General Data Protection Regulations – Preparing for the Data Protection Reform
16-Jan-2018
The revisions for Data Protection laws are due to take effect from 25th May 2018, and organisations are being advised to start preparing for the changes.
Every organisation that handles and works with personal data will soon have to comply with the new General Data Protection Regulations (GDPR), which come into effect on 25th May 2018.
This includes charities and voluntary organisations.
Preparing for GDPR can seem daunting, as it can be difficult to know where to start.
The Information Commissioner’s Office (ICO) is the UK’s independent authority, which works to uphold information rights in the public interest. It promotes openness by public bodies and data privacy for individuals.
To help individuals and organisations take the right steps to prepare for when the GDPR rules come into effect, the ICO has produced a 12-point plan that can be used as comprehensive advice and guidance.
Below is a summary of what you need to know, as advised by the ICO:
1. Make sure the right people in your organisation know this is coming
Your trustee board and senior staff have to be aware that the law is changing, as they will need to know enough to make the right choices about what you need to do to put GDPR into practice. They need to be aware that implementing it could take time and effort, and they should add data protection to your Risk Register or any other risk management process you have.
2. Identify what data you hold and where that data came from
If you don’t know what personal data you hold and where it came from, you need to start recording how data is collected in each area of your organisation to find out.
This covers all personal data, including that of employees and volunteers, service users, members, donors, supporters and others.
Document your findings, as GDPR requires you to keep records of your processing activities. You must also record whether you share data with any third parties.
3. Update your privacy notices
You must always tell people in an easy-to-follow manner about how you intend to use the information they give you.
Privacy notices are the most common way to do this. Privacy notices on your website are a good example, but they still need to be reviewed and updated where necessary.
According to the Data Protection Regulations which will be coming into effect next year, privacy notices must include additional information, such as how long you will keep data for and the legal basis on which you process it.
The ICO has guidance on GDPR compliant privacy notices to help with this.
4. Check your processes meet individuals’ new rights
The new Data Protection Regulations give people more rights over their data, including the right to have their personal data deleted.
Would you be able to find the right data to do this? Who is responsible for making sure this happens?
The ICO has good guidance and advice to help you understand individuals’ rights and to help you prepare for this.
5. Know how you will deal with ‘Subject Access Requests’
The people and organisations you work with have the right to know what data you hold on them, why this data is being processed and whether it is shared with any other organisations or third parties.
They also have the right to be given this information in a permanent form, such as a paper or ‘hard’ copy.
This is known as a Subject Access Request.
Your organisation needs to recognise when an access request is being made, find all the data being requested, and comply within one month of receiving the request.
The ICO again gives good advice on handling access requests.
6. Identify and document your ‘lawful basis’ for processing data
To legally process data under GDPR you must have a lawful basis to do so.
For example, you might process personal data because it is required to deliver a contract you have with an individual, and you would still need a lawful basis to do so.
There are several possible lawful bases for processing data and, more importantly, different lawful bases give individuals different rights.
If you rely on consent or permission from someone as your lawful basis, individuals have stronger rights to have their data deleted.
To help you understand and record your lawful basis for processing data, the ICO has guidance on lawful basis.
At the time of writing, the ICO is continuing its work to help you prepare for the new regulations, and has produced practical advice on how to comply with existing regulations, how to improve data protection practices in your business, how to keep employees’ and customers’ personal information secure, and how to get ready for the upcoming data protection reforms.
The booklet Preparing for the General Data Protection Regulation (GDPR), written by the ICO, goes into more detail about the full 12 steps you can take now to prepare for GDPR, which will apply from 25th May 2018.
For more information visit the ICO website.
MVA also provides a Data Protection Self-Assessment Toolkit. Written by the ICO, it contains checklists to help you check that your organisation complies with the Data Protection Act and find out what you need to do.