The general data protection regulation (GDPR) is a new law enforced by the EU that will replace the current data protection act on 25 May 2018. It is essential that charities ensure that they are ready for the change.
It is the biggest change to data handling laws in over 25 years, and means that all organisations will have to comply with the new processes of handling personal data. Brexit is very unlikely to have much of an impact on the adoption of the GDPR in the UK, so compliance is a must.
The changes in regulation can be confusing to decipher, so we’ve broken down the main points about how the GDPR will impact charities:
‘Valid consent’ must be explicit
You must explain clearly why you are collecting any personal data and exactly how you will use it, and if a charity wants to make this information available to a third party, it must have the permission of the person whose data it is. A clear affirmative action, such as filling out a form or actively ticking a box, would be enough to signify this. User silence or pre-ticked boxes will not be deemed suitable, as they are not considered positive actions that signify consent.
Can a charity remain on an ‘opt out’ policy?
It remains up to the charity to adopt an ‘opt-in’ or ‘opt-out’ approach; however, it must meet the lawful conditions for direct marketing. Charities will still be allowed to send post or make calls to unregistered individuals, but only on the condition that they can prove the ‘legitimate interest’ of the receiver. A charity’s desire to further its own cause must never override that of the individual, and the individual’s right to say ‘no’, or ‘opt out’, must always be respected above all else.
Users can access their own data
A key change is that individuals who have had their data recorded by a charity can, at any time, make a subject access request to check the data and what it is being used for. They can also ask to be withdrawn at any time and their data must be totally erased from all records.
Protect against data breaches
The amount that the ICO can fine organisations for data breaches will be increased, and charities have an obligation to report certain data breaches if they occur. Charities must ensure that they have a system in place to detect, report and investigate all data breaches.
If you are still concerned about what changes you’ll need to make to get ready for the GDPR, the ICO and the Institute of Fundraising have both published guides on what changes your charity needs to consider.