All organisations have two years to prepare for the substantial changes to the UK's data protection regime which will apply from 25 May 2018. The General Data Protection Regulation (GDPR) comes into force today, 24 May 2016. However, there is a two-year grace period before it applies in all member states from 25 May 2018.
What are the main changes charities need to be aware of?
- Consent from individuals to the processing of their personal data must be unambiguous and given by means of clear affirmative action. This is in addition to the current requirement that consent must be freely given, specific and informed, although it does not go much further than existing ICO guidance. Consent will not be considered to be freely given if an individual has no genuine or free choice, although there remains some uncertainty around consent that is given when a donation is collected.
- The deadline for subject access requests has been reduced from 40 days to one month and data controllers will no longer have the right to demand a £10 fee from applicants.
- Data controllers must notify the ICO within 72 hours if personal data has been lost, destroyed or accessed without authority and there is likely to be a risk to the rights of individuals. Individuals themselves will need to be informed if there is a high risk to their rights.
- The GDPR will apply to charities and other data controllers based outside of the EU if they offer goods or services to individuals in the EU or if they monitor the behaviour of individuals within the EU (this is likely to include monitoring through online cookies).
- For the first time data processors (and not just data controllers) will have obligations under the GDPR. Agreements with data processors will need to be more detailed.
- Individuals will have a right to be forgotten in certain circumstances and a right to object to processing (including profiling).
- Currently the maximum fine which can be imposed by the ICO is £500,000. This will increase significantly under the GDPR. The maximum fine available for a serious breach of the GDPR will be 4% of worldwide turnover or €20 million, whichever is higher.
What should charities be doing now?
- Charities should undertake a data protection focused audit to establish where the changes will affect day-to-day activities (such as fundraising, relationships with service users and compliance practices).
- Charities should review existing supplier agreements and data processing agreements. Depending on the contract term and practices in these agreements, some may need to be amended before 25 May 2018.
- Charities should review their internal policies (including their data protection policy) and procedures and consider how these need to be changed.
- Charities should consider providing training on the new requirements to staff.
What happens if the UK votes to leave the EU?
If the UK leaves the EU, it will need to offer an 'adequate level of protection', as determined by the European Commission, before data exchanges can take place from countries in the EU to the UK. The most straightforward way for the UK to do this would be to adopt key features of the GDPR. Therefore, even if the UK votes to leave the EU, our view is that it is likely that the UK will need to implement at least some of the key provisions of the GDPR.
Posted on 24/05/2016 in Legal Updates