The General Data Protection Regulation (GDPR)
Overview of the new regulation
The GDPR is a set of new regulations governing the control and processing of personal data. The regulations cover the storage, use and transfer of information about living people who can be identified. The ICO has produced a short briefing on what personal data is and how to identify whether you are holding personal data.
There are some similarities between the new GDPR and the older Data Protection Act 1998 (DPA). So if you are complying with the DPA, it should be relatively straightforward to move towards compliance with the GDPR.
If you are involved in fundraising which makes use of personal data, you will need to refer to the latest guidance on data protection and fundraising. The Fundraising Regulator has provided guidance which can be read alongside the Information Commissioner's Office (ICO) guidance on direct marketing. You may also find the Spotlight Series from the Institute of Fundraising useful.
What are the key areas to consider with GDPR?
Consent should be freely given, specific, informed and unambiguous. Where people are asked for consent, a positive opt-in is a way of demonstrating an individual's wishes. Consent should not be inferred from silence, inactivity or pre-ticked boxes.
The ICO has produced a short 12 Step Guide on preparing for the GDPR.
NCVO Know How has useful guidance on GDPR. A great complement to the ICO guide; I recommend the recorded webinar.
Summary of the main areas of change
Ensure that key decision makers and people in your organisation are aware that the law is changing to the GDPR, and of the likely impact this will have on your group or organisation. A range of free GDPR infographics is available to help raise awareness of the new regulations.
Information you hold
Document the personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Communicating privacy information
Review your current privacy notices and plan how you will make any necessary changes. It is important to be able to show that you have been working within your organisation or group to meet the GDPR, should you be asked to demonstrate this. The ICO has produced guidance on privacy notices.
Check your procedures to ensure they cover all the rights individuals have. This should include, for example, how long you keep people's personal data, how you would delete personal data, and how you will share personal data with individuals when they request it, in a commonly used format. The ICO has produced guidance on the rights of individuals.
Subject access requests
Put in place a mechanism for how you and your organisation will handle requests to view personal data you hold about an individual, including the timescales for meeting such requests. The ICO has drafted more detailed guidance on dealing with access requests, or see this summary poster.
Lawful basis for processing personal data
Identify and document your organisation's lawful basis for collecting and processing personal data, and update your privacy notice to explain it. The ICO has written more detailed guidance on what constitutes a lawful basis.
Review how you gain, record and manage consent, and whether your organisation or group needs to change how you obtain it in order to meet the GDPR. Information on what form the consent could take has been drafted by the ICO.
You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity. The GDPR says children under 16 cannot give consent (although this may be reduced to 13 in the UK). The ICO has published guidance on this.
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. The ICO has provided an overview of the process.
Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments and work out how and when to implement them in your organisation. The ICO has provided advice on how to do this.
Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer. The ICO has provided guidance on accountability and governance.
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority.