Introducing… GDPR: A quick guide to understanding the basics - PowerPoint Presentation

natalia-silvester

Uploaded On 2018-10-24




Presentation Transcript

Slide1

Introducing… GDPR

A quick guide to understanding the basics

Slide2

Introducing… ICO and GDPR

ICO - The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals

GDPR - The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is an EU regulation, adopted by the European Parliament and the Council of the European Union on a proposal from the European Commission, that strengthens and unifies data protection for all individuals within the European Union (EU)

Slide3

What the ICO say about this...

'Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently'

Slide4

What is it?

GDPR - General Data Protection Regulation

This is a new EU law governing data protection, which will supersede the Data Protection Act in 2018

It takes effect from 25 May 2018

It aims to give people more control over their data and allows them to request to see the personal data held on them

Slide5

Why do you need to know about this?

Data protection legislation covers everyone about whom you keep personal data

This includes employees, volunteers, service users, members, supporters and donors

GDPR builds on existing law rather than replacing its core principles, but it substantially increases the monetary penalties for non-compliance

Slide6

Does Brexit affect this?

The quick answer is… No!

Despite the UK exiting the EU, the British government has said GDPR will still apply and charities must comply

This is why you must be ‘GDPR’ ready

This session can help you get ready

Slide7

What will we do today?

Explore the basics

Help you relate this to your group or organisation

Give you some practical tips to get started

Share guidance and resources available

Slide8

Some important definitions

Personal data - data about or relating to a living, identifiable individual

Data subject – the person the data is about

Data controller – the organisation that ‘determines the purposes and means’ of the processing, i.e. that decides to gather and use the information

Slide9

Some important definitions continued…

Data processor – carries out specific processing tasks on behalf of, and on the instructions of, the data controller

Data processing – any operation performed on personal data, including collection, recording, organisation, storage, use, disclosure and erasure

Data profiling – automated processing of personal data to evaluate or predict personal aspects of an individual, such as their preferences, behaviour or economic situation

Slide10

Some important definitions continued…

Information Asset Owner – is responsible for identified data assets

Senior Information Risk Owner – is usually a board member and sets policy

Data Protection Officer – mandatory for public authorities, and for any organisation whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal offence data; a charity can also appoint one voluntarily

Slide11

A simple process

Make everyone aware of this

Nominate a dedicated lead for this

List everywhere you store data

Create a simple explanation of why you need to hold the data - what's the purpose?

Contact everyone, explain this, and ask for their consent to hold their data where consent is the lawful basis you rely on (consent is one of six lawful bases; data you hold to deliver a service, employ someone or meet a legal obligation does not need consent, and you should not ask for consent you do not need)

Update your data when you get their consent

Have this written down in a policy

Slide12

1. Have you made everyone aware of this?

Board and trustees

Employees

Volunteers

Service users

Members

Supporters

Donors

Anyone else?

Slide13

2. Who is your lead?

Nominate a lead for this

Invest in specific training for them

This is a difficult role and they will need support

Identify an expert you can work with if you have specific issues or complexity

Name them as your contact person on your website/in your policy

They can also be your lead for comments, compliments and complaints

Slide14

3. Where do you store data?

Local and cloud based operating systems

Spreadsheets and databases

Paper records of the above

Personal electronic and paper files

Handwritten notes and lists

Email inboxes, backups and portable devices (laptops, phones, USB sticks)

Anything else/anywhere else?

Slide15

4. What’s your purpose for holding data?

Purposes must be “specified, explicit and legitimate”

You must set out your purposes clearly and unambiguously

You can’t just say ‘fundraising purposes’, when that could cover a huge variety of data uses

The discipline of clearly identifying your purposes at the outset is one of the most useful things you can do, and you must break down ‘fundraising purposes’ into its constituent parts

Slide16

5. Gaining consent

Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of this

The most common way to provide this information is in a privacy notice

The best privacy notices are as short as they can be, written in language that is plain to the point of bluntness, and highlighting the most surprising and unexpected things that you are doing

Slide17

5. Gaining consent

The starting point of a privacy notice should be to tell people:

Who you are

What you are going to do with their information

And who it will be shared with

These are the basics upon which all privacy notices should be built; however, you can also tell people more than this, and should do so where you think that not telling people will make your processing of that information unfair

Slide18

5. Gaining consent

There is a fundamental difference between telling a person how you’re going to use their personal information and getting their consent

You should ask individuals to positively opt-in

You should give them sufficient information to make a choice about opting in

If your consent mechanism consists solely of an “I agree” box with no supporting information then people are unlikely to be fully informed and the consent cannot be considered valid

Slide19

5. An example…

Here at [organisation name] we take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us. However, from time to time we would like to contact you with details of other [specify products]/[offers]/[services]/[competitions] we provide. If you consent to us contacting you for this purpose please tick to say how you would like us to contact you:

Post ☐ Email ☐ Telephone ☐ Text message ☐ Automated call ☐

We would also like to pass your details on to other [name of company/companies who you will pass information to]/[well defined category of companies], so that they can contact you by post with details of [specify products]/[offers]/[services]/[competitions] that they provide. If you consent to us passing on your details for that purpose please tick to confirm:

I agree ☐

Slide20

5. Gaining consent

What you can’t do/use:

‘Untick this box’

‘Tick this box if you do not want to receive marketing’ (especially if the marketing is email or text)

‘Text STOP’

‘By giving us your details for [unrelated thing], you agree to receive emails’

The ICO’s recent guidance on GDPR consent confirms this without any hint of ambiguity: “Consent requires a positive opt-in”

Slide21

5. Gaining consent

How long does consent last?

The ICO’s consent guidance says “There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate”

The real limit of how long consent lasts is what you tell the person at the start

Slide22

5. What the ICO says…

You should read the detailed guidance the ICO has published on consent under the GDPR, and use our consent checklist to review your practices

It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent

You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR... But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn

Slide23

6. When you get consent

Begin to update your data when you get consent

Be clear about what parts someone is consenting to, as they may not positively opt in to all the options

Remember to include how long the consent lasts and when reminders need to be sent

You have to find a way to manage this

You may need to adapt your systems and processes

Slide24

7. Developing your policies

You must have your processes written down

Examples of what to be included, and other useful resources, can be found at:

www.ico.org.uk

www.knowhownonprofit.org

www.civilsociety.co.uk

Slide25

Other things to consider

Data in the public domain

Sensitive personal data

Suppression lists

The Right to Be Forgotten

Privacy dashboards

Subject access requests/data requests

Children and GDPR

Personal data breaches

Fundraising

Slide26

Data in the public domain

Actually asked questions:

Can I use data from Companies House to identify where a potential donor works and then contact them by post?

Can I use the Sunday Times Rich List to identify potential donors?

Can I search directories like Who’s Who lists and then contact them?

Answer: Yes, but you still need a lawful basis for the processing (usually legitimate interests, which you should record), and you would need to tell them how you obtained their data: in the first contact, and in any case within a month of collecting it

Slide27

Sensitive personal data

An additional complication comes if you are using personal data that DPA defines as sensitive, or GDPR defines as ‘special categories’

The sensitive data categories are racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health or condition, sexual life, the commission or alleged commission by the data subject of any offence, or any proceedings for any offence that are currently ongoing

GDPR’s special categories add genetic data, biometric data used to identify someone, and sexual orientation; data about criminal convictions and offences is covered by its own separate rule

You must seek specific advice on this

Slide28

Suppression lists

This is a list of all the people who have told you that they do not wish to hear from you

It is reasonable to split your suppression list into different channels, but only if the person has made a nuanced request (i.e. you can mail but not phone)

A person should be on your suppression list if they formally exercise their rights under Section 11 of the Data Protection Act, which allows them to stop marketing (under GDPR the same absolute right to object to direct marketing is in Article 21, and you must stop as soon as they object)

Slide29

The Right to Be Forgotten

If a person wants to be on your suppression list, they will not ask you to delete the data you hold on that list

However, if they insist that all of their data is deleted, this means you will permanently delete every reference to that person

This is their ‘right to be forgotten’

You can never contact them again (and should be unable to, as you have no record of their data)

In practice, check first whether any of the data must be kept for a legal reason (for example Gift Aid or accounting records), tell the person what you are keeping and why, and make sure the deletion reaches every copy, including backups, exports and any processors you have shared the data with
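The ‘6. When you get consent’, ‘Suppression lists’ and ‘The Right to Be Forgotten’ slides above describe what a system holding supporter data has to do: record only positive, per-channel opt-ins against the notice the person saw, let people withdraw some or all channels, know when a consent lapses and a reminder is due, and delete every reference on request. The following is an added illustration written for this guide, not code from the presentation or the ICO; the ledger design, the two-year refresh default, the channel names and the sample donor records are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Contact channels offered on the form (the tick boxes in the slide's example wording).
CHANNELS = ("post", "email", "telephone", "text", "automated_call")


@dataclass(frozen=True)
class ConsentEvent:
    channel: str
    granted: bool        # True = positive opt-in; False = withdrawal or objection
    at: datetime         # when it happened (UTC)
    notice_version: str  # which privacy-notice wording the person was shown
    source: str          # how it was captured, e.g. "web form", "paper reply slip"


class ConsentLedger:
    """Append-only consent record per person and channel (assumed design, not ICO code)."""

    def __init__(self, valid_for: timedelta = timedelta(days=730)) -> None:
        # Assumed two-year default for how long a grant stays current; the real limit
        # is whatever you told the person when you asked.
        self.valid_for = valid_for
        self._events: dict[str, list[ConsentEvent]] = {}

    def record_form(self, person, ticked, notice_version, source, at):
        """Record only the boxes the person actively ticked. There is no way to turn an
        unticked box into consent, and a form with no notice attached is refused."""
        if not notice_version:
            raise ValueError("consent without a privacy notice is not informed")
        if unknown := ticked - set(CHANNELS):
            raise ValueError(f"unknown channel(s): {sorted(unknown)}")
        events = [ConsentEvent(ch, True, at, notice_version, source) for ch in sorted(ticked)]
        self._events.setdefault(person, []).extend(events)
        return events

    def withdraw(self, person, at, channels=None, source="request"):
        """Withdraw the named channels, or every channel if none are named."""
        for ch in sorted(channels or CHANNELS):
            self._events.setdefault(person, []).append(ConsentEvent(ch, False, at, "n/a", source))

    def _latest(self, person, channel):
        events = [e for e in self._events.get(person, []) if e.channel == channel]
        return max(events, key=lambda e: e.at) if events else None

    def may_contact(self, person, channel, now) -> bool:
        """True only if the newest event for the channel is a grant that has not lapsed."""
        e = self._latest(person, channel)
        return e is not None and e.granted and now - e.at < self.valid_for

    def suppression_list(self) -> dict[str, set[str]]:
        """People who said 'do not contact me', split by channel only for nuanced requests."""
        out = {}
        for person in self._events:
            blocked = {ch for ch in CHANNELS
                       if (e := self._latest(person, ch)) is not None and not e.granted}
            if blocked:
                out[person] = blocked
        return out

    def due_for_refresh(self, now, warn=timedelta(days=60)):
        """Current consents lapsing within `warn`: who needs a reminder and by when."""
        due = []
        for person in self._events:
            for ch in CHANNELS:
                if self.may_contact(person, ch, now):
                    lapses = self._latest(person, ch).at + self.valid_for
                    if lapses - now <= warn:
                        due.append((person, ch, lapses))
        return due

    def evidence(self, person):
        """The documented trail to show the ICO or include in a subject access reply."""
        return sorted(self._events.get(person, []), key=lambda e: e.at)

    def erase(self, person) -> int:
        """Right to be forgotten: drop every reference; returns how many events went."""
        return len(self._events.pop(person, []))


def demo() -> dict:
    """Walk-through on constructed sample donors (not real data); returns the checks."""
    t0, day = datetime(2018, 5, 25, tzinfo=timezone.utc), timedelta(days=1)
    ledger = ConsentLedger()
    ledger.record_form("donor-42", {"email", "post"}, "notice-v1", "web form", t0)
    ledger.record_form("donor-43", {"telephone"}, "notice-v1", "paper reply slip", t0)
    r = {"email_ok_day1": ledger.may_contact("donor-42", "email", t0 + day),
         "phone_never_ticked": ledger.may_contact("donor-42", "telephone", t0 + day)}
    ledger.withdraw("donor-42", t0 + 10 * day, channels={"email"})  # nuanced: post still fine
    ledger.withdraw("donor-43", t0 + 10 * day)                       # "never contact me again"
    r["email_after_withdraw"] = ledger.may_contact("donor-42", "email", t0 + 11 * day)
    r["post_after_withdraw"] = ledger.may_contact("donor-42", "post", t0 + 11 * day)
    r["suppression"] = ledger.suppression_list()
    r["post_lapsed"] = ledger.may_contact("donor-42", "post", t0 + 730 * day)
    r["reminders"] = [(p, ch) for p, ch, _ in ledger.due_for_refresh(t0 + 700 * day)]
    try:
        ledger.record_form("donor-44", {"email"}, "", "web form", t0)  # no notice shown
        r["no_notice_rejected"] = False
    except ValueError:
        r["no_notice_rejected"] = True
    r["erased_events"] = ledger.erase("donor-42")
    r["evidence_after_erase"] = ledger.evidence("donor-42")
    return r


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the only way to get a “may contact” answer is a recorded, dated, positive grant tied to a notice version, so a pre-ticked box or an “I agree” with nothing behind it has nowhere to go; withdrawal and the suppression list fall out of the same append-only record rather than being maintained by hand, and erasure is a single operation that leaves no trail.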

Slide30

Privacy dashboards

It is good practice to embed links to tools like dashboards within your privacy notice to allow individuals to manage their preferences and to prevent their data being shared where they have a choice

A privacy dashboard can help to achieve this - it offers people one place from which to manage what is happening to their information

This is helpful if you process personal data across a number of applications or services

See https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/?template=pdf&patch=38#link3 for an example

Slide31

Subject access requests

Individuals have the right to know what data you hold on them, why the data is being processed and whether it will be given to any third party

They have the right to be given a copy of this information in a permanent form (a hard copy, or a commonly used electronic format where the request was made electronically) - this is known as a subject access request

Your organisation needs to be able to identify a subject access request (it can arrive by any route, including email or social media, and need not mention the law), verify the requester’s identity, find all the relevant data and comply within one month of receipt of the request

The ICO gives guidance on this

Slide32

What the ICO says…

You should update your procedures and plan how you will handle requests to take account of the new rules

In most cases you will not be able to charge for complying with a request

You will have a month to comply, rather than the current 40 days

You can refuse or charge for requests that are manifestly unfounded or excessive

If you refuse a request, you must tell the individual why and that they have the right to complain

Slide33

Children and GDPR

GDPR brings in special protection for children’s personal data

Where you offer an online service directly to a child and rely on consent, GDPR says children under 16 cannot give that consent themselves (member states may lower this to 13, and the UK has done so in the Data Protection Act 2018), so you may have to seek consent from a parent or guardian

You will need to be able to verify that the person giving consent on behalf of a child is allowed to do so

Any privacy statements will need to be written in language that children can understand

Slide34

What the ICO says…

You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity

For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking

Remember that consent has to be verifiable

When collecting children’s data your privacy notice must be written in language that children will understand

Slide35

Data breaches

A data breach is a breach of security leading to ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’ - it covers a lost laptop, an email sent to the wrong person or a ransomware infection as much as a deliberate attack

You will need to have the right procedures in place to detect, investigate and report a personal data breach

GDPR introduces a duty to report certain types of data breaches to the ICO (within 72 hours of becoming aware of them) and in some cases to the individuals concerned; keep a log of every breach, including those you decide not to report, with your reasoning

You need to be able to demonstrate that you have appropriate technical and organisational measures in place to protect against a data breach

Read guidance from ICO on data breaches

Slide36

What the ICO says…

The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals

You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases

Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself

Slide37

Fundraising

The use of personal data is central to most fundraising activities and there has been a great deal of public and media scrutiny of fundraising techniques

If you use personal data to fundraise then you need to follow the latest guidance on fundraising and data protection

The Fundraising Regulator provides guidance which complements guidance from the ICO on direct marketing

Slide38

Summary

If you already capture data, this is about reviewing and enhancing your processes

See this as an opportunity to improve your processes

Relate this to you – how would you want your data to be handled?

You have to show you have engaged in this process as there are no exceptions

You have to record what you do – this is your evidence of engagement

Get specialist advice if you need it

Slide39

Finally…

Think about the immediate next steps for you and your group or organisation

Remember the deadline and make a simple plan

You’ll need time to test out the new processes

Talk to others today

Leave questions for us – we will try and help

Attend more in-depth training

Review the ICO website and tools

Remember to share what you know with others