A5: Data protection: Your charity's biggest risk?


Presented Tuesday 14 November at the NCVO/BWB Trustee Conference 2017

Published in: Government & Nonprofit
  2. Data Protection and preparing for GDPR
     NCVO, 14 November 2017

  3. Introduction
     Big developments in data protection in the last year – possibly more for charities than any other sector:
     • ICO issued monetary penalty notices to 11 charities
     • GDPR implementation 25 May 2018
     • Resulting changes to the Fundraising Regulator’s code and (at times confused) “guidance”
     • Replacement of PECR – new e-privacy directive
     • Data Protection Bill, published 13 September 2017
     A lot of changes required – but no fundamental changes in principle.

  4. Consent (1)
     • Biggest area of concern for data controllers at the moment.
     • Starting point – consent is not always required.
     • Legitimate interest is often a valid alternative to consent and will remain so under GDPR, except for public bodies – which will need to move to a more consent-based system.
     • Consent is, and will continue to be, the main route to processing sensitive personal data and to sending direct marketing electronically (email, text, social media, and non-TPS registered phone numbers).

  5. Consent (2)
     • In fact not much change and, contrary to popular myth, tick-box opt-in will not be the only way of obtaining consent.
     • Consent must be:
       – Specific (not new)
       – Informed (not new)
       – Freely given (more detail on this in GDPR)
       – Unambiguous (new, but doesn’t add much)
       – An affirmative act (new, but no change from current ICO guidance)

  6. Consent (3)
     • Key practical consequence is greater granularity:
     • GDPR requires separate consent for different processing “operations” (purposes) (e.g. fundraising, volunteering, wealth screening (?)). ICO draft guidance says this applies “wherever appropriate” and not if it is unduly disruptive. At a minimum, consent must cover all purposes.
     • GDPR says there must be consent for each activity. It is unclear what “activities” are, but they are assumed to include channels of communication. ICO draft guidance, however, says separate consent is not needed if the activities are interdependent (so they may not all need to be listed – better to do so if possible, in the privacy policy). At a minimum, consent must cover all activities.

  7. Consent (4)
     Other consent issues of note:
     • Opt-out versus opt-in? An affirmative act is required – it doesn’t have to be tick-box opt-in. If individuals freely give you their details and you offer them an opportunity to opt out of direct marketing, then you have lawfully obtained consent.
     • What if existing consent is not GDPR compliant? The key point is that you have consent for the activities you wish to undertake. If it is insufficiently granular, that seems unlikely to be top of the list for ICO compliance action unless there are other concerns.
     • How long is consent valid for? Two years is safe. Four to five years is probably safe – try to get evidence. Longer than that, only if there is specific justification.

  8. Consent (5)
     More consent issues of note:
     • Keep clear records to demonstrate compliance – what individuals were told, and when and how they consented
     • The right to withdraw consent must be stated at the time consent is collected
     • Giving consent must not be mandatory if buying goods or services (but, arguably, technically compliant if mandatory when giving a donation)

  9. Privacy statements/other communications with data subjects
     Generally more onerous requirements. Privacy statements or other communications with individuals must include:
     • Identity and contact details of the data controller
     • Purposes of the processing
     • Legal basis for processing (e.g. consent or legitimate interest – and what your legitimate interest is)
     • Recipients/categories of recipients of the personal data
     • Transfer of data outside the EEA
     • How long data will be held for
     • Existence of automated decision-making
     • Individuals’ rights
     • Right to lodge a complaint with the ICO
     • Right to withdraw consent
     The statement is an opportunity to achieve fairness.

  10. ICO guidance

  11. Data Protection Officer
     • GDPR requires data controllers and data processors to appoint a DPO – in relatively limited circumstances.
     • Careful analysis required.
     • If not mandatory for your charity, then it is sensible to appoint someone to lead on data protection issues, but possibly without the formal status of DPO.

  12. What will the DPO do?
     GDPR specifically provides that the DPO:
     • Must be involved in all issues relating to data protection properly and in a timely manner
     • Has an advisory role
     • Monitors compliance with GDPR and other data protection legislation, including internal policies
     • Is the contact point for the ICO and data subjects (contact details published)
     • Advises on DPIAs
     • Has expert knowledge of data protection law and practices
     • Needs active support from senior management – must report directly to the highest management level
     • May not be dismissed or penalised for performing their tasks

  13. Do we need to appoint a DPO?
     Article 37(1) GDPR sets out when you must appoint a DPO:
     1. Processing is carried out by a public authority or body (except courts)
     2. Core activities involve regular and systematic monitoring of individuals on a large scale
     3. Core activities involve processing sensitive personal data (or data relating to criminal convictions and offences) on a large scale
     EU or national law may require appointment of DPOs in other situations.

  14. Working with third party data processors (1)
     Some aspects of the DPA will apply directly to data processors:
     • Implement appropriate security measures
     • Report breaches to the data controller (not to the ICO)
     • Appoint a Data Protection Officer (where required – see earlier slide)
     • Keep records of processing

  15. Working with third party data processors (2)
     Data controllers are required to seek guarantees – in particular, specific provisions must go into contracts with data processors:
     • Only process data on the instructions of the data controller, and keep data secure (not new)
     • More detail about the processing (including duration)
     • Comply with the data controller’s requirements on transferring data outside of the EEA
     • Ensure staff are under a duty of confidence
     • Assist controllers to comply with subject access requests
     • Obtain authority to appoint sub-processors (and pass on obligations)
     • Appoint a DPO (if required)
     • Return or delete data at the end of the agreement
     • Demonstrate compliance and allow the data controller to audit

  16. Other changes
     • Greater rights for individuals, including:
       – Right to be forgotten
       – Right to object
       – Right of access (subject access request) now within one month, and you cannot charge a fee
     • Data privacy impact assessments
     • Mandatory reporting of security breaches within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
     • “Notification” (i.e. registration) abolished

  17. What next?
     • Audit
     • Mapping exercise?
     • Our view is that key areas of focus should be:
       – Data protection policy, privacy policy
       – Collection of consent and fair processing information
       – Data retention policy
       – Record keeping
       – Agreements with data processors
       – Training of staff in data protection compliance

  18. Lawrence Simanowitz
     Partner, Bates Wells Braithwaite
     Tel: 020 7551 7796