GDPR for the Third Sector

2. Who here is 100% confident their organisation
complies with the laws on data protection
today?
And that you are ready for the change in the law
next year?

3. ▪ Jowanna Conboye
▪ IP & IT Associate,
specialising in data protection advice
▪ ip.it@stephens-scown.co.uk
▪ 01872 265112

4. DATA PROTECTION IN THE NEWS
Charities investigated
for ‘calling vulnerable
people for money’
Source: The Guardian July 2015
ICO fines eleven
more charities
Source: ICO April 2017
RSPCA and British Heart
Foundation fined over
‘wealth screening’ data
breaches
Source: BBC News Dec 2016

5. GOOGLE IN 1998

6. BBC IN 1998

9. THE LAW
GENERAL DATA PROTECTION REGULATION 2016
A new law for
a new age? Increased burden
from Europe or a
golden opportunity?
Passed as law in
May 2016 in the EU
Comes into force in May 2018
with enforcement action due
from day 1.

11. GDPR
STAYING THE SAME
a) Lawful, fair and transparent
Must satisfy one of the conditions for processing:
• consent
• performance of contract with data subject
• legal obligation
• vital interests
• public interest
• legitimate interests, unless overridden by rights of data subject
The data protection principles
(under article 5)

12. b) Purpose limitation
• Used only for the reason it was collected
• Notified to the data subject
• “Specified, explicit and legitimate”
c) Data minimisation
• Don’t hold more data than you need
• “Adequate, relevant and necessary”
The data protection principles
(under article 5)
GDPR
STAYING THE SAME

13. d) Data quality
➢ “Accurate and kept up to date”
➢ Beware of assumptions
➢ When was the last time you updated the data?
e) Storage limitation
➢ Don’t keep data for longer than necessary
➢ Data cleanse!
f) Data security
➢ “Integrity and confidentiality”
The data protection principles
(under article 5)
GDPR
STAYING THE SAME

15. (Part 1)
• Accountability
➢ data controllers will have to show compliance
➢ high administration burden
➢ ICO says this is the biggest change
GDPR
WHAT HAS CHANGED?
• Enforcement
➢ used to be a maximum of £500k in the UK
➢ now up to €20 million or 4% of worldwide
turnover!
➢ (£17 million under Data Protection Bill)

16. • Consent
➢ no more implied consent
➢ will have a drastic effect for the charities who collect and use
customer data for fundraising
➢ “freely given, specific, informed and unambiguous”
➢ opt-in only, but what about Privacy and Electronic Communication
Regulations? Soft opt-in and ePrivacy Regulation
➢ beware of “re-contacting” people to refresh their consent – e.g. Flybe
and Honda
➢ underlying message is if you are relying on consent you need to tell
people exactly what you are doing and then get their active
agreement – no tricks!
➢ for legitimate interests, you need a written balancing exercise
(Part 2)
GDPR
WHAT HAS CHANGED?

17. • Data breaches
➢ Organisations must report any data protection breach within 72 hours. But it might be
unclear whether a breach has happened, so businesses will need a Data Breach
Response Plan
• Pseudonymisation
➢ Processing of personal data so that it cannot be attributed to a specific individual
without additional information
➢ New concept may catch charities that think they deal in anonymous data
➢ Still personal data but potentially subject to fewer restrictions
➢ The key must be kept separately and securely
• Data Processors
➢ Data processors must directly comply with the new law to the same standard as
controllers and also will be liable to fines
GDPR
WHAT HAS CHANGED?
(Part 3)

18. GDPR
WHAT HAS CHANGED?
(Part 4)
• “Privacy by design”
➢ requirement to implement data protection by design not tagged on at the
end of a project
➢ organisations will need to conduct Privacy Impact Assessments for each
new project that deals with any personal data
➢ how does this apply to existing projects or the business as a whole – will
you need to “re-design”?
➢ Best solution is to conduct a Data Protection Audit

19. o Right to object to profiling
o Right to data portability
o Right to be forgotten
• Enhanced data subject rights, including:
(Part 5)
GDPR
WHAT HAS CHANGED?

21. BREXIT
• Key date: GDPR becomes law on 25 May 2018 before we leave EU
• UK bill: UK government have published Data Protection Bill which
absorbs GDPR into UK law
• Timings: DP Bill will become law at the same time the GDPR comes
into force in the EU
• Conclusion: the GDPR is here to stay!

22. WHAT’S THE RISK OF GETTING IT WRONG?
▪ Huge fines – for data protection breaches, this is up to £500,000 now
and will increase to €20 million or 4% of turnover in 2018
▪ Being made to comply anyway - being forced to change your
procedures by regulators and having to abide by data protection laws
▪ Bad publicity - affect on customer and donor confidence in your
charity can lead to loss of reputation and significant loss of funds

23. WHAT CAN YOU DO NOW TO PREPARE?
7 TOP TIPS
1. Audit all the personal data you hold:
▪ how do you collect data (both online and offline)?
▪ how do you store data (both hard and soft copy)?
▪ how do you use data (both internally and externally)?
2. Review your fundraising procedures and basis for processing
▪ Are you relying on consent?
▪ Is it opt in or opt out?
▪ What permissions do you have to contact donors and customers?
3. What have you told your donors? Do you know?

24. WHAT CAN YOU DO NOW TO PREPARE?
7 TOP TIPS
4. Conduct PIAs
5. Make sure you have a the correct policies for each different
type of processing and that you comply with them in practice
6. Talk to your suppliers about whether they are ready for the
GDPR.
7. Ensure your employees are trained in data protection

26. ▪ Jowanna Conboye
▪ IP & IT Associate
▪ ip.it@stephens-scown.co.uk
▪ 01872 265112