28 June 2017

General Data Protection Regulation: how does it affect charities?

We set out the key areas charities need to consider before the General Data Protection Regulation (GDPR) replaces the current Data Protection Act.

As most charities will be aware, the General Data Protection Regulation (GDPR) comes into force on 25 May 2018. This means significant changes to the current Data Protection law and a much tougher enforcement regime. 2017 has already seen a number of high-profile charities fall foul of the Information Commissioner's Office (ICO), with many receiving substantial fines under the current arrangements. As such, it is critical that charities effectively manage the personal data they hold in order to ensure they can continue to deliver their services and raise money, while avoiding the significant fines available under the GDPR.

In April 2017 alone, the following charities were fined under the current Data Protection Act:

  • The International Fund for Animal Welfare - £18,000
  • Cancer Support UK (formerly Cancer Recovery Foundation UK) - £16,000
  • Cancer Research UK - £16,000
  • The Guide Dogs for the Blind Association - £15,000
  • Macmillan Cancer Support - £14,000
  • The Royal British Legion - £12,000
  • The National Society for the Prevention of Cruelty to Children - £12,000
  • Great Ormond Street Hospital Children’s Charity - £11,000
  • WWF-UK - £9,000
  • Battersea Dogs’ and Cats’ Home - £9,000
  • Oxfam - £6,000

The current limit for ICO fines is £500,000; under GDPR, however, this will increase to 20 million euros or 4% of revenue.

A sample of activities that led to these charities being fined by the ICO includes:

  • Profiling potential donors based on their wealth and also hiring third parties to discover more information about donors’ wealth and background than had originally been provided.
  • Sourcing information on donors to ‘fill in the blanks’ for any information they didn’t provide.
  • Illegally sharing information on donors with other charities, no matter what the cause.

Quote from the Information Commissioner:

“These fines draw a line under what has been a complex investigation into the way some charities have handled personal information. While we will continue to educate and support charities, we have been clear that what we now want, and expect, is for charities to follow the law.”

GDPR brings the Data Protection Act into the 21st century by seeking to protect data subjects from the inappropriate or unauthorised sharing of their data. Below are just a few of the key areas that charities need to consider where GDPR will strengthen or change the Data Protection Act:

  • The requirement to appoint a Data Protection Officer (for certain types of organisation);
  • Changes to how consent can be obtained from individuals for the use of their data. For example, data subjects will have to explicitly ‘opt in’ to allow their data to be shared, and it must be made clear to them exactly how their data will be used;
  • The introduction of new rights for data subjects, including the right to be provided with a copy of their data so they can move it to another organisation (data portability) and the right to be forgotten (data erasure);
  • GDPR is also clearer about the need to ensure that data is held only for the purpose for which it was gathered, and that it is deleted when it is no longer needed.

In addition to addressing the above changes, GDPR also makes certain activities mandatory, for example:

  • Providing new and existing staff with suitable training and awareness, as well as additional sources of guidance and support when required;
  • Conducting Data Protection Impact Assessments (DPIA) in order to design data privacy into any new systems and processes. This is of particular importance if new technology is being deployed, where there is processing on a large scale of the special categories of data, or if profiling operations are being performed which are likely to have an impact on individuals;
  • Notifying the ICO within 72 hours of a data breach;
  • Holding those at executive management and board level accountable for compliance, requiring them to produce and maintain documents that demonstrate what actions have been taken to achieve compliance.

GDPR represents a serious challenge for many organisations, particularly for charities that are dependent on their donor databases and hold large amounts of sensitive information on vulnerable individuals. Trustees and executive leadership are accountable for compliance with the new law and it is critical that they take steps now to ensure their organisations are ready for 25 May 2018.

If you would like any help ensuring your compliance, or if you would like to discuss GDPR further, please do not hesitate to contact either Fraser Nicol or Liz McLean on 0141 567 4500.
