Are you ready for new data protection laws?
- Charities will have to comply with new data protection rules from 2018
- The General Data Protection Regulation (GDPR) will introduce new requirements for those processing personal data and tougher penalties for data breaches
- We explain what charities need to know about the GDPR
Charities are under significant pressure to act responsibly with people’s personal data.
There have been instances, highlighted in the media, in which charities have failed to handle sensitive data properly, and the penalties for such failings are set to increase under new EU data protection rules.
In this article, we discuss what your charity needs to know about the EU General Data Protection Regulation (GDPR) – which will replace the Data Protection Act when it comes into force in May 2018 – and explain how it may impact your organisation.
GDPR – the key changes
The GDPR will introduce a number of changes affecting organisations responsible for processing personal data, including:
- A requirement to report data breaches to the Information Commissioner’s Office (ICO) within 72 hours of discovery
- A broadened definition of personal data (see boxout), including online identifiers, such as a person’s IP address
- A requirement to obtain parental consent for processing the data of children under the age of 16 (there will be exemptions, e.g. charities that offer confidential helplines)
In addition, the penalties for data breaches could be far greater.
The biggest fine the ICO has handed out for a data breach is currently £350,000; under the GDPR, however, organisations could face penalties of up to €20m for serious breaches.
Yasmin Durrani, Data Protection Officer at Zurich, says: “The higher penalties will represent a risk for charities, although I don’t think the ICO will start issuing huge fines to charities in the first instance, unless they have knowingly been guilty of misconduct.
“If charities get the basics right, the risks may be lowered considerably.”
Developing robust systems for processing data
So, what should you do to ensure your systems for processing personal data are robust?
Durrani says: “First of all, you need to understand what data you process, so that you can classify it. Not every type of data will be personal and therefore within the scope of these regulations.
“You should have robust retention schedules, which specify the retention period for each type of data. Ensure that you only keep personal data as long as it is necessary.
“The next step is to understand where geographically your data is kept. As part of this, you should consider carefully all your arrangements for sharing data with third parties.”
How different sizes of charity will be affected
Before deciding whether you need to do anything differently to comply with the GDPR, examine its details carefully, as some of the new requirements will apply only to larger organisations.
Durrani says: “Organisations that carry out regular and systematic monitoring of individuals on a large scale are required to appoint a Data Protection Officer, as well as comply with certain requirements regarding record-keeping.”
Educate on data breach notification requirements
You should ensure that your staff and volunteers are aware of the requirement for reporting data breaches within 72 hours – and that they understand what constitutes a data breach.
Durrani says: “If an employee or volunteer sends an email to the wrong person, quickly identifies their mistake, and then resends the email to the right person, they will often not consider that a data breach, but this kind of incident should be reported.
“It’s important that you give your staff the tools to report data breaches, but also the confidence that they will not face repercussions for doing so.”
Protecting data isn’t just about complying with rules
Although the GDPR will not come into force for another two years, the management of data remains a vital issue for charities today.
Durrani says: “Data analytics can help you to discover and explore new markets, and if you are really serious about running an efficient organisation that will grow and flourish, you need good governance and good standards of managing data – it’s the key to your long-term sustainability.”
Durrani will be talking more on this topic at the Insurance Risk Europe Forum 2016, which takes place on 29 November.
The ICO has also published an overview of the GDPR.