GDPR: Top 10 practical tips for charities and social enterprises
Published 25 May 2017 by BWB
We are now on the final countdown to the GDPR, which will apply in the UK from 25 May 2018. The GDPR has been one of the most anxiously awaited pieces of legislation of recent years. While it will undoubtedly introduce a number of changes to data protection practices, our message to charities and social enterprises is “don’t panic”. The GDPR should not radically alter how you approach data protection compliance. Many of the core principles will remain the same, so for organisations that currently follow sound data protection practices, getting ready for the GDPR will not be an insurmountable task!
Our series of GDPR seminars will give practical tips on how to prepare and clarify areas of confusion. Below are what we think are the really key practical steps which charities and social enterprises should be taking now and over the next twelve months.
- Get ready to work differently with suppliers who are processing personal data on your behalf (i.e. data processors) for instance payroll providers, professional fundraisers and software providers. Agreements with these companies will need to be reviewed to make sure they are “GDPR ready”. This needs to happen now for contracts that will continue past 25 May 2018.
- Where you rely on consent for any reason (whether to process a member’s details or to send email fundraising), check that it meets the new higher threshold set out under the GDPR. Existing consents obtained under the Data Protection Act will need to be brought up to the GDPR standard in time for 25 May 2018.
- Put in place mechanisms to ensure that you can record and comply with any withdrawal of consent by individuals.
- Review your privacy statements. These will need to be much more comprehensive and detailed under the GDPR.
- Introduce policies and train staff on the new rights that individuals will have under the GDPR, so that you are ready to comply with requests as soon as they come in. These will include the complex “right to be forgotten”.
- Determine whether you will need to employ a Data Protection Officer under the GDPR. This will depend on whether you are a “public authority” and on the type of processing that you are carrying out.
- After May 2018 you will no longer be required to maintain an annual registration with the ICO. Instead you will need to prepare templates for keeping new internal records of processing. You will also need to prepare to carry out “Privacy Impact Assessments” for any “high risk” profiling.
- Update your data security policies and train staff on the new obligation to report data security breaches within 72 hours where they present a risk to individuals.
- If you are an international organisation based outside the EU, which engages with supporters or customers in the EU, you may be subject to the GDPR and need to appoint a representative in the EU.
- There will be a sharp increase in the fines which the ICO can issue for data protection breaches (up to €20 million). This needs to be reflected in your organisation’s data protection risk assessments.