On 25 May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 (DPA). This will change the way you can collect, store and process personal data. The principles of the new GDPR legislation are familiar from the DPA, but the obligations in some areas are more extensive. Under the EU framework serious violations will mean a penalty of €20m or 4% of global turnover, whichever is greater.
Most charitable organisations hold vast amounts of personal data (from HR details for staff to donor databases). Many also hold sensitive personal data such as racial or ethnicity details, information regarding religion, physical or mental health conditions, or criminal record details. The charity sector has significant legal and moral obligations to protect this data from harm. Charities need to ensure their internal processes and IT systems will be able to cope with the new regulation from May 2018.
The move to comply with the new Regulation will require accurate maintenance of documentation of personal data and systems recording the exact method and details of consent. Customer consent must now be freely given, specific, informed, and unambiguous. Organisations must be able to show how and when consent was lawfully obtained. The data subject must have the right to withdraw consent at any time, and it must be as easy to withdraw as it is to give. Consent mechanisms will need to be genuine and granular: ‘catch-all’ consents will likely be invalid. The individuals must take affirmative action to provide their consent, such as signing a form or ticking a box.
Under the GDPR data subjects have a ‘right to be forgotten’ ie, to have their personal data permanently erased. There must be a reliable business process for data erasure. Organisations in possession of the data must also notify other holders of the data that consent has been withdrawn and data should be erased. Data erasure can be difficult due to backups, multiple systems and cloud storage.
The Institute of Fundraising (IoF) has launched a new guide entitled GDPR: The essentials for Fundraising Organisations available here
Please contact us if you would like to discuss preparing for GDPR.