This free Lasa webinar looks at why data protection is important in a digital world, and what practical things charities and civil society organisations can do to prepare for when the EU General Data Protection Regulations come into force in May 2018.
It is vital charities use the next 12 months to understand their new responsibilities and put the required processes in place.
Our webinar gives you the opportunity to ensure you are prepared for what’s to come by putting your #GDPR questions to our data protection expert and published author, Paul Ticher.
Lasa does lots more charity tech help and advice. Find out more on Twitter: @lasaict
Acknowledgements:
Lasa actively promotes and supports the Way Ahead – Civil Society at the Heart of London. See www.citybridgetrust.org.uk/publications/way-ahead/
This webinar is supported by the City of London Corporation's charity, City Bridge Trust. www.citybridgetrust.org.uk
4. About Lasa
• 30 years in the sector
• Technology leadership, publications, events
and consultancy
www.lasa.org.uk
• Welfare Rights
www.rightsnet.org.uk
5. Webinar Tips
• Ask questions
Post questions via chat or raise your virtual hand
• Interact
Respond to polls during webinar
• Focus
Avoid multitasking. You may just miss the best part of the
presentation
• Webinar PowerPoint & Recording
PowerPoint and recording links will be shared after the
webinar
6. Paul Ticher
• Data Protection expert, author and trainer
• Specialist in information management and
systems
• Many charity clients
Twitter: @PaulTicher
8. This presentation is intended to help you
understand aspects of the EU General Data
Protection Regulation and related legislation.
It is not intended to provide detailed advice
on specific points, and is not necessarily a full
statement of the law.
10. Privacy & choice
[Cartoon: speech bubbles reading “Give us more money!”, “Support our campaign!” and “But of course we told your social worker”]
What Data Protection is about: 2
11. Individual rights, such as:
• Right of Subject Access
• Right to opt out of direct marketing
• Right to compensation for harm
What Data Protection is about: 3
12. The current legal framework
EC Directive 95/46/EC
Data Protection Act 1998
Similar legislation in most other European countries
Privacy & Electronic Communications (EC Directive) Regulations 2003
Non-statutory Guidance and Codes of Practice, including:
Information Commissioner
Institute of Fundraising
13. The new Regulation
First draft January 2012
Extensive negotiations between Commission,
Parliament and Council over nearly four years
Final agreed draft December 2015
Published May 2016 (Reg. 2016/679)
Coming into force 25th May 2018
It’s a Regulation, not a Directive
14. Themes
“The processing of personal data should be designed
to serve [hu]mankind” (Recital 4)
More control over online services and large
commercial organisations, especially multinationals
Emphasis on reducing risk
Limited extension of individual rights
Data Controller evidence of compliance
15. Main changes include:
Definition of consent tightened up
… but still not always required
Tighter rules on children’s data (under 16), especially online
More transparency requirements
Data minimisation and pseudonymisation
More rights to have data erased
Provision for allocating responsibilities between joint Data Controllers
Data Processors carry more direct responsibilities
No registration: Data Controller has to keep records
Requirement to notify serious breaches
Bigger fines
Additional responsibilities on large organisations and those doing riskier processing
16. Consent
Consent is “any freely given, specific, informed and
unambiguous indication of his or her wishes by which
the data subject, either by a statement or by a clear
affirmative action, signifies agreement to personal
data relating to them being processed” (Article 4(11))
“Where processing is based on consent, the
controller shall be able to demonstrate that consent
was given by the data subject … ” (Article 7(1))
“Silence, pre-ticked boxes or inactivity should … not
constitute consent.” (Recital 32)
17. When is consent not required?
Similar conditions to now, including:
Processing is lawful [if it is] “necessary for the purposes
of the legitimate interests pursued by the controller or by
a third party, except where such interests are overridden
by the interests or fundamental rights and freedoms of
the data subject which require protection of personal
data, in particular where the data subject is a child. …”
(Article 6(f))
“The processing of personal data for direct marketing
purposes may be regarded as carried out for a legitimate
interest.” (Recital 47)
18. Where does this leave fundraising?
Definitions unclear: when does a communication
become marketing?
How does the fundraising Code relate to the
marketing provisions of the Regulation?
New Regulation does not rescind PECR
Therefore, consent is likely to remain the only reliable
basis for most direct unsolicited fundraising
Consent has to involve “clear affirmative action”
Therefore, are we looking at opting in only?
19. Tighter rules on children’s data
Children deserve specific protection … as they may be less
aware of risks, consequences, safeguards and their rights … .
This concerns especially the use of personal data of children for
the purposes of marketing or creating personality or user
profiles and the collection of child data when using services
offered directly to a child. … (Recital 29)
Where [consent] applies, in relation to the offering of
information society services directly to a child, the processing of
personal data of a child below the age of 16 years … shall only
be lawful if … consent is given … by the holder of parental
responsibility over the child.
20. More transparency requirements
(Articles 13 & 14)
Data Subjects must usually be made aware of:
the identity and the contact details of the controller
the purposes as well as the legal basis of the processing
where relevant the legitimate interests
any recipient(s); any overseas transfers
the storage period or criteria for deletion
right of access to data and rectification or erasure
right to withdraw consent at any time
the right to lodge a complaint to a supervisory authority
whether the provision of personal data is [contractually]
required [or] the data subject is obliged to provide the data and
… possible consequences of failure to provide [it]
21. Minimisation and pseudonymisation
Principle 3 now says data must be: “adequate, relevant and limited to what is necessary … (‘data minimisation’)”
Data protection by design and by default (Article 25)
stresses pseudonymisation as a security measure –
especially for things like ‘big data’ analysis
Pseudonymisation means that the person is still
identifiable but their identity can only be retrieved
with the use of additional data which is held
separately and securely
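The slide's definition of pseudonymisation, shown as an added worked example (not code from the webinar or from Lasa): direct identifiers are replaced by a keyed token, the working data set can still be analysed per individual, and only whoever holds the separately stored key and lookup table can get back to a name. The supporter records, field names and key are constructed for the illustration.

```python
"""Pseudonymisation as the slide describes it: the person is still
identifiable, but only via additional data (here a key and a lookup
table) that is held separately from the working data set.
Added example; records and the demo key are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample: a small supporter list a charity might analyse.
SUPPORTERS = [
    {"email": "alice@example.org", "postcode": "N1 9GU", "donated": 25},
    {"email": "bob@example.org", "postcode": "SE1 7PB", "donated": 40},
    {"email": "alice@example.org", "postcode": "N1 9GU", "donated": 15},
]


def generate_key():
    """Fresh random key; store it apart from the pseudonymised data."""
    return secrets.token_bytes(32)


def pseudonymise(records, key):
    """Return (pseudonymised records, re-identification table).

    The token is an HMAC-SHA256 of the direct identifier under `key`, so
    the same person always gets the same token (analysis can still group
    by individual) but the token cannot be reversed or recomputed without
    the key. The table and key are the 'additional data' to hold
    separately and securely."""
    table = {}
    out = []
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        table[token] = rec["email"]
        pseudo = {k: v for k, v in rec.items() if k != "email"}
        pseudo["supporter_id"] = token
        out.append(pseudo)
    return out, table


def reidentify(pseudo_record, table):
    """Only possible for whoever holds the separately stored table."""
    return table[pseudo_record["supporter_id"]]


def total_per_supporter(pseudo_records):
    """Analysis on the pseudonymised set alone: no identities needed."""
    totals = {}
    for rec in pseudo_records:
        totals[rec["supporter_id"]] = totals.get(rec["supporter_id"], 0) + rec["donated"]
    return totals
```

Note that the postcode left in the records is still a quasi-identifier, which is why the slide is careful to say the person remains identifiable: pseudonymised data is still personal data and the key and table need their own protection.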
22. Rights to erasure, etc.
Data Subjects have the rights to require:
Rectification of inaccurate data (Article 16)
Completion of incomplete data (Article 16)
Erasure (“right to be forgotten”), with exceptions,
but including removal of links (Article 17)
Restriction of processing in certain cases (Article 18)
Compensation for “material or non-material damage”
(Article 82)
Also the right to complain to the supervisory authority
23. Data Controller responsibilities
Technical and organisational measures to ensure full
compliance (Article 24)
Appropriate policies (including Data Protection by design
and by default) (Articles 24 & 25)
Records of processing – what, who, how, etc. (Article 30)
… but no registration (notification)
Joint Controllers must transparently “determine their
respective responsibilities” – but each can be “liable for
the entire damage” caused by a breach (Articles 26 & 82)
24. Data Processor responsibilities
(Article 28)
Data Controller still has responsibility to select
competent Processors
More detailed rules about what has to be in the
contract
Standard contracts should be available
Processor may be liable for breaches and other
compliance (many obligations refer to the “controller
or processor” – including processors based overseas)
25. Notification of serious breaches
(Article 33)
Must report (preferably within 72 hours) unless the
breach is unlikely to result in a risk to individuals
Individuals must usually be notified where the breach
is likely to result in a high risk to them
Processors must notify breaches to Controllers
26. Penalties
(Article 79)
Breaches subject to two levels of penalty, depending
on the breach:
€10 million or 2% of total worldwide turnover
€20 million or 4% of total worldwide turnover
(whichever is higher, in each case)
27. Large organisations & riskier activities
Impact assessments before starting innovative
processing (Article 35)
Data Protection Officer, with specified competence
and duties (Articles 37–39)
28. Selected other changes
Overseas transfers – slight loosening of the
conditions that legitimise transfers (Article 49)
Jurisdiction over multi-national companies operating
into Europe (including web-based) (Recital 101)
Scope for national variations in a number of places