What's happening Blog GDPR - Get Data Protection Ready! By Dr Andy Clempson, Senior Research Policy Manager, AMRC You've probably heard it already but data protection law is changing - out with the old Data Protection Act 1998 (DPA) and in with the new General Data Protection Regulation (GDPR) which comes into force on May 25 2018, a mere 222 days away! (not that we’re counting)… There has, and continues to be a lot of attention paid to this – not a week goes by without hearing or reading something GDPR related and our sector is by no means immune. But beyond the doom and gloom that some are preaching, there are nuggets of comfort that mean we should tackle this head on. After all, this is about protecting people’s data, including yours and mine, so it’s important that we recognise this and the challenges and opportunities it brings to shape how we work. In this blog, we look at why data protection is changing, what the new rules look like and how you can be best prepared for GDPR. This follows hot on the heels from a recent article suggesting that a fifth of charities that took part in a recent GDPR survey had not yet taken any steps to prepare for the new regulation, and 72% found a lack of clear guidance the biggest challenge in doing so. Why the change? That DPA has long since been a cornerstone of data protection law. It applies to ‘personal data’ – any information about identifiable, living individuals that is recorded (electronically, in a filing system, even scribbled on a post-it note – or anything with the intention of going into one of these). On first glance, you might think this refers only to a small amount of information your charity holds. But ponder it for a few minutes and you’ll quickly realise it’s a HUGE amount – both internally to your organisation (data relating to you and other staff) and externally (your supporters, fundraisers, patients, relatives, those signed up to mailing lists… the list could go on). Take a look at this handy guide to work out if the data you hold is ‘personal data’. For those of us who enjoy governance (yes - there are a small but dedicated band of us out there!) you will be familiar with its 8 data protection principles under the Act: used fairly and lawfully used for limited, specifically stated purposes used in a way that is adequate, relevant and not excessive accurate kept for no longer than is absolutely necessary handled according to people’s data protection rights kept safe and secure not transferred outside the European Economic Area without adequate protection. On the face of it, these seem quite extensive - no one can argue with the importance of each of these in their own right. But the world has moved on since 1998. The sheer volume of personal data we have access to – hand written and digital, where it is stored and how it is accessed has changed substantially. Whoever saved something to the ‘cloud’ in 1998 when the humble 3½ inch floppy disk was the tool of choice? While the principles of the Act remain true, their practical application has changed substantially, so it’s timely for a refresh. Another change since 1998 is the growing awareness and importance of people power. As the volume of information stored about someone has increased, so has public concern around how it’s collected, stored and used. News of data breaches, fraud and theft of data has heightened sensitivity and awareness of data protection and the upmost importance of respecting an individual’s wishes when it comes to handing their data. This fuelled the development of the GDPR – an EU law passed by the Council of the European Union on 27th April 2016. GDPR replaces the DPA on May 25th 2018 and applies to all organisations that control and process personal data – this includes that vast majority of AMRC members (if you are unsure, take a look at the definitions from the ICO). And before we mention the ‘B-word’ (Brexit), this will have no effect on GDPR – it will still apply so we need to be ready for the changeover. What’s new in GDPR? In many ways, GDPR is similar to the DPA. When compared with other countries in the EU, the UK’s DPA was already pretty substantive. So in theory, we should be relatively comfortable with the idea of data protection and what this looks like. There are also 6 principles under GDPR – that’s two less than the DPA: fair, lawful and in a transparent manner only for particular purpose(s) data must be adequate, relevant and not excessive for the purpose(s) accurate and up to date where required not kept for longer than is necessary secure and in a system that permits the easy identification of the data subject. So up to now, you might be wondering what all the fuss is about. It should be easy, right? Taking off the rose-tinted spectacles Sometimes, just because we’re used to something, it doesn’t mean that change is easier to stomach. And just because there are fewer principles, less can actually turn out to be more. Both of these are true in GDPR. Some of the biggest changes under GDPR include: Consent for processing data will have greater and more rigorous criteria applied to it. Consent must be freely given, informed and specific. So this means that if you have someone’s consent for contacting them only about research, you will not be allowed to contact them about a fundraising activity. Where consent is involved, a shift towards ‘opt-in’ is increasingly gathering pace. An example of this is Cancer Research UK’s Just a Tick campaign. Under GDPR, consent requires ‘clear affirmative action’. Silence or pre-ticked boxes do not mean consent has been given. Consent will also have to be recorded under GDPR so that it is verifiable. * Note: some details around this are still to be clarified – particularly in regards to something called legitimate interests which weighs up the balance between the needs of the data controller (typically, your organisation) and the data subject (the individual concerned) and whether you need consent to collect, store, use or otherwise ‘process’ their personal information. Stay tuned for guidance from the Information Commissioner’s Office, but start planning now. More explicit information in fair processing ‘notices’. A short, pithy privacy notice will no longer be sufficient under GDPR. Organisations will have to include a more information to make it clearer and more explicit to the reader. The idea behind this is to give people more power and right to tell an organisation how they want their data handled and for this to be respected. An increase in enforcement fines for breaching GDPR – up to €20 million or 4% of total annual worldwide turnover of the preceding year (whichever is higher). Something that will send many trustees into panic… The right to be forgotten: this is a new right under GDPR where individuals can request that an organisation deletes all of their personal data. There are some limitations to this – such as cases involving legal or criminal matters, so make sure you understand the rules. There are many other changes under GDPR but the above highlights how just a few small tweaks can have big repercussions on how we work. What you need to do now 1. All organisations must have systems in place by 25th May 2018 to evidence how you comply with GDPR. So if you haven’t already, do start planning now - time is running out. 2. Become familiar with the Information Commissioner’s Office website and the excellent resources on the Data Protection Network – its free to sign up and access the guidance. 3. Go through your internal systems and work out what information you hold, where it is stored, how long you keep it and why you need it. Question what you have – and clear up things you don’t need. The risk of holding on to personal information because ‘one day we might need it’ can be higher than deleting it. A good clean up in readiness for GDPR is not a bad thing at all. 4. Here at AMRC, we can also try and help you. We want to collate a range of different policies and guidance to share with other organisations. If you think you can help, please drop me a line – [email protected]. And please don’t be put off because you think you don’t know enough. We are all in the same boat - please share what you can and don’t be afraid to ask for help, or getting it wrong. Better to know now than to wait for it to crop up down the line. I hope this has been a helpful canter through GDPR. Please get in touch with us if we can help.