What is GDPR? GDPR replaces the Data Protection Act 1998 (DPA). It aims to standardise across the EU how personal data (often referred to as Personally Identifiable Information, PII) is handled by Data Controllers (organisations that decide why and how personal data is processed, e.g. a charity collecting donor details) and Data Processors (third parties that process that data on the controller’s behalf and on its instructions). Ultimately it gives control and ownership of data back to the individual. In terms of compliance, this is what you should be working towards now; however, it will not be enforced until 25 May 2018.
Check out this resource pack developed by the ICO for smaller organisations, and also the training available from the FSI (Swindon, 31st January, and London, 20th February). 25th May isn’t that far away, so get ready, and also check out Elizabeth Denham’s latest blog.
“A perpetuated misconception that all profiling needs consent. It doesn’t, end of.” Since this seems to have been an area of much confusion under the GDPR, we thought we would post a link to Phil Lee’s blog from FieldFisher (a European law firm), in which he tries to set things straight.
The Information Commissioner’s Office has published new guidance explaining how an organisation can use legitimate interests as the basis for processing data. The new guidance is part of the regulator’s wider GDPR guidance. Legitimate interests is one of the six lawful bases for processing, and applies when you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. It is not a catch-all: the ICO expects you to carry out and record a three-part test (identify the legitimate interest, show the processing is necessary for it, and balance it against the individual’s interests and rights). It can be used in some circumstances to justify fundraising when an organisation does not have opt-in consent. The ICO says it is likely to apply as the basis for direct marketing, and gives an example of when it might be used by a fundraiser; note, though, that electronic marketing (email, SMS) remains subject to the separate consent rules in PECR, so legitimate interests alone will not cover it.
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are a few new elements and significant enhancements, so you will have to do some things for the first time and some things differently. Start preparing by taking these first 12 steps.
The Data Protection Act and its associated regulations apply to organisations across the UK. The purpose of this guidance is to help charities and fundraisers better understand their responsibilities in relation to data protection, donor consent and legitimate interests, reflect on their current practices and feel confident in developing a Direct Marketing approach that takes full account of the rights and wishes of the individual.
Personal Information and Fundraising: Consent, Purpose and Transparency: Checklist
GDPR is coming, and it is great news that the Institute of Fundraising has produced a guide to help charities understand the impacts: GDPR Essentials.
NCVO has produced a handy 12-step guide to preparing for GDPR: ‘How to Prepare for GDPR and Data Protection Reform’.
Also valuable is their recent GDPR webinar, now available to view on YouTube: ‘What Does GDPR Mean for your charity’.
Charity cloud-software partner Blackbaud Europe has released a new 12-page handbook to help non-profits understand the implications of GDPR for their organisations.
‘The GDPR Handbook for Non-Profits’ runs through the main differences between the new regulation and existing laws, gives advice on the first steps non-profits should take, and explains how governance and technology underpin compliance with the new data protection legislation: GDPR Handbook.
Also of interest is the recording of their recent one-hour webinar, ‘Communicating Privacy Practices to Donors’.
Documents of interest
- Overview of GDPR
- Take the ‘Getting Ready for GDPR’ Checklist on the ICO site – it will give you a report on what you need to do.
- Read GDPR 12 Steps to Take Now
Note that the Consent Guidance is due to be finalised in December 2017, but you can see a draft of the guidance here.
Overview of the General Data Protection Regulation (GDPR)
This overview highlights the key themes of the General Data Protection Regulation (GDPR) to help organisations understand the new legal framework in the EU. It explains the similarities with the existing UK Data Protection Act 1998 (DPA), and describes some of the new and different requirements. It is for those who have day-to-day responsibility for data protection.
This is a living document and will be expanded in key areas. It includes links to relevant sections of the GDPR itself, to other ICO guidance and to guidance produced by the EU’s Article 29 Working Party. The Working Party includes representatives of the data protection authorities from each EU member state, and the ICO is the UK’s representative.
Blog: Andrew Cross, Data and Insights Lead at Lightful. This blog gives a brief overview of the following key areas: data controllers vs processors, what you can do starting today, and consent. We will post further, more detailed information on these and other areas of GDPR, but this is a good read to get you started and thinking about how this will affect your charity.
The General Data Protection Regulation applies from 25 May 2018. The Data Protection Bill gives more detail of the reforms beyond the GDPR. In a series of blogs by Elizabeth Denham (Information Commissioner), she busts a series of myths that have surfaced over the last few months – interesting reading: