Introducing… GDPR
A quick guide to understanding the basics
Introducing… ICO and GDPR
ICO - The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
GDPR - The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU)
What the ICO say about this...
'Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently'
What is it?
GDPR - General Data Protection Regulation
This is a new EU law governing data protection, which will supersede the Data Protection Act in 2018
It is taking effect from 25 May 2018
It aims to give people more control over their data and allows them to request to see the personal data held on them
Why do you need to know about this?
Data protection legislation covers everyone about whom you keep personal data
This includes employees, volunteers, service users, members, supporters and donors
GDPR will not introduce widespread changes to existing law, but will increase the monetary penalties for non-compliance
Does Brexit affect this?
The quick answer is… No!
Despite the UK exiting the EU, the British government has said GDPR will still apply and charities must comply
This is why you must be ‘GDPR’ ready
This session can help you get ready
What will we do today?
Explore the basics
Help you relate this to your group or organisation
Give you some practical tips to get started
Share guidance and resources available
Some important definitions
Personal data - data about or relating to a living, identifiable, individual
Data subject – the person the data is about
Data controller – the organisation that ‘determines the purposes’, that decides to gather and use the information
Some important definitions continued…
Data processor – the data processor carries out specific tasks on behalf of the data controller
Data processing – the collection, recording, treatment and storage of data
Data profiling – usually an automated process of evaluating personal aspects such as age or gender
Some important definitions continued…
Information Asset Owner – is responsible for identified data assets
Senior Information Risk Owner – is usually a board member and sets policy
Data Protection Officer – needed for public authorities or large organisations, or where a high level of transparency or large scale monitoring is required
A simple process
Make everyone aware of this
Nominate a dedicated lead for this
List everywhere you store data
Create a simple explanation of why you need to hold the data - what's the purpose?
Contact everyone, explain this, and ask for their consent to hold their data
Update your data when you get their consent
Have this written down in a policy
1. Have you made everyone aware of this?
Board and trustees
Employees
Volunteers
Service users
Members
Supporters
Donors
Anyone else?
2. Who is your lead?
Nominate a lead for this
Invest in specific training for them
This is a difficult role and they will need support
Identify an expert you can work with if you have specific issues or complexity
Name them as your contact person on your website/in your policy
They can also be your lead for comments, compliments and complaints
3. Where do you store data?
Local and cloud based operating systems
Spreadsheets and databases
Paper records of the above
Personal electronic and paper files
Handwritten notes and lists
Anything else/anywhere else?
4. What’s your purpose for holding data?
Purposes must be “specified, explicit and legitimate”
You must set out your purposes clearly and unambiguously
You can’t just say ‘fundraising purposes’, when that could cover a huge variety of data uses
The discipline of clearly identifying your purposes at the outset is one of the most useful things you can do, and you must break down ‘fundraising purposes’ into its constituent parts
5. Gaining consent
Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of this
The most common way to provide this information is in a privacy notice
The best privacy notices are as short as they can be, written in language that is plain to the point of bluntness, and highlighting the most surprising and unexpected things that you are doing
5. Gaining consent
The starting point of a privacy notice should be to tell people:
Who you are
What you are going to do with their information
And who it will be shared with
These are the basics upon which all privacy notices should be built, however, you can also tell people more than this and should do so where you think that not telling people will make your processing of that information unfair
5. Gaining consent
There is a fundamental difference between telling a person how you’re going to use their personal information and getting their consent
You should ask individuals to positively opt-in
You should give them sufficient information to make a choice about opting in
If your consent mechanism consists solely of an “I agree” box with no supporting information then people are unlikely to be fully informed and the consent cannot be considered valid
5. An example…
Here at [organisation name] we take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us. However, from time to time we would like to contact you with details of other [specify products]/[offers]/[services]/[competitions] we provide. If you consent to us contacting you for this purpose please tick to say how you would like us to contact you:
Post ☐ Email ☐ Telephone ☐ Text message ☐ Automated call ☐
We would also like to pass your details onto other [name of company/companies who you will pass information to]/[well defined category of companies], so that they can contact you by post with details of [specify products]/[offers]/[services]/[competitions] that they provide. If you consent to us passing on your details for that purpose please tick to confirm:
I agree ☐
5. Gaining consent
What you can’t do/use:
• ‘Untick this box’
• ‘Tick this box if you do not want to receive marketing’ (especially if the marketing is email or text)
• ‘Text STOP’
The ICO’s recent guidance on GDPR consent confirms this without any hint of ambiguity: “Consent requires a positive opt-in”
• By giving us your details for [unrelated thing], you agree to receive emails
5. Gaining consent
How long does consent last?
The ICO’s consent guidance says “There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate”
The real limit of how long consent lasts is what you tell the person at the start
5. What the ICO says…
You should read the detailed guidance the ICO has published on consent under the GDPR, and use our consent checklist to review your practices
It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR... But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn
6. When you get consent
Begin to update your data when you get consent
Be clear about what parts someone is consenting to as they may not positively opt in to all the options
Remember to include how long the consent lasts and when reminders need to be sent
You have to find a way to manage this
You may need to adapt your systems and processes
7. Developing your policies
You must have your processes written down
Examples of what should be included, and other useful resources, can be found at:
www.ico.org.uk
www.knowhownonprofit.org
www.civilsociety.co.uk
Other things to consider
Data in the public domain
Sensitive personal data
Suppression lists
The Right to Be Forgotten
Privacy dashboards
Subject access requests/data requests
Children and GDPR
Personal data breaches
Fundraising
Data in the public domain
Actually asked questions:
Can I use data from Companies House to identify where a potential donor works and then contact them by post?
Can I use the Sunday Times Rich List to identify potential donors?
Can I search directories like Who’s Who lists and then contact them?
Answer: Yes, but you would need to tell them (in the first contact) how you obtained their data
Sensitive personal data
An additional complication comes if you are using personal data that DPA defines as sensitive, or GDPR defines as ‘special categories’
The sensitive data categories are racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health or condition; sexual life, the commission or alleged commission by the data subject of any offence; or any proceedings for any offence that are currently ongoing
You must seek specific advice on this
Suppression lists
This is a list of all the people who have told you that they do not wish to hear from you
It is reasonable to split your suppression list into different channels, but only if the person has made a nuanced request (i.e. you can mail but not phone)
A person should be on your suppression list if they formally exercise their rights under Section 11 of the Data Protection Act, which allows them to stop marketing
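One way to keep the granular, time-limited consent records that step 6 ("When you get consent") calls for, together with the per-channel suppression list described above, as an added example in Python that is not part of the ICO deck or this presentation; the channel names mirror the tick boxes on the example form, and the donor identifiers, dates and consent periods are constructed.

```python
# Added example, not from the ICO deck: a consent register holding granular, positively
# opted-in consent per channel with the expiry promised at collection, per-channel
# withdrawal and suppression, and the refresh reminders falling due. All data is constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

CHANNELS = ("post", "email", "telephone", "text", "automated_call")  # boxes on the example form

@dataclass
class Consent:
    channel: str
    given_on: date
    valid_for_days: int            # the duration stated in the privacy notice
    withdrawn_on: date | None = None
    def expires_on(self) -> date:
        return self.given_on + timedelta(days=self.valid_for_days)
    def active_on(self, day: date) -> bool:
        withdrawn = self.withdrawn_on is not None and self.withdrawn_on <= day
        return day < self.expires_on() and not withdrawn

@dataclass
class ConsentRegister:
    consents: dict[str, list[Consent]] = field(default_factory=dict)
    suppression: dict[str, set[str]] = field(default_factory=dict)   # person -> channels
    def record_opt_in(self, person: str, ticked: list[str], given_on: date, valid_for_days: int) -> None:
        # Only boxes the person actively ticked are stored: an untouched or pre-ticked
        # form grants nothing ("consent requires a positive opt-in").
        for ch in ticked:
            if ch not in CHANNELS:
                raise ValueError(f"unknown channel: {ch}")
            self.consents.setdefault(person, []).append(Consent(ch, given_on, valid_for_days))
    def withdraw(self, person: str, channel: str, on: date) -> None:
        # Withdrawal is per channel and takes effect from the date it was received
        for c in self.consents.get(person, []):
            if c.channel == channel and c.withdrawn_on is None:
                c.withdrawn_on = on
    def suppress(self, person: str, channels=CHANNELS) -> None:
        # "Do not contact me": every channel unless the person made a nuanced request
        self.suppression.setdefault(person, set()).update(channels)
    def may_contact(self, person: str, channel: str, on: date) -> bool:
        if channel in self.suppression.get(person, set()):
            return False
        return any(c.channel == channel and c.active_on(on) for c in self.consents.get(person, []))
    def reminders_due(self, on: date, lead_days: int = 30) -> list[tuple[str, str, date]]:
        # Active, unsuppressed consents expiring within lead_days that need a refresh request
        return [(p, c.channel, c.expires_on()) for p, cs in self.consents.items() for c in cs
                if c.active_on(on) and c.expires_on() <= on + timedelta(days=lead_days)
                and c.channel not in self.suppression.get(p, set())]
```

Every outbound contact is checked with may_contact, so a suppressed or expired channel is refused even where an old opt-in record still exists.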
The Right to Be Forgotten
If a person wants to be on your suppression list, they will not ask you to delete the data you hold on that list
However, if they insist that all of their data is deleted, this means you will permanently delete every reference to that person
This is their ‘right to be forgotten’
You can never contact them again (and should be unable to as you have no record of their data)
Privacy dashboards
It is good practice to embed links to tools like dashboards within your privacy notice to allow individuals to manage their preferences and to prevent their data being shared where they have a choice
A privacy dashboard can help to achieve this - this offers people one place from which to manage what is happening to their information
This is helpful if you process personal data across a number of applications or services
See https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/?template=pdf&patch=38#link3 for an example
Subject access requests
Individuals have the right to know what data you hold on them, why the data is being processed and whether it will be given to any third party
They have the right to be given this information in a permanent form (hard copy) - this is known as a subject access request
Your organisation needs to be able to identify a subject access request, find all the relevant data and comply within one month of receipt of the request
The ICO gives guidance on this
What the ICO says…
You should update your procedures and plan how you will handle requests to take account of the new rules
In most cases you will not be able to charge for complying with a request
You will have a month to comply, rather than the current 40 days
You can refuse or charge for requests that are manifestly unfounded or excessive
If you refuse a request, you must tell the individual why and that they have the right to complain
Children and GDPR
GDPR brings in special protection for children’s personal data
GDPR says children under 16 cannot give consent (although this may be reduced to 13 in the UK) so you may have to seek consent from a parent or guardian
You will need to be able to verify that the person giving consent on behalf of a child is allowed to do so
Any privacy statements will need to be written in language that children can understand
What the ICO says…
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity
For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking
Remember that consent has to be verifiable
When collecting children’s data your privacy notice must be written in language that children will understand
Data breaches
A data breach is a breach of security leading to ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’
You will need to have the right procedures in place to detect, investigate and report a personal data breach
GDPR introduces a duty to report certain types of data breaches to the ICO and in some cases to the individuals concerned
You need to be able to demonstrate that you have appropriate technical and organisational measures in place to protect against a data breach
Read guidance from ICO on data breaches
What the ICO says…
The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals
You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases
Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself
Fundraising
The use of personal data is central to most fundraising activities and there has been a great deal of public and media scrutiny of fundraising techniques
If you use personal data to fundraise then you need to follow the latest guidance on fundraising and data protection
The Fundraising Regulator provides guidance which complements guidance from the ICO on direct marketing
Summary
If you already capture data, this is about reviewing and enhancing your processes
See this as an opportunity to improve your processes
Relate this to you – how would you want your data to be handled?
You have to show you have engaged in this process as there are no exceptions
You have to record what you do – this is your evidence of engagement
Get specialist advice if you need it
Finally…
Think about the immediate next steps for you and your group or organisation
Remember the deadline and make a simple plan
You’ll need time to test out the new processes
Talk to others today
Leave questions for us – we will try and help
Attend more in-depth training
Review the ICO website and tools
Remember to share what you know with others