GDPR - General information



GDPR – General Data Protection Regulation

by Dominic Edwardes (Trollope Society) and David-Leigh Hunt (Keats-Shelley Memorial Association)

Please note that this is general information intended for guidance only, it does not represent legal advice. All societies should take action to ensure that they meet the specific legal requirements of GDPR.

What you need to know

GDPR replaces the previous Data Protection Act 1998, and is intended to give individuals control over their data and how it is used. The law is enforced by the Information Commissioner's Office (ICO). Enforcement of the law began on 25 May 2018. The law affects all organisations processing personal data, although there are exemptions from the registration fee and from some requirements for small organisations.

There are three main areas underpinning GDPR:

• transparency (clear, open)

• accountability (how you comply with the GDPR)

• governance (appropriately managed, awareness within organisations)

The principles of GDPR

Data processing must be:

• lawful

• adequate, relevant and limited

• retained no longer than necessary

• specific and for legitimate purposes

• accurate and current

• protected

• compliant

• data not to be transferred outside the European Economic Area unless the other country has an adequate system of data protection

The question is whether the society has a legitimate interest in storing the data in order to process transactions with an individual, or whether the individual has given consent to the society holding that data and using it for the purposes the society intends. Consent given for one service cannot be treated as consent for all other marketing and communications lists. The point, therefore, is that the individual is aware of, and consents to, data being stored for an identified purpose.

The requirement to demonstrate compliance is the new accountability principle. It is necessary to show how decisions are made and record the process.

What is personal information and sensitive personal information?

Personal information is data by which ‘A living person…can be identified directly or indirectly’. This includes name and address, telephone numbers, an ID number, location data, IP addresses (if they can be linked back to an individual ‘without undue effort’) and email addresses. There is no distinction between personal data about private, public or work roles.

Sensitive Personal Data is data that gives information on protected characteristics or attributes, such as health information, religious or similar belief or racial/ethnic origins, political opinions, sexual orientation/behaviour, or the actual or alleged commission of criminal offences.

Lawfulness of processing

There are four main categories by which data can be processed:

• Consent of the data subject. This is the main category for communications such as newsletters.

• Processing necessary to perform a contract with the data subject or to enter into a contract with them. This covers activities such as membership management and Gift Aid.

• Processing is necessary for legal compliance. This covers HR functions, pay and tax.

• Processing is necessary to protect the vital interests of a data subject or another person.

Consent

Where the lawfulness of processing is based on consent, the subject must have actively given consent.

Consent:

• requires a clear affirmative action

• must be verifiable

• can be withdrawn at any time

Consent is not:

• silence

• a pre-ticked box

• inactivity

This affects how the society collects and uses data. We cannot continue to contact people who have not actively opted in, and from whom we have not heard for a long period of time.

Enhanced rights of individuals

• Right to be forgotten – data should not be stored forever. It must be reviewed and deleted where appropriate.

• Right of access – to be given a copy of the data held about them on request.

• Right to have inaccuracies rectified – this includes making amendments on our systems, but if we have given the information to a third party, we have to inform them as well. Preferably, the society should not share data with other parties.

• Right to data portability – this allows individuals to obtain and re-use their personal data for their own purposes across different services (e.g. downloading monthly bank transactions to then upload to a price comparison site).

• Right to object to data processing – for direct marketing purposes, for example.

• Right to restrict data processing – to block/suppress processing of personal data. This means that you can hold the data, but cannot do any further processing with it.

• Need to refresh consent (timeframe not yet specified). Good practice will probably end up settling on between two and five years.

Data Protection Officer (DPO)

The DPO must be versed in the management and knowledge of data protection law. The DPO must report to the highest level of the organisation, and management must be proportionate to the organisation. This requirement primarily affects large organisations, but it would be desirable to appoint someone with specific responsibility in the society for GDPR.

Data breaches

All data breaches must be reported to the ICO within 72 hours. Breaches include accidental/unlawful destruction, loss, access, and alteration/disclosure of personal data. In the event of a data breach, the people affected must be notified and the organisation must document the impact and the remedies taken.

The sanctions for breaches are significant and include fines of up to 4% turnover for major breaches (up to 2% turnover for failure to comply). Individuals can claim for distress. There is a potential of custodial sentences for CEOs who wilfully and deliberately cause mass breaches. Previous ICO sanctions under the DPA were mainly around health and marketing.

Children

There is a requirement for parental/guardian consent for children under 16 (this may be lowered to 13 by the UK government). Parental/guardian consent is not required where the child is accessing counselling/preventative services.

This is unlikely to affect literary societies, although it is recommended that there is a minimum age of 18 years for membership.

Challenges for literary societies:

• Website – ensure all data collected via the website is on an opt-in basis, or is processed to perform a business contract (i.e. membership).

• Email lists – electronic newsletters should be sent out using a system which meets the requirements for the recipient to manage their communication preferences.

• Local groups – these may hold data used to communicate by email with members attending groups. This is a risk as they may not have clear records of when and how people opted in, or of how long people have been on the list without responding. It is recommended that all email lists are moved onto the Mailchimp system and that no local group be allowed to send group emails except via Mailchimp.

• Suppliers – societies need suppliers to confirm they comply with the GDPR. This includes mailing houses and website developers.

• Security of data – societies need to adopt a process for transferring personal data securely, such as a system of sending a link to a password-protected file, rather than the file itself.

• Former members – it is no longer acceptable to continue to contact former members for significant periods after their membership has lapsed. It is recommended that membership renewal mailings continue for one year after a lapse and then data is deleted.

Consent and legitimate interest as a lawful basis

There are six lawful bases for processing personal information. For fundraising and marketing communications only two are relevant – consent and legitimate interest.

Consent needs an individual to freely take an affirmative action to tell us how they want us to communicate with them. For email, the only option is to use consent, because of the Privacy and Electronic Communications Regulations (PECR). This has been the case since 2003.

Legitimate interest can be used where the processing is necessary for the legitimate interest of an organisation and the legitimate interest does not outweigh the rights and freedoms of the individuals.

Legitimate interest is more flexible than consent. Direct marketing is named in the GDPR as an activity that can be processed under legitimate interest. Care is needed to frame an approach that ensures the data subject has given informed consent.

You cannot use both consent and legitimate interest as the lawful basis: if you ask for consent and do not receive it, it would not be fair to contact the supporter regardless.

What level of granularity will we go to for our permission statements?

There has been a lot of discussion about transfer of stored data to other organisations with a similar interest. This is not allowed unless the data subject has given consent to the data being shared with another organisation. A further point is that you cannot ‘bundle’ together different tasks; e.g. you cannot use consent to receiving a newsletter as the consent to being approached for donations.

How long will consent last for?

A decision also needs to be made as to how long consent will last for. The guidance from the ICO is that consent will not last forever and when working with a number of charities who were fined for Data Protection violations, the ICO said that two years was best practice. Other charities that I am aware of are working towards consent being valid for three years and a process for recapturing consent will need to be implemented.

How will we proceed with the renewing permission from supporters whom we want to contact via email?

There is a risk in emailing supporters to ask for their consent to email them in future. The ICO has fined a couple of companies for this, one being Flybe, for sending unsolicited emails trying to capture consent from potential customers.

How will we evidence consent?

The GDPR states that an organisation is accountable for being able to evidence consent. In other words, a society must have a paper trail demonstrating its compliance. Documents must include the capture of the permission statement, the privacy policy, the source of data capture and the date. The privacy policy must be kept updated and included with the documentation.
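The consent paper trail described above (permission statement, privacy policy, source and date), the two-year re-permission figure and the one-year retention of lapsed members can be turned into a small, repeatable audit. The following is an added illustration, not code from the authors or from any society; the record fields, the `audit` function, the member list and the constructed sample data (the `@example.org` addresses and dates) are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Timeframes taken from the guidance: consent is re-sought after two years,
# and lapsed members receive renewal mailings for one year, then are deleted.
CONSENT_VALID_DAYS = 2 * 365
LAPSED_RETENTION_DAYS = 365


@dataclass(frozen=True)
class ConsentRecord:
    """One entry in the consent paper trail: statement, policy, source, date."""
    email: str
    permission_statement: str    # the exact wording the subject agreed to
    privacy_policy_version: str  # which privacy policy was shown at capture
    source: str                  # e.g. "website form", "paper membership form"
    captured_on: date
    withdrawn_on: Optional[date] = None


@dataclass(frozen=True)
class Member:
    email: str
    lapsed_on: Optional[date] = None  # None means the membership is current


def consent_status(record: ConsentRecord, today: date) -> str:
    """Return 'withdrawn', 'expired' or 'valid' for a newsletter consent."""
    if record.withdrawn_on is not None and record.withdrawn_on <= today:
        return "withdrawn"
    if today - record.captured_on > timedelta(days=CONSENT_VALID_DAYS):
        return "expired"
    return "valid"


def may_send_newsletter(record: Optional[ConsentRecord], today: date) -> bool:
    """Email marketing needs opt-in consent (PECR); no record means no consent."""
    return record is not None and consent_status(record, today) == "valid"


def may_send_renewal(member: Member, today: date) -> bool:
    """Renewal mailings rest on the membership relationship, for one year after a lapse."""
    if member.lapsed_on is None:
        return True
    return today - member.lapsed_on <= timedelta(days=LAPSED_RETENTION_DAYS)


def audit(members: List[Member], consents: Dict[str, ConsentRecord],
          today: date) -> Dict[str, List[str]]:
    """Sort every member into the action the guidance calls for."""
    actions: Dict[str, List[str]] = {
        "newsletter": [], "repermission": [], "renewal_only": [], "delete": []}
    for m in members:
        record = consents.get(m.email)
        newsletter = may_send_newsletter(record, today)
        renewal = may_send_renewal(m, today)
        if not newsletter and not renewal:
            actions["delete"].append(m.email)      # no lawful basis remains
        elif newsletter:
            actions["newsletter"].append(m.email)
        elif record is not None and consent_status(record, today) == "expired":
            # Consent has aged out: seek it again, but not by unsolicited email.
            actions["repermission"].append(m.email)
        else:
            # Withdrawn or never given: membership contact only, no marketing.
            actions["renewal_only"].append(m.email)
    return actions


def sample_audit() -> Dict[str, List[str]]:
    """Run the audit over constructed sample data as of 1 June 2018."""
    today = date(2018, 6, 1)
    members = [
        Member("alice@example.org"),
        Member("bob@example.org"),
        Member("carol@example.org", lapsed_on=date(2018, 3, 1)),
        Member("dave@example.org", lapsed_on=date(2016, 9, 1)),
        Member("erin@example.org"),
    ]
    policy = "privacy-policy-v2"
    consents = {
        "alice@example.org": ConsentRecord("alice@example.org", "Email me the newsletter",
                                           policy, "website form", date(2017, 1, 10)),
        "bob@example.org": ConsentRecord("bob@example.org", "Email me the newsletter",
                                         policy, "paper membership form", date(2015, 3, 1)),
        "dave@example.org": ConsentRecord("dave@example.org", "Email me the newsletter",
                                          policy, "website form", date(2016, 5, 1)),
        "erin@example.org": ConsentRecord("erin@example.org", "Email me the newsletter",
                                          policy, "website form", date(2018, 1, 15),
                                          withdrawn_on=date(2018, 4, 1)),
    }
    return audit(members, consents, today)


if __name__ == "__main__":
    for action, emails in sample_audit().items():
        print(f"{action}: {emails}")
```

Each `ConsentRecord` keeps the four items the guidance says must be documented, so the audit output can be traced back to the evidence for every address. The `repermission` list is deliberately separate from `newsletter`: those people cannot be emailed until fresh consent is captured through another channel.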

Example of an information assets audit

| Data list | Lawful basis | Adequate, relevant, limited | Retained no longer than necessary | Specific and for legitimate purposes | Accurate and current | Protected | Demonstrate compliance | Actions |
|---|---|---|---|---|---|---|---|---|
| Membership lists | Legitimate interest | Yes | Need to delete records of lapsed annual members of more than 2 years | Yes | Annual member information is current. | The database is secure and not accessible online. Ensure data is secure in transmission. | Yes | Procedure for sending data to mailing house. Confirm mailing house compliance and deletion of data after use. |
| Website membership data | Legitimate interest | Yes | Need to delete lapsed members more than 2 years old | Yes | System in place for members to update details. | Yes. Confirm adequate server security with web developer. | Update Privacy Policy. | Confirm server security. Update Privacy Policy. |
| Website mailing list | Consent – opt in | Yes | Re-permission after 2 years | Yes | Yes. System in place to opt out and manage details. | Yes. Mailchimp systems meet requirements. | Yes | |
| Local lists | Consent – unclear how this was gained | Unknown | Unknown | Unknown | Unknown | Unknown | No | Conduct audit of local group lists. Migrate data to Mailchimp. Repermission. |

