Whatever size or structure your organisation is, if it collects and uses personal data (such as contact details) from donors, beneficiaries, volunteers, staff or any other individuals, the GDPR is likely to apply to you.


The General Data Protection Regulation (GDPR)

The GDPR is a new European law that has been introduced to improve and unify data protection across the EU. All member states will have to comply with the GDPR from 25 May 2018, so the GDPR will replace the Data Protection Act 1998 in the UK from that date. Any organisation that processes personal data of EU citizens will be required to comply with the GDPR, regardless of where the organisation is based globally, so the fact that the UK is due to leave the EU does not mean that the GDPR will not apply to UK organisations in the future.

The Information Commissioner's Office (ICO) will regulate the implementation of the GDPR in the UK.

Whatever size or structure your organisation is, if it collects and uses personal data (such as contact details) from donors, beneficiaries, volunteers, staff or any other individuals, the GDPR is likely to apply to you. It imposes specific legal responsibilities on those that are defined as 'data controllers' or 'data processors', so it's important that you determine whether your organisation meets the criteria for either or both of those definitions.

Key changes

While there are many similarities between the Data Protection Act and the GDPR, there are some key changes to be aware of, including:

  • a reduction in the number of data protection principles, from 8 to 6 (although they remain very similar in content to the 8 principles set out in the Data Protection Act), and a new overarching principle of accountability
  • a change of terms used, so that 'sensitive personal data' will be referred to as 'special category data' instead
  • a requirement for more detailed privacy notices to be provided to individuals when data is collected from them, including information such as the lawful basis that the organisation is relying upon to process that individual's data
  • the need for certain organisations to legally appoint a Data Protection Officer (if specific criteria are met)
  • enhanced data protection rights for individuals, including the right to erasure (also known as the right to be forgotten) and a new right of data portability
  • a requirement for consent to be 'opt in' (where the lawful basis for processing data is consent), rather than implied, and it must also be clear, specific and easily withdrawn
  • a duty for all organisations to report certain breaches of personal data within 72 hours of becoming aware of the breach
  • the need for some organisations to carry out a data protection impact assessment if their processing of personal data is likely to result in a high risk to an individual's rights
  • a significant increase in the level of fines that the ICO can impose for breaches of personal data

WCVA resources for you

WCVA can help you to prepare for the GDPR in a number of ways.

  • Free #Desktopdata webinars, developed with the ICO to address a range of essential topics that you need to be aware of when preparing for GDPR compliance
  • Training courses titled 'Introduction to data protection and the GDPR' and 'Practical preparations for the GDPR' (please note these courses have now been delivered, but keep an eye on our training and events pages for details of future dates)
  • An information sheet providing detailed guidance on the GDPR and the changes that it will introduce

You can also catch up with our #GDPRsk Twitter chat, or watch our short animated film: A quick guide to GDPR for the Third Sector.


County Voluntary Council support

Many local County Voluntary Councils (CVCs) are offering training sessions and workshops on the GDPR. Find your local CVC to get further information.

ICO resources

The ICO has produced a wide range of resources to help you work your way through various aspects of GDPR compliance. You can access their website, and you may find the following resources of particular use. Please note that the resources that are referred to as being for 'charities' are likely to be of use to all not-for-profit organisations, not just those that are registered charities.

Other guidance

A variety of other organisations have also produced guidance on the GDPR, which may be helpful to you during your preparations. As stated above, please note that resources which are referred to as being for 'charities' are likely to be of use to all not-for-profit organisations, not just those that are registered charities.

Coming soon

We are delighted to be working with the law firm Hugh James on the development of a suite of GDPR-compliant templates that third sector organisations will be able to adapt to their own requirements. These will include model data protection and document retention policies, privacy notices, and checklists for data protection audits and privacy impact assessments.

Keep an eye on WCVA's newsletter and website for updates on when the resources become available.


This content was produced by Anna Bezodis Training and Consultancy

Disclaimer: Although this content includes information of a legal nature, it has been developed for information purposes only and does not constitute legal advice or opinion as to the current laws, regulations or guidelines of any jurisdiction.