The General Data Protection Regulation has been enshrined in the Data Protection Act 2018, superseding the Data Protection Act 1998 and bringing data protection legislation into the digital age. It aims to standardise the way Personally Identifiable Information (PII) is dealt with in terms of Data Controllers (i.e. organisations that collect personal data) and Data Processors (i.e. a third party you share data with). Ultimately it gives back control and ownership of data to the individual.
Check out the handy charity FAQ page developed by Information Commissioner’s Office (ICO) as your first port of call, and see below for a concise list of further information you can access.
Guide to the General Data Protection Regulation (GDPR)
This comprehensive guide has been designed by ICO as the definitive source of information for organisations to reference when ensuring they are complying with the new data protection legislation. It highlights the key themes of the General Data Protection Regulation (GDPR) to help organisations understand the new legal framework in the EU. It explains the similarities with the previous UK Data Protection Act 1998 (DPA), and describes some of the new and different requirements. It is for those who have day-to-day responsibility for data protection.
This is a living document and includes links to relevant sections of the GDPR itself, to other ICO guidance and to guidance produced by the EU’s Article 29 Working Party. The Working Party includes representatives of the data protection authorities from each EU member state, and the ICO is the UK’s representative.
More useful ICO guidance:
- Data Protection Self Assessment checklists – have you taken the necessary steps towards compliance?
- How organisations can use legitimate interest for data processing. Legitimate interest is one of six bases for lawful processing of personal data, and can be used in some circumstances to justify fundraising when an organisation does not have opt-in consent. The ICO says it is likely to apply as the basis for direct marketing, and gives an example of when it might be used by a fundraiser.
- ICO busts some common myths around GDPR in a series of blogs.
- ‘Think Privacy’ – An ICO toolkit for charities (posters and more).
As the new GDPR law comes into force, are you GDPR-ready? Charity Digital News have created a handy 5 step infographic to break down the 99 articles of the law into an easy to read checklist. You can access this here.
“A perpetuated misconception that all profiling needs consent. It doesn’t, end of.” Since this seems to have been an area of much confusion under the GDPR we thought we would post a link to Phil Lee’s blog, from FieldFisher (a European law firm) as he tries to set things straight.
Have a look at these GDPR briefings on various aspects of fundraising, produced by the Institute of Fundraising (IoF) and the Fundraising Regulator and co-badged by the Information Commissioner’s Office.
Personal Information and Fundraising: Consent, Purpose and Transparency: Checklist
Check out this guide by the Institute of Fundraising, GDPR: The Essentials for Fundraising Organisations
NCVO have produced a handy 12 step guide for preparing for GDPR: ‘How to Prepare for GDPR and Data Protection Reform’
Also valuable is their recent GDPR webinar, now available to view on YouTube: ‘What Does GDPR Mean for your charity’
Charity cloud-software partner, Blackbaud Europe, has released a new, 12-page handbook to help non-profits understand the implications of GDPR for their organisations.
‘The GDPR Handbook for Non-Profits’ runs through the main differences between the new regulation and existing laws, gives advice on the first steps non-profits should take, and explains how governance and technology underpin compliance with new data protection legislation. GDPR Handbook.
Also of interest is the recording of their recent one-hour webinar, ‘Communicating Privacy Practices to Donors’.