Subscribers | Charities Management magazine | No. 127 Summer 2019 | Page 3
The magazine for charity managers and trustees

The importance of charities complying with GDPR

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. Last year, the date put fear into many organisations, but was it really such a big deal, particularly for charities?

In short – yes. It was a big deal, and still is.

GDPR is policed by the Information Commissioner’s Office (ICO). In her annual report for 2018/19, Elizabeth Denham, the Information Commissioner, said: “The GDPR brought in a step change in how organisations approach data protection. It increased the onus on organisations to take a proactive approach to data protection, identifying what risks they were creating through their use of data, and working to reduce and mitigate those risks. The greater enforcement powers granted to regulators helped to establish compliance as a board level issue.”

Hefty fines

The ICO has broad powers, including the ability to impose hefty fines, and no organisation is exempt: one recent fine pushed a business into insolvency. Even before GDPR, the ICO fined charities for failures in data protection, sometimes quite heavily, so there is absolutely no way now, under GDPR, that charities will escape punishment for failure to comply.

Staying compliant with GDPR is an ongoing task that should form part of everyday compliance, not dissimilar to managing the finances, but there is no reason to be fearful because being compliant for most charities is straightforward.

GDPR IS ABOUT PERSONAL DATA, NOT ALL DATA. GDPR relates only to personal data: data about living persons (critically, not businesses or other charities or trusts) that can be used to identify a specific person. Anonymised data is not captured by the regulation, which is helpful for those with data sets used for market research and statistical purposes.

AN INFORMATION AUDIT – BEING CONSCIOUS OF WHAT DATA IS HELD AND WHY. All charities should (by now) have completed an information audit of personal data.

For the vast majority of small to medium sized charities, the process isn’t too arduous. It means looking at all the touchpoints with personal information (including CCTV images) and listing them. So, for example, for an animal rescue centre:

  • Visitor records.
  • CCTV security recordings.
  • Employment records.
  • Adopter records.
  • Personal donation records.
  • Marketing database.

At each of these touchpoints, analyse what data is captured and decide why it is recorded.

Six legal bases

There are six legal bases for storing and processing personal data. The three that most charities should focus on are:

  1. To fulfil a contractual obligation.
  2. For compliance with a lawful obligation.
  3. For the legitimate interests of the organisation (which can include the commercial wellbeing of the organisation, such as promoting donations through direct marketing).

Where a charity believes that legitimate interests is the lawful basis for processing, it must perform a balancing exercise, considering whether the rights and freedoms of the individuals are adversely impacted by the proposed processing. If they are, then an alternative legal basis is needed.

Charities can rely on the fourth basis, “consent”, but should avoid relying on it if at all possible because consent can be withdrawn. Note, however, that if the data is “special category data”, express consent to store and process it is nearly always necessary. (Specialist legal advice should be sought on this.) Special category data includes race, sexual orientation and health.

For completeness, there are two further bases (six in total) that relate to public tasks and vital interests, but organisations should be very wary of relying on these as legal bases for processing.

HAVE A PRIVACY POLICY AND KEEP IT CURRENT. After your charity has completed the information audit, a privacy policy should be published setting out the analysis along with how the organisation complies with GDPR. This can be in tabular form. Most organisations keep it on their website, where it can be easily updated as necessary.

How long data is kept

The privacy policy will need to explain how long data is kept for, how it can be updated or amended, and how data subjects (people!) should address any queries to the charity relating to their personal data.

DATA SECURITY. Ensure personal data is secure. This involves digital security, such as using complex passwords, and physical security, such as locking files, filing cabinets and offices. Only allow those staff who need to access the data to do so. Keep IT security up to date.

PROCEDURES FOR KEEPING DATA ACCURATE. This may be one of the hardest areas of compliance for charities. A one-off exercise to become GDPR compliant is one thing; finding the time (and volunteers) to keep everything up to date and accurate is another. But it is a fundamental principle of GDPR that data is accurate. The obligation is to take all reasonable steps, which allows charities to take cost and practicality into account.

However, reasonableness also reflects the importance of the data. If the data is being used to make decisions that are significant to a person, such as eligibility for a charitable benefit, reasonableness requires a higher standard of accuracy than for less consequential data.

DATA RETENTION. If a legal basis for holding data cannot be found, the data should be suitably destroyed, including any recoverable back-ups. If data was needed but is no longer needed, it should be suitably destroyed too.

REQUESTS TO ACCESS PERSONAL DATA. This is not new under GDPR, but organisations are still doing it badly. Handling of data subject access requests remains the most frequent complaint category to the ICO, at 38% of complaints.

Request handling procedure

One way to avoid a complaint to the ICO is to have a policy in place setting out the procedure for handling such a request, to test that procedure, and to keep a record of how well you dealt with each request so that you can continually improve your handling of access requests.

The main steps suggested for handling data subject access requests are as follows:

  • Acknowledge the request. At this stage, ask for any ID you may require to establish that the person is who they say they are, and for any further information you need to find the information they are looking for.
  • Locate the data they are seeking. Requests to access personal data can be wide-ranging and can cover all personal data your charity holds on that individual.
  • Compile the data and review it. Reviewing the data is of utmost importance. You need to check that it actually contains the individual’s personal data, and either seek the consent of anyone else identified in the data or redact their names, along with any confidential information, trade secrets, etc.
  • Provide the information to the individual. You must comply with the request within one month. You can extend this by up to two months where the request is “complex”. You must also establish how they want the data to be sent to them.

LIABILITY – STAFF TRAINING AND INSURANCE. Perhaps more worrying is the number of personal prosecutions of staff who have improperly used personal data held by their employer.

Reviewing the enforcement notifications published by the ICO shows a variety of reasons why staff chose to misuse personal data, often not malicious ones.

Proper staff training

Charity employers should ensure that their staff are properly trained in data protection. Staff must understand that personal data can only be accessed and processed for lawful purposes on behalf of their employer. Failure to do so could lead to the staff member personally facing sanctions and, by the doctrine of vicarious liability, leave the employer open to civil recovery for the harm caused to data subjects. Charity employers should discuss widening their insurance cover to include this as an insured loss.

Charities may feel that they are being subjected to really challenging requirements far removed from their core objectives. However, they should understand that their ability to achieve those core objectives could be significantly threatened by substantial fines in the event of a breach of GDPR.
