By Richard Sisson, former Senior Policy Officer at the Information Commissioner’s Office
May 2018 marked a key moment in privacy and information rights with the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
The change in the regulatory landscape has reemphasised the importance of getting privacy right. People have woken up to the new rights the GDPR delivers, with increased protection for the public and increased obligations for organisations.
At the Information Commissioner’s Office, we regulate this new legislation and have been working with charities to help them with their compliance.
We have already seen evidence of better practice across the sector but it is important charities keep data protection high on their agenda.
Overall, most data breaches and complaints we have seen across all sectors, including charities, have been in relation to subject access requests, disclosure of data and security. So here are our top data protection tips for charities and third sector organisations for better data protection compliance.
Supporting people accessing their data
Anyone in the UK has the legal right to find out what information is held about them by organisations and ask for a copy free of charge within one month. This is known as a subject access request (SAR).
Requests can be made verbally or in writing, including through social media, so it’s good practice to have a policy for recording these requests. SARs can be responded to electronically (as long as it is secure), unless the individual requests otherwise.
Your charity can ask for further information to establish the identity of a requester, particularly where sensitive data is involved. Such requests should be reasonable and proportionate. The one month time limit will start once you have received the necessary information. Further information about the right of access is on the ICO website.
Keeping people’s data secure
Under data protection legislation, organisations have responsibilities to protect the personal information that is collected and used. This includes having appropriate security to prevent personal data from being accidentally or deliberately compromised.
The security measures put in place should fit the needs of the particular organisation. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT systems already in use at your charity. Further guidance on how to keep people’s data secure is on the ICO website.
Being transparent about people's data
People should know what your charity are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice), so it’s important you are open and honest with people about how their data will be used. Remember that for consent to be valid it must be fully informed, specific, freely given and not bundled together with general terms and conditions.
Organisations must also not keep personal data for longer than is necessary. Have a retention policy in place that sets out when and how personal information needs to be reviewed, deleted or anonymised. People can request to have their data erased, so this should also be part of your retention policy.
Preparing for the unexpected
Experience shows that organisations find it much easier to deal with unexpected situations when they have a plan in place that has been tested before. Make sure everyone in your charity knows their roles and what procedures are in place in case of an incident involving personal data. Having a reporting policy is very important, including an incident log or a method of rating the risks associated with a data breach.
Data protection and Brexit
If your charity only operates within the UK, you may not need to do much to prepare for data protection after we leave the EU. The UK government plans to incorporate the GDPR into UK law when we leave, so to be prepared for Brexit it is best that you are effectively complying with the GDPR now. If you operate within the European Economic Area (EEA), there may be a few steps you need to take to comply with data protection legislation. Further guidance is available on the ICO website.
For more information on data protection, you can find more resources, including toolkits and guidance, on the ICO website www.ico.org.uk/charity.