Last week we were grateful to host Chris and Virginia from Hewitsons who came along to help a number of groups review their preparations for the new GDPR regulations.
They have put together their top tips based on the queries that groups presented and we are able to share them with you here:
• The GDPR will replace the Data Protection Act 1998 on 25 May 2018. All charities must ensure that they comply with the new rules. If a charity is already complying with the DPA then there may be very little adjustment to be made to current practices and policies.
• The ICO has lots of useful guidance on its website, especially for charities, which may be found at https://ico.org.uk/for-organisations/charity/. This will also be useful for local groups and other not-for-profits even if they are not charities.
• In order to be prepared, charities must first undertake an ‘audit’ of all the personal data that they currently hold to understand what data is held, what it is used for, the legal basis on which it is held (see below) and who has access to it.
• As to that last point, charities should ensure the data is kept securely, either by physical means (e.g. a locked cabinet) or electronic means (passwords).
• It is helpful if there is one person who is assigned to the job of making sure that a charity is GDPR compliant. Charities should follow the guidance about whether a Data Protection Officer must be appointed in their organisation, but whether required or not it is always useful to nominate someone for this responsibility.
• Boards of trustees should ensure that they recognise their duties in respect of GDPR and minute their discussions on the subject. Although it may be best for them to delegate the practical side of compliance, ultimately the responsibility to ensure that they are compliant lies with them.
• Charities should read the ‘12 steps to take now’ document which is produced by the ICO.
• The key point to remember is that there must be a lawful basis for processing personal data – for most charities this will either be because consent has been given or because there is a ‘legitimate interest’ for the charity in doing so. Other lawful bases include a legal obligation and because the person concerned is subject to a contract with the charity.
• ‘Special category data’, which includes data regarding someone’s health or relating to children, must be treated especially carefully – the GDPR introduces additional protections over and above standard data processing.
• There is no need to panic. Changes to policies and practices cannot be done overnight. So long as charities are taking all reasonable steps to ensure compliance, they are highly unlikely to be found to be in breach.