This document summarizes a presentation on data protection and preparing for the General Data Protection Regulation (GDPR) given to the National Council for Voluntary Organisations (NCVO). It discusses key areas charities need to focus on to comply with GDPR, including obtaining valid consent, updating privacy policies and communications, data protection officers, working with third party processors, and individuals' new rights. The presenters recommend charities conduct an audit and mapping exercise to focus on policies, consent practices, records management, agreements, and staff training on data protection.
3. Introduction
Big developments in data protection in the last year – possibly more for
charities than any other sector:
• ICO issued monetary penalty notices to 11 charities
• GDPR implementation 25 May 2018
• Resulting changes to the Fundraising Regulator’s code and (at times
confused) “guidance”
• Replacement of PECR – new e-privacy directive
• Data Protection Bill, published 13 September 2017
A lot of changes required – but no fundamental changes in principle.
4. Consent (1)
• Biggest area of concern for data controllers at the moment.
• Starting point – consent is not always required.
• Legitimate interest is often a valid alternative to consent and will
remain under GDPR except for public bodies – which will need to
move to a more consent-based system.
• Consent is, and will continue to be, the main route to processing sensitive
personal data and to sending direct marketing electronically (email, text,
social media, and non-TPS registered phone numbers).
5. Consent (2)
• In fact not much change and, contrary to popular myth, tick box opt-in
will not be the only way of obtaining consent.
• Consent must be:
– Specific (not new)
– Informed (not new)
– Freely given (more detail on this in GDPR)
– Unambiguous (new but doesn’t add much)
– An affirmative act (new, but no change from current ICO guidance)
6. Consent (3)
• Key practical consequence is greater granularity:
• GDPR requires separate consent for different processing
“operations” (purposes) (eg fundraising, volunteering, wealth
screening (?)). ICO draft guidance says this applies “wherever
appropriate” and not if it is unduly disruptive. At a minimum consent
must cover all purposes.
• GDPR says there must be consent for each activity. Unclear what
activities are, but assumed to include channels of communication.
But ICO draft guidance says not if the activities are interdependent (so
they may not all need to be listed – better to do so if possible, in the
privacy policy). At a minimum consent must cover all activities.
7. Consent (4)
Other consent issues of note:
• Opt-out versus opt-in? An affirmative act is required – doesn’t have to
be tick box opt-in. If individuals freely give you their details and you
offer them an opportunity to opt out of DM, then you have lawfully
obtained consent.
• What if existing consent is not GDPR compliant? Key point is that you
have consent for the activities you wish to undertake. If insufficiently
granular then seems unlikely to be top of the list for ICO compliance
unless there are other concerns.
• How long is consent valid for? Two years is safe. Four to five years
is probably safe – try to get evidence. Longer than that, only if
specific justification.
8. Consent (5)
More consent issues of note:
• Keep clear records to demonstrate compliance – what individuals
were told, when and how they consented
• The right to withdraw consent must be stated at time consent is
collected
• Giving consent must not be mandatory if buying goods or services
(but, arguably, technically compliant if mandatory when giving a
donation)
9. Privacy statements/other communications with data subjects
Generally more onerous requirements. Privacy statements or other
communications with individuals must include:
• Identity and contact details of data controller
• Purposes of the processing
• Legal basis for processing (e.g. consent or legitimate interest – and what your
legitimate interest is)
• Recipient/categories of recipient of the personal data
• Transfer of data outside EEA
• How long data will be held for
• Existence of automatic decision making
• Individuals’ rights
• Right to lodge a complaint with ICO
• Right to withdraw consent
The statement is an opportunity to achieve fairness.
11. Data Protection Officer
• GDPR requires data controllers and data processors to appoint a DPO
– in relatively limited circumstances.
• Careful analysis required.
• If not mandatory for your charity, it is still sensible to appoint someone to
lead on data protection issues, possibly without the formal status of
DPO.
12. What will the DPO do?
GDPR specifically provides that:
• Must be involved, properly and in a timely manner, in all issues relating
to data protection
• Advisory role
• Monitor compliance with GDPR and other DP legislation including
internal policies
• Contact point for ICO and data subjects (contact details published)
• Advise on DPIAs
• Expert knowledge of data protection law and practices
• Need active support by senior management – must report directly to
highest management level
• May not be dismissed or penalised for performing tasks
13. Do we need to appoint a DPO?
Article 37(1) GDPR sets out when you must appoint a DPO
1. Processing is carried out by a public authority or body (except
courts)
2. Core activities involve regular and systematic monitoring of
individuals on a large scale
3. Core activities involve processing sensitive personal data (or data
relating to criminal convictions and offences) on a large scale
EU or national law may require appointment of DPOs in other situations
14. Working with third party data processors (1)
Some aspects of DPA will apply directly to data processors:
• Implement appropriate security measures
• Report breaches to data controller (not to the ICO)
• Appoint Data Protection Officer (where required – see earlier slide)
• Keep records of processing
15. Working with third party data processors (2)
Data controllers are required to seek guarantees – in particular, specific
provisions must go into contracts with data processors.
• Only to process data on instructions of data controller, and keep data
secure (not new)
• More detail about the processing (including duration)
• Comply with data controller’s requirements on transferring data
outside of the EEA
• Ensure staff are under a duty of confidence
• Assist controllers to comply with subject access requests
• Obtain authority to appoint sub-processors (and pass on obligations)
• Appoint DPO (if required)
• Return or delete data at end of agreement
• Demonstrate compliance and allow the data controller to audit
16. Other changes
Greater rights for individuals including:
– Right to be forgotten
– Right to object
– Right of access (subject access request) now within one month and
cannot charge a fee
• Data privacy impact assessments
• Mandatory reporting of security breaches within 72 hours unless the
breach is unlikely to result in a risk to the rights and freedoms of
individuals
• “Notification” (i.e. registration) abolished
17. What next?
• Audit
• Mapping exercise?
• Our view is that key areas of focus should be:
– Data protection policy, privacy policy
– Collection of consent and fair processing information
– Data retention policy
– Record keeping
– Agreements with data processors
– Training of staff in data protection compliance