GDPR: A Quick Guide to Compliance

 
Introducing… GDPR
A quick guide to understanding the basics
 
Introducing… ICO and GDPR
 
ICO - The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
GDPR - The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU)
 
What the ICO say about this...
 
'Many of the GDPR’s main concepts and principles are
much the same as those in the current Data Protection
Act (DPA), so if you are complying properly with the
current law then most of your approach to compliance
will remain valid under the GDPR and 
can be the
starting point to build from.
 However, there are new
elements and significant enhancements, so you will
have to do some things for the first time and some
things differently'
 
What is it?
 
GDPR - General Data Protection Regulation
This is a new EU law governing data protection, which will supersede the Data Protection Act 1998 (in the UK the Data Protection Act 2018 sits alongside it and fills in the national details)
It takes effect from 25 May 2018
It aims to give people more control over their data and allows them to request to see the personal data held on them
 
Why do you need to know about this?
 
Data protection legislation covers everyone about whom you keep personal data
This includes employees, volunteers, service users, members, supporters and donors
GDPR will not introduce widespread changes to existing law, but will increase the monetary penalties for non-compliance
 
Does Brexit affect this?
 
The quick answer is… No!
Despite the UK exiting the EU, the
British government has said GDPR will
still apply and charities must comply
This is why you must be ‘GDPR’ ready
This session can help you get ready
 
What will we do today?
 
Explore the basics
Help you relate this to your group or
organisation
Give you some practical tips to get
started
Share guidance and resources available
 
Some important definitions
 
Personal data - data about or relating to a living, identifiable individual
Data subject - the person the data is about
Data controller - the organisation that ‘determines the purposes’, i.e. decides to gather and use the information
 
Some important definitions continued…
 
Data processor - carries out specific tasks on the data on behalf of the data controller
Data processing - the collection, recording, treatment and storage of data
Data profiling - usually an automated process of evaluating personal aspects such as age or gender
 
Some important definitions continued…
 
Information Asset Owner - is responsible for identified data assets
Senior Information Risk Owner - is usually a board member and sets policy
Data Protection Officer - mandatory (Article 37) for public authorities, or where your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data or criminal offence data; other organisations may appoint one voluntarily
 
A simple process
 
1. Make everyone aware of this
2. Nominate a dedicated lead for this
3. List everywhere you store data
4. Create a simple explanation of why you need to hold the data - what's the purpose?
5. Contact everyone, explain this, and ask for their consent to hold their data (where consent is the lawful basis you rely on; GDPR also provides other bases, such as contract or legal obligation, and consent is not always the right one)
6. Update your data when you get their consent
7. Have this written down in a policy
 
1. Have you made everyone aware of this?
 
Board and trustees
Employees
Volunteers
Service users
Members
Supporters
Donors
Anyone else?
 
 
 
2. Who is your lead?
 
Nominate a lead for this
Invest in specific training for them
This is a difficult role and they will need support
Identify an expert you can work with if you have
specific issues or complexity
Name them as your contact person on your
website/in your policy
They can also be your lead for comments,
compliments and complaints
 
 
 
 
 
3. Where do you store data?

Local and cloud-based systems
Spreadsheets and databases
Paper records of the above
Personal electronic and paper files
Handwritten notes and lists
Anything else/anywhere else?
 
 
 
4. What’s your purpose for holding data?
 
Purposes must be “specified, explicit and legitimate”
You must set out your purposes clearly and
unambiguously
You can’t just say ‘fundraising purposes’, when that
could cover a huge variety of data uses
The discipline of clearly identifying your purposes at
the outset is one of the most useful things you can
do, and you must break down ‘fundraising purposes’
into its constituent parts
 
5. Gaining consent
 
Being transparent and providing accessible
information to individuals about how you will use
their personal data is a key element of this
The most common way to provide this information is in a privacy notice
The best privacy notices are as short as they can be,
written in language that is plain to the point of
bluntness, and highlighting the most surprising and
unexpected things that you are doing
 
5. Gaining consent
 
The starting point of a privacy notice should be to tell
people:
Who you are
What you are going to do with their information
And who it will be shared with
These are the basics upon which all privacy notices
should be built, however, you can also tell people more
than this and should do so where you think that not
telling people will make your processing of that
information unfair
 
5. Gaining consent
 
There is a fundamental difference between telling a person how you’re going to use their personal information and getting their consent
You should ask individuals to positively opt-in
You should give them sufficient information to make a
choice about opting in
If your consent mechanism consists solely of an “I agree” box with no supporting information then people are unlikely to be fully informed and the consent cannot be considered valid
 
5. An example…
 
Here at [organisation name] we take your privacy seriously and will only use
your personal information to administer your account and to provide the
products and services you have requested from us.
However, from time to time we would like to contact you with details of other
[specify products]/ [offers]/[services]/[competitions] we provide. If you
consent to us contacting you for this purpose please tick to say how you would
like us to contact you:
[ ] Post    [ ] Email    [ ] Telephone    [ ] Text message    [ ] Automated call
We would also like to pass your details onto other [name of
company/companies who you will pass information to]/[well defined category
of companies], so that they can contact you by post with details of [specify
products]/ [offers]/[services]/[competitions] that they provide. If you consent
to us passing on your details for that purpose please tick to confirm:
[ ] I agree
 
5. Gaining consent
 
What you can’t do/use:
‘Untick this box’
‘Tick this box if you do not want to receive marketing’ (especially if the marketing is email or text)
‘Text STOP’
‘By giving us your details for [unrelated thing], you agree to receive emails’

The ICO’s recent guidance on GDPR consent confirms this without any hint of ambiguity: “Consent requires a positive opt-in”
 
5. Gaining consent
 
How long does consent last?
The ICO’s consent guidance says “There is no
set time limit for consent. How long it lasts
will depend on the context. You should
review and refresh consent as appropriate”
 
The real limit of how long consent lasts is
what you tell the person at the start
 
5. What the ICO says…
 
You should read the detailed guidance the ICO has published on consent under the GDPR, and use our consent checklist to review your practices
Consent must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR... But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn
 
6. When you get consent
 
Begin to update your data when you get consent
Be clear about what parts someone is consenting to as
they may not positively opt in to all the options
Remember to include how long the consent lasts and
when reminders need to be sent
You have to find a way to manage this
You may need to adapt your systems and processes
 
 
 
7. Developing your policies
 
You must have your processes written down
Examples of what to be included, and other useful
resources can be found at:
 
www.ico.org.uk
www.knowhownonprofit.org
www.civilsociety.co.uk
 
 
Other things to consider
 
Data in the public domain
Sensitive personal data
Suppression lists
The Right to Be Forgotten
Privacy dashboards
Subject access requests/data requests
Children and GDPR
Personal data breaches
Fundraising
 
Data in the public domain
 
Questions we have actually been asked:
Can I use data from Companies House to identify where a potential donor works and then contact them by post?
Can I use the Sunday Times Rich List to identify potential donors?
Can I search directories like Who’s Who and then contact the people listed?
Answer: Yes, but you would need to tell them (in the first contact) how you obtained their data, together with the rest of your privacy information (Article 14 covers data you did not obtain from the individual). The data being publicly available does not remove the need for a lawful basis and a privacy notice
 
Sensitive personal data
 
An additional complication comes if you are using personal data that the DPA defines as sensitive, or GDPR defines as ‘special categories’
The DPA sensitive data categories are racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health or condition, sexual life, the commission or alleged commission by the data subject of any offence, or any proceedings for any offence that are currently ongoing
GDPR’s special categories (Article 9) add genetic data and biometric data used to identify someone, and treat criminal conviction and offence data separately (Article 10); processing them needs a lawful basis plus one of the specific conditions the law lists
You must seek specific advice on this
 
Suppression lists
 
This is a list of all the people who have told you that they do not wish to hear from you
It is reasonable to split your suppression list into different channels, but only if the person has made a nuanced request (e.g. you can post to them but not phone them); a blanket ‘stop contacting me’ goes on every channel
A person should be on your suppression list if they formally exercise their rights under Section 11 of the Data Protection Act 1998, which allows them to stop direct marketing; under GDPR the equivalent is the absolute right to object to direct marketing in Article 21, and you must keep enough data about the person to honour it
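Step 6 (“When you get consent”) and the suppression-list slide above describe the same record-keeping problem: consent is per channel, it has a lifetime you told the person about, reminders are due before it lapses, and a stop request must win over any consent on file. The following is an added example, not code from the original slides or from the ICO, showing one way to model that. The channel names come from the opt-in form on the “An example” slide; the 730-day validity, the 60-day reminder window, the `ConsentRegister` class and the `donor-001` sample record are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# The contact channels offered on the opt-in form above. Nothing is ticked by default:
# a channel only enters a record when the person positively ticks it.
CHANNELS = {"post", "email", "telephone", "text", "automated_call"}


@dataclass
class ConsentRecord:
    subject_id: str
    granted: Dict[str, date] = field(default_factory=dict)  # channel -> date of the positive opt-in
    suppressed: Set[str] = field(default_factory=set)       # channels the person has asked us to stop
    source: str = ""  # where we obtained the data, so the first contact can say so


class ConsentRegister:
    """Per-channel, time-limited opt-in register with a built-in suppression list.
    validity_days and reminder_days are assumed organisational policy values; GDPR
    sets no fixed lifetime for consent, so they must match what people were told."""

    def __init__(self, validity_days: int = 730, reminder_days: int = 60) -> None:
        self.validity = timedelta(days=validity_days)
        self.reminder = timedelta(days=reminder_days)
        self.records: Dict[str, ConsentRecord] = {}

    def record_consent(self, subject_id: str, ticked: Set[str], granted_on: date,
                       source: str = "") -> ConsentRecord:
        unknown = ticked - CHANNELS
        if unknown:
            raise ValueError("unknown channels: %s" % sorted(unknown))
        rec = self.records.setdefault(subject_id, ConsentRecord(subject_id, source=source))
        for channel in ticked:               # an unticked box is not consent, so it is never stored
            rec.granted[channel] = granted_on
            rec.suppressed.discard(channel)  # a fresh opt-in lifts an earlier stop request for that channel
        return rec

    def withdraw(self, subject_id: str, channels: Optional[Set[str]] = None) -> None:
        """channels=None is a blanket 'do not contact me'; a set is a nuanced
        per-channel request ('you can post to me but not phone me')."""
        rec = self.records.setdefault(subject_id, ConsentRecord(subject_id))
        rec.suppressed |= CHANNELS if channels is None else channels

    def expires_on(self, subject_id: str, channel: str) -> Optional[date]:
        rec = self.records.get(subject_id)
        if rec is None or channel not in rec.granted:
            return None
        return rec.granted[channel] + self.validity

    def may_contact(self, subject_id: str, channel: str, today: date) -> bool:
        """Suppression wins over consent; consent must exist for this channel and be unexpired."""
        rec = self.records.get(subject_id)
        if rec is None or channel in rec.suppressed:
            return False
        expiry = self.expires_on(subject_id, channel)
        return expiry is not None and today < expiry

    def due_for_reminder(self, today: date) -> List[Tuple[str, str]]:
        """(subject, channel) pairs whose live consent lapses within the reminder window."""
        due = []
        for subject_id, rec in self.records.items():
            for channel, granted_on in rec.granted.items():
                expiry = granted_on + self.validity
                if channel not in rec.suppressed and today < expiry <= today + self.reminder:
                    due.append((subject_id, channel))
        return sorted(due)

    def forget(self, subject_id: str) -> None:
        """Right to be forgotten as the slide describes it: drop every reference,
        including the suppression entry, so no contact can follow."""
        self.records.pop(subject_id, None)


if __name__ == "__main__":
    # Constructed sample: a donor ticked email and post on a form dated 1 Jan 2024.
    reg = ConsentRegister()
    reg.record_consent("donor-001", {"email", "post"}, date(2024, 1, 1), source="donation form")
    print(reg.may_contact("donor-001", "email", date(2024, 6, 1)))      # True
    print(reg.may_contact("donor-001", "telephone", date(2024, 6, 1)))  # False: never ticked
    reg.withdraw("donor-001", {"email"})                                # nuanced stop request
    print(reg.may_contact("donor-001", "email", date(2024, 6, 1)))      # False: suppressed
    print(reg.due_for_reminder(date(2025, 12, 1)))                      # [('donor-001', 'post')]
```

The ordering of the checks is the point: `may_contact` looks at the suppression set before it looks at consent, so a stop request can never be overridden by stale consent data, and `due_for_reminder` skips suppressed channels so a reminder cannot itself become an unwanted contact. Whatever system you use, the register should also keep the wording the person saw when they ticked the box, since that is the evidence of engagement the summary slide asks for.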
 
The Right to Be Forgotten
 
A person who asks to go on your suppression list is not asking you to delete the data you hold on that list; you need to keep enough to make sure you never contact them again
However, if they insist that all of their data is deleted, this means you will permanently delete every reference to that person
This is their ‘right to be forgotten’ (the right to erasure, Article 17); it is not absolute, and the Article lists exceptions such as a legal obligation to retain the data
You can never contact them again (and should be unable to as you have no record of their data)
 
Privacy dashboards
 
It is good practice to embed links to tools like dashboards
within your privacy notice to allow individuals to manage
their preferences and to prevent their data being shared
where they have a choice
A privacy dashboard can help to achieve this - this offers
people one place from which to manage what is happening
to their information
This is helpful if you process personal data across a number
of applications or services
See https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/?template=pdf&patch=38#link3 for an example
 
Subject access requests
 
Individuals have the right to know what data you hold on them, why the data is being processed and whether it will be given to any third party
They have the right to be given this information in a permanent form (hard copy or, if they asked electronically, a commonly used electronic format) - this is known as a subject access request
Your organisation needs to be able to identify a subject access request (it can arrive by any route, including email or social media), verify who is asking, find all the relevant data and comply within one month of receipt of the request
The ICO gives guidance on this
 
What the ICO says…
 
You should update your procedures and plan how you will
handle requests to take account of the new rules
In most cases you will not be able to charge for complying
with a request
You will have a month to comply, rather than the current 40
days
You can refuse or charge for requests that are manifestly
unfounded or excessive
If you refuse a request, you must tell the individual why and
that they have the right to complain
 
Children and GDPR
 
GDPR brings in special protection for children’s personal
data
GDPR says that, for online services offered directly to a child, children under 16 cannot give consent themselves (the UK’s Data Protection Act 2018 lowers this to 13), so you may have to seek consent from a parent or guardian
You will need to be able to verify that person giving
consent on behalf of a child is allowed to do so
Any privacy statements will need to be written in
language that children can understand
 
What the ICO says…
 
You should start thinking now about whether you need to put
systems in place to verify individuals’ ages and to obtain
parental or guardian consent for any data processing activity
For the first time, the GDPR will bring in special protection
for children’s personal data, particularly in the context of
commercial internet services such as social networking
Remember that consent has to be verifiable
When collecting children’s data your privacy notice must be
written in language that children will understand
 
Data breaches
 
A data breach is a breach of security leading to ‘accidental
or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data’
You will need to have the right procedures in place to
detect, investigate and report a personal data breach
GDPR introduces a duty to report certain types of data breaches to the ICO (within 72 hours of becoming aware of the breach, where feasible) and in some cases to the individuals concerned; keep a log of every breach, including those you decide not to report, and why
You need to be able to demonstrate that you have
appropriate technical and organisational measures in place
to protect against a data breach
Read guidance from ICO on data breaches
 
What the ICO says…
 
The GDPR introduces a duty on all organisations to report
certain types of data breach to the ICO, and in some cases, to
individuals
You only have to notify the ICO of a breach where it is likely to
result in a risk to the rights and freedoms of individuals – if, for
example, it could result in discrimination, damage to
reputation, financial loss, loss of confidentiality or any other
significant economic or social disadvantage
Where a breach is likely to result in a high risk to the rights and
freedoms of individuals, you will also have to notify those
concerned directly in most cases
Failure to report a breach when required to do so could
result in a fine, as well as a fine for the breach itself
 
Fundraising
 
The use of personal data is central to most
fundraising activities and there has been a great deal
of public and media scrutiny of fundraising techniques
If you use personal data to fundraise then you need to
follow the latest guidance on fundraising and data
protection
The Fundraising Regulator provides guidance which
complements guidance from the ICO on direct
marketing
 
Summary
 
If you already capture data, this is about reviewing
and enhancing your processes
See this as an opportunity to improve your processes
Relate this to you – how would you want your data
to be handled?
You have to show you have engaged in this process as
there are no exceptions
You have to record what you do – this is your evidence
of engagement
Get specialist advice if you need it
 
Finally…
 
Think about the immediate next steps for you and
your group or organisation
Remember the deadline and make a simple plan
You’ll need time to test out the new processes
Talk to others today
Leave questions for us – we will try and help
Attend more in-depth training
Review the ICO website and tools
Remember to share what you know with others