There is a lot of chatter out there at the moment about GDPR, as well as a rapidly expanding portfolio of training events, some of which come with eye-watering price tags. You should not underestimate the importance of GDPR and the processes you will need to implement to become compliant by May 2018. However, before you rush out and spend all of your training budget, it is worthwhile going through the current advice and information from the Information Commissioner’s Office, and use the tools that have been made available to assess your organisational readiness. It is also worthwhile noting that there are a number of organisations out there who are or will be providing free or low-cost training to Third Sector organisations, and that guidance on some parts of the Regulation are still to be published.
I have (having to get to grips with it myself) laid out the basics of where to find information, and what is important.
What is GDPR?
GDPR = General Data Protection Regulation
The GDPR is replacing the UK’s 1998 Data Protection Act. It applies to all EU countries, and will still apply to the UK after we leave.
When is it coming?
It comes into force on the 25th May 2018
This is not the start date for getting your house in order, but actually when your house needs to be in order. This is the ultimate of spring cleans.
Does it affect me?
If you hold or process information on employees, clients, donors, and suppliers then you will have to ensure you are compliant with the new regulations. So, most likely, yes.
What happens if I don’t comply?
There are penalties for non-compliance which can vary in severity, so it is in your best interests to ensure you are compliant. What is new about the GDPR is the Accountability Act is that it requires you to demonstrate the technical and organisational measures you have put in place to become compliant.
Information on how to evidence compliance can be found here
If you have a question or are worried about your level of compliance at any stage you can also call the ICO helpline.
Who Should Be Involved
A Data Protection Officer: It is highly recommended that you appoint a Data Protection Officer (which can be an existing member of staff), and depending on the data you hold and process the appointment of a Data Protection Officer is mandatory.
There is guidance available (about halfway down the page) about the role of the DPO and when one should be appointed here.
Trustees: This should be on the Trustees agenda to ensure they are doing what it takes for the organisation to become compliant and that they understand the implications of non-compliance and how the GDPR may impact the organisation operationally.
Everyone: Staff and volunteers are responsible for ensuring they follow the regulation and best practice for holding and processing data.
What’s the difference between GDPR and the Data Protection Act?
You can read about the key areas of focus and changes to Individual Rights on the ICO’s website
One of the biggest updates to the regulation that will affect charities is around consent:
“Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.”
This is particularly important for marketers and fundraisers to be aware of, and guidelines on this, as well as other areas of the regulation, will be published in or before December 2017. The Institute of Fundraising has also written specifically to this point and you can find out more here and on the link below.
The ICO (Information Commissioner’s Office) has produced a handy document to help you prepare for GDPR’s arrival called 12 Steps to Take Now
You can conduct a GDPR organisational health check here.
The Institute of Fundraising has produced a guide for fundraising organisations which you can download here.