The General Data Protection Regulation (GDPR) comes into force on 25th of May 2018. If you’ve not started yet on the road to compliance, it’s not too late. Read our previous posts in our GDPR series for Charity Digital News:
Post 2 – Who is responsible for our data?
How much work is involved in getting ready for the GDPR?
Unfortunately, there is no set answer, as it depends on how compliant you are today with the current legislation:
- Data Protection Act, 1998
- Privacy and Electronic Communications Regulations, 2003
- Freedom of Information Act, 2001
It’s worth noting that the GDPR is a regulation and not a directive, which means it applies to ALL Data Processors and ALL Data Controllers that operate in the EU, and to those outside the EU that are processing data on EU citizens. The UK government has recently drafted its Data Protection Bill, which is going through the UK parliamentary process to become law; it will cover most of the same areas as the GDPR.
The regulation is made up of Principles, Articles and Recitals; essentially, the points are broken down further and further to make sense. There are very strong similarities between the principles in the GDPR and those of the Data Protection Act (DPA). We recommend focusing on reading up on the DPA and GDPR and ensuring that you understand how each affects your organisation.
It’s safe to say that all charities, no matter their size, have a fair amount of work to do to prepare for the GDPR – from audits to putting processes in place to training colleagues. Don’t forget that you should be on the way to compliance with the GDPR as of now; the 25th May is when it comes into force.
Do we need to register with the ICO and what is the cost?
If you process data of any kind, you are considered a Data Controller. This doesn’t refer just to “supporter data” but to things like trustees, employees, suppliers and volunteers; anything that could identify an individual is in scope. Therefore, we suggest that you do register with the ICO, as it is likely you are processing data as a Controller of some kind. When registering, if you are unsure what to put in the application, browse similar registered organisations to see what they have put. However, you will need to ensure that the data processing you declare covers all areas of your organisation.
There is a current requirement for you to notify the ICO of the data processing you are carrying out as a Data Controller (unless an exemption applies), explaining what personal data you collect and what you do with it. For example, if you process any monthly Direct Debit donations, then you will need to notify the ICO.
The fee for most organisations is currently around £35 for each company number, which is an annual registration fee. There are some exceptions to this which might make the payment higher, and you will need to register all company numbers if you operate across multiple entities.
Something to be aware of is the new Digital Economy Act (DEA), which will be coming into play. It will usher in a new method of funding the ICO’s operations. What this means for your organisation is that your fee may go up or down.
We are only a small charity, this is all so overwhelming – where should we start?
Setting up a working group to address the GDPR is a good place to start, along with appointing someone in the organisation to lead on data protection.
Then focus on the following three items:
1. Data Review/Audit – create a flow map of where all the data lies in your organisation. This can be done using tools such as Excel, Word, Visio or even by hand on paper. It’s better to have something rather than nothing, even if it is a crude drawing, as it is important to understand where your data is and who has access to it. To start, you can address the 5 W’s of Data:
- Why Is Personal Data Processed?
- Whose Personal Data is Processed?
- What Personal Data is Processed?
- When is Personal Data Processed?
- Where is Personal Data Processed?
This information can all live in the aforementioned flow map, which can then have layered access management applied to it. Essentially, it will be a visual diagram of where data is collected, how it is used and where it ends up.
2. Policy Review – review any current data policies that you have or draft them if there aren’t any in existence. Once you have those in place, seek legal approval. Policies are one thing but remember that you need to put the processes and procedures in place to implement them.
The first port of call would be to check whether you have any of the core policies below:
- Terms and Conditions (For Products/Services)
- Terms of Website Use
- Information Technology Policy
Secondly, it would be wise to assess how the GDPR will impact the following core areas:
- Identification of the DPO / DP Representative
- Data Subjects’ Core Rights
- Retention Policies / Guidance
- Risk Register
Tailor the policies to work with your organisation and try to seek legal advice for the final approval; this can often be done pro bono by some legal firms.
3. Training – ensure all staff are trained in data protection; however, those that have greater access to personal information need more thorough training than those who don’t have high access levels. The training could be delivered by an external person or by your in-house data protection representative.
- Face to Face Training
- Agreements and Testing
- Bespoke training for key “High” risk areas
A record will need to be kept of all training undertaken; it is suggested that this should be reviewed annually.
Steps 1–3 can form part of a project plan to address GDPR compliance in your organisation, along with nominating a project team to aid in its delivery. Small charities may want to set up a sub-committee or working group of their trustees to help project manage the work.
You need to walk the walk, not just talk the talk, so you need to demonstrate, through due diligence, that your organisation is covered, by carrying out data privacy impact assessments (DPIA). This means documenting your processing and ensuring that policies, processes and procedures are well understood across your organisation.
What help is available to my charity?
The good news is that there are lots of blogs, guides and help available, both online and offline. Some are free, for others you may need to register your email address to access the content, and then there are those you will need to pay for.
Some useful sources we recommend reading are:
- The ICO – in particular, the 12 steps of GDPR, the GDPR detail and the myth-busting blog.
- The IOF – in particular, the opt-in paper, regulation and compliance.
- Data Protection Network – in particular, the legitimate interests guide.
- IT Governance – in particular, training and audits.
There are third-party organisations which offer GDPR readiness services, but it would be worthwhile trying to ascertain the skill sets in your own organisation first before plugging the gap with external consultants. Some law firms will offer pro bono advice, especially for charities, so it’s worth reaching out to a few.
If you want a more official approach, then the ICO could come on site to your charity and review areas of your organisation. However, they will most likely frown upon nothing being in place, so make sure you have addressed some of the areas mentioned above before inviting them in.
The above article offers general advice based on our understanding of the facts and of guidance issued to date by various bodies; it in no way, shape or form constitutes legal advice.