t mean that it is ok for me to use it – no matter how responsible I am with it. GDPR makes an individual’s rights over their data closer to their rights over their car.
Charities, and other organisations, therefore now need to give a reason why they hold and process people’s data. The Information Commissioner says the best reason is consent: that is, the individual who owns the data tells the charity that they can have it, and what they can do with it. Think back to the car – “no, it is not my car, officer, but my friend has given me permission to borrow it and drive it to Scotland for the weekend”. This is easy to check and easy to prove, provided the right paper trail is in place.
There has been some controversy about consent in the charity sector because the Information Commissioner takes the view that proving consent requires a positive affirmation that an individual understands what their data is being used for: the ‘opt-in vs opt-out’ debate. Charities fear this will harm their ability to gather and use data, and therefore ultimately their fundraising income, as people are less likely to tick opt-in boxes than to fail to tick opt-out boxes.
Ultimately the decision on what is reasonable will be made by the Information Commissioner and excuses of the ‘he didn’t say I couldn’t drive to Scotland’ type are unlikely to be looked upon kindly.
While the Information Commissioner considers consent to be the gold standard, there are five other grounds for processing individuals’ data under GDPR. Most are very specific and do not apply to charities, but one, the legitimate interest condition, most likely does.
This allows the processing of data when it is in your legitimate interests, provided this does not override the rights and freedoms of the individual who owns it. Currently there are no explicit definitions of what is legitimate in every context, and it is possible that there may never be. The examples given by the Information Commissioner set a high bar, weighing the interests of a data controller that is owed an outstanding debt against the rights of the individual debtor.
To extend our previous analogy: “I have this car and am driving it to Scotland because its owner has not made their payments and it is in the legitimate interest of the finance company for me to repossess it”.
There are many more aspects to the GDPR than we have space to cover here. A great deal of guidance is available currently from the Information Commissioner and third parties. As we approach May 2018 we can expect to see more guidance clarifying issues and setting out more clearly how charities should be responding. It is an evolving picture so if your charity holds and processes data it is important to take it in hand now, try to get up to speed, and continually monitor for developments.
Thomas Collinge is a political and social affairs journalist, and public affairs assistant, at Slack Communications.