General Data Protection Regulation (GDPR): Frequently Asked Questions
Does the GDPR replace the Data Protection Act (DPA) and Privacy and Electronic Communications Regulations (PECR)?
- Yes, the GDPR does replace the DPA. It does not replace the PECR, which give people specific privacy rights in relation to electronic communications.
Does the UK’s decision to leave the EU have any impact on GDPR?
- No, it doesn’t. The government has confirmed that the UK’s decision to leave the EU will not affect the introduction of the GDPR on 25 May 2018.
Who is affected by GDPR?
- You can assume that if you hold personal information that falls within the scope of the DPA, it will also fall within the scope of the GDPR. The regulation will apply to any organisation providing goods/services inside the EU that says how personal data and sensitive personal data should be processed and to those that process it too. GDPR applies equally to not-for-profit and charitable organisations. It also applies to both automated personal data and to manual filing systems.
When am I ‘processing’ personal identifiable information or sensitive personal data?
- If you are storing, collecting, using or destroying personal data about your staff, members, supporters, suppliers, or any other contacts, or disclosing or transferring their data to another organisation, then you are processing personal identifiable information.
- Sensitive personal data is information covering:
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data
• biometric data
• data concerning health
• data concerning a natural person’s sex life or sexual orientation
What ways can I justify processing data?
- There are some fundamental ways to demonstrate a legal basis for the collection and processing of personal data:
• You have explicitly gained the consent of the data subject to hold and process their personal information. This consent must be actively given and you must be able to provide evidence of this consent.
• You have a “legitimate reason” to hold and process personal information. For example, during an online purchase you have to provide whatever basic information is necessary to fulfil a transaction i.e. contact and address information and the seller will have to record your transaction.
• You may have a legal obligation to collect and process personal data. For example, if the person is an employee, you have a legal obligation to record and process payroll information and report details to HMRC. As you are legally bound to do this, you do not require the explicit consent of the individual to do this.
• Processing is necessary to protect the “vital interests” of an individual, that is effectively matters of life or death.
• Processing is necessary to comply with a UK legal obligation.
• Processing is necessary for the performance of a task carried out in the public interest.
- In Hart Square’s opinion, consent and legitimate interests are the two most relevant legal bases to the NFP sector.
We pass our member/supporter data to our mailing house supplier so that they can send out member/supporter communications. Can we still do this after the commencement of the GDPR?
- Your supplier needs to demonstrate to you that they are compliant with GDPR. Your contract with your supplier needs to have a GDPR compliance policy. If your supplier is not compliant, your organisation as well as the supplier could be liable for a fine.
Can our organisation carry on using existing DPA consents?
- You are not required to automatically refresh all existing DPA consents in preparation for the GDPR. However, if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being: specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, then you should obtain GDPR-compliant consent.
- Consent must be actively given. There must be some form of clear affirmative action – that is a positive opt-in.
- Consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent.
- When obtaining consent, the purpose for which the data is being collected and the way it will be processed must be explained in clear and simple terms.
- Ideally explicit consent is required for each channel of communication – both electronic and non-electronic – to allow the individual choice and flexibility.
- You should also consider if you can rely on another of the legal bases to process personal and sensitive personal data. (See question above.)
How long does consent last?
- There is no explicit expiry date, but there is an expectation that consent should last between two to three years. It is essential to record the date of when was consent was given, at the time it was given and a record of what the individual was told to capture their consent.
- There is a requirement to have evidence of that interaction or conversation that recorded that consent and a link to the statement that was used to capture it.
Will audits from the Information Commissioner’s Office (ICO) increase?
- The ICO has not made their position on this subject clear. However, the need to evidence compliance is most likely to come from members/supporters in first instance. You must show at once upon request that you are compliant, or face the possibility of significant fines.
Isn’t having to sacrifice all this data a bad thing?
- Whilst the numbers of contacts may reduce, the quality of information should increase and you can become more targeted in your communications. It’s an opportunity to manage your organisation’s data better and ensure you have the accurate, quality information about your member/supporter database and build better and closer relationships.
Do I need to go on training or require certification for GDPR?
- It’s not part of the requirements to attend any training or gain certification.
Shouldn’t our strategy just depend on how sensitive the data we’re holding is?
- No, if your organisation is holding staff data, keeping HR records, customer/member/supporter lists, or other contact details then you will need to take steps to comply with the GDPR.
What are the consequences of not adhering to the GDPR?
- The minimum penalty for non-compliance is 2% of global turnover or £10million whichever is more. In addition, there is the media coverage that would be generated by the non-compliance, the loss of your organisation’s reputation to hold data responsibly, which in turn may affect member or supporter retention, as trust in the organisation is eroded
Isn’t the number of complaints I had under DPA indicative of how many I will get under GDPR?
- Not necessarily. It is likely that the increased media interest in non-compliant organisations following the commencement of the GDPR will raise awareness to all members of the public about their rights.