
The General Data Protection Regulation

If you hold any data about individuals for the purpose of your organisation's activities, you are almost certainly going to be subject to data protection regulations. It's a complex area of the law that you simply must be on top of, with severe penalties for breaches as well as the potential for damage to your organisation's reputation.

But it's not just about leaving a file containing personal information on a train, although we've all read about hapless civil servants and others doing things like that. The data protection regime places the rights of the individual first, and organisations handling their data must have a legal basis for doing so and must look after the security of that information, as well as keeping it up to date and producing it for inspection or deletion if requested.

Organisations must therefore have the systems and resources, as well as trained staff, to handle data with these precepts in mind. And with GDPR the expectations are even greater!

Contact us here to discuss your needs and how you can get ready for GDPR.


In what constitutes the first major review of the UK's domestic data protection regime since the Data Protection Act 1998, the European Union introduced the General Data Protection Regulation ('GDPR') with effect from 25 May 2018. The Regulation has been fully adopted by the UK and will form part of UK law after the country's exit from the EU. It also applies to organisations outside the EU that process the personal data of individuals in the EU, and so will cover many of the companies UK based organisations use for backing up data or providing email platforms, such as Mail Chimp, as well as partner organisations overseas.

Much of what is regulated by the GDPR was already covered by pre-existing regulations. For charities, compliance is even more important with the recent launch of the Fundraising Preference Service, which allows those on your mailing lists to opt-out of receiving communications from you, and obliges you to remove them from your database.


The regulations and guidelines include a lot of very general principles and recommended behaviours. After all, they are intended to apply to the activities of many thousands of organisations handling all sorts of data for a multitude of reasons. But every organisation is different, with its own systems, staff, resourcing levels and needs when it comes to data management. For that reason, a tailor-made approach is recommended - one that works for you and the way in which your organisation operates.


An organisation that can demonstrate that it has used its best endeavours, given its size and resources, to manage data properly will obviously be looked on more favourably by the Information Commissioner (who regulates data protection in the UK) should problems arise. However, the overriding purpose of data protection regulations is the protection of the individual whose data is being handled - both in terms of what data is held on them and the security of that data - and that, rather than what is convenient, is what organisations have to focus on.


A brief overview of GDPR gives a flavour of its scope and implications for organisations of all kinds:


  • The regulations affect any organisation holding personal data about individuals in the EU.

  • This includes (but is not limited to) HR records, customer and client records and anything that can identify an individual, including email addresses, hard copy files or photographs. It also includes opinions or actions relating to that individual, so holders of data need to be aware that information such as comments or observations about a person is disclosable to that person.

  • Charities must have explicit, informed consent to send marketing, promotional or fundraising communications to supporters and donors by email or text - there is a little more flexibility for commercial entities, but not much. Where consent is relied on, individuals have the right to give, withhold or withdraw it, both for the purposes for which their data is held and for the length of time it is held. Accordingly, it's important to make sure you have a legal basis for handling data and a published privacy policy that is wide enough to meet your needs, but not so wide as to be unreasonable.

  • They also have the right to know what data is being held about them (in order for their consent to be informed), so organisations holding that information must be able to retrieve it for inspection or deletion.

  • The GDPR retains the definitions of data controllers and data processors. As the principal holder of information, an organisation will be deemed a data controller, and third parties with whom that data is shared (such as mailing houses or event organisers, for example) would be data processors. The data controller remains responsible for the way in which a data processor handles the data on its behalf.

Another thing for some charities or trusts to bear in mind: a data controller must be a legal person or entity. In unincorporated organisations (those that are not companies or other incorporated bodies), the controllers would be deemed to be the trustees, who would be personally liable.

This summary, updated on 1 June 2018, should have given you an idea of the issues involved, but for a no obligation chat about the impact of GDPR on your organisation, contact Jon Benjamin here.
