The Regulation will mean significant changes in the current Data Protection law and a much tougher enforcement regime.
They note that in 2017 a number of high profile charities have fallen foul of the Information Commissioners Office (or ICO) with many receiving substantial fines under the current arrangements.
Scott – Moncrieff argue that charities will need to effectively manage the personal data they hold in order to ensure they can continue to deliver their services and raise money, while avoiding the significant fines under the Regulation.
They further note that the following charities have been fined under the current Data Protection Act:
- The International Fund for Animal Welfare – £18,000
- Cancer Support UK (formerly Cancer Recovery Foundation UK) – £16,000
- Cancer Research UK – £16,000
- The Guide Dogs for the Blind Association – £15,000
- Macmillan Cancer Support – £14,000
- The Royal British Legion – £12,000
- The National Society for the Prevention of Cruelty to Children – £12,000
- Great Ormond Street Hospital Children’s Charity – £11,000
- WWF-UK – £9,000
- Battersea Dogs’ and Cats’ Home – £9,000
- Oxfam – £6,000
The current limit for ICO fines is £500,000, however, this will increase to 20 million euros or 4% of revenue under GDPR.
A sample of activities that led to these charities being fined by the ICO includes:
- Profiling potential donors based on their wealth and hiring third parties to discover more information about donors’ wealth and background than had originally been provided.
- Sourcing information on donors to ‘fill in the blanks’ for any information they did NOT provide.
- Illegally sharing information on donors with other charities, no matter what the cause.
Quote from the Information Commissioner:
“These fines draw a line under what has been a complex investigation into the way some charities have handled personal information. While we will continue to educate and support charities, we have been clear that what we now want, and expect, is for charities to follow the law”.
GDPR brings the Data Protection Act into the 21st century by seeking to protect data subjects from the inappropriate or unauthorised sharing of their data. Below are just a few of the key areas that charities need to consider where GDPR will strengthen or change the Data Protection Act:
- The requirement to appoint a Data Protection Officer (for certain types of organisation)
- Changes to how consent can be obtained from individuals for the use of their data. For example, data subjects will have to explicitly ‘opt in’ to allow their data to be shared, and it must be made clear to them exactly how their data will be used
- The introduction of new rights for data subjects, including the right to be provided with a copy of their data so they can move it to another organisation (data portability) and the right to be forgotten (data erasure)
- GDPR is also clearer around the need to ensure that data is being held only for the purpose that it was gathered, and that it is also being deleted when it is no longer needed.
In addition to addressing the above changes, GDPR also makes certain activities mandatory: These include:
- Providing new and existing staff with suitable training and awareness, as well as additional sources of guidance and support when required
- Conducting Data Protection Impact Assessments (or DPIA) in order to design data privacy into any new systems and processes. This is of particular importance if new technology is being deployed, where there is processing on a large scale of the special categories of data, or if profiling operations are being performed which are likely to have an impact on individuals;
- Notifying the ICO within 72 hours of a data breach
- Holding those at executive management and board level accountable for compliance, requiring them to produce and maintain documents that demonstrate what actions have been taken to achieve compliance.
Scott – Moncrieff note that GDPR represents a serious challenge for many organisations, particularly for charities that are dependent on their donor databases and hold large amounts of sensitive information on vulnerable individuals. Trustees and executive leadership are accountable for compliance with the new law and it is critical that they take steps now to ensure their organisations are ready for 25 May 2018.