What Will The Effect of GDPR Be On My Third Sector Organisation?


Introduced to keep pace with the modern digital landscape, the GDPR is more extensive in scope and application than the current Data Protection Act (DPA). The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.

The Key Changes Introduced by the Regulation

Non-EU organisations that do business in the EU with EU data subjects' personal data should prepare to comply with the Regulation. Those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.

Personal data encompasses any factor that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

Parental consent will be required for the processing of personal data of children under age 16. EU Member States may lower the age requiring parental consent to 13.

The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.

Article 35 of the GDPR states that data protection officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”. 

Firms whose core business activities are not data processing are exempt from this obligation.

The GDPR does not specify credentials necessary for data protection officers, but does require that they have “expert knowledge of data protection law and practices.”

A risk-based approach must be adopted before undertaking higher-risk data processing activities. Where the risk of a privacy breach is high, data controllers will be required to conduct privacy impact assessments to analyse and minimise the risks to their data subjects.

Data controllers will be required to report data breaches to their data protection authority unless the breach is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of the data controller becoming aware of the breach, unless there are exceptional circumstances, which will have to be justified.

Where the risk to individuals is high, then the data subjects must be notified, although a specific timescale is not specified by the Regulation.

Regular supply chain reviews and audits will be required to ensure that suppliers and the contracts governing them are fit for purpose under the new security regime.

Data subjects have the “right to be forgotten”. The Regulation provides clear guidelines about the circumstances under which the right can be exercised.

Since the Regulation is also applicable to processors, organisations should be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers may need to appoint representatives in the EU.

Data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches. Contractual arrangements will need to be updated, and stipulating responsibilities and liabilities between the controller and processor will be an imperative requirement in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may impact service costs.

Data portability will allow a user to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.

The GDPR requires that systems and processes are designed with compliance with the principles of data protection in mind. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept.

There is also a requirement that controllers should only collect data necessary to fulfil specific purposes, discarding it when it is no longer required, to protect data subject rights.

A new one-stop shop for businesses means that firms will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU. This will also have a positive impact on Internet service providers with offices in several EU countries.

UK organisations handling personal data will still need to comply with the GDPR, regardless of Brexit. The GDPR will come into force before the UK leaves the European Union, and the government has confirmed that the Regulation will apply, a position that has been confirmed by the Information Commissioner.

Penalties for Non-Compliance with the GDPR

On 5 April 2017 the Information Commissioner’s Office (ICO) fined 11 major charities for data protection breaches, including Cancer Research UK, Macmillan Cancer Support and NSPCC. These fines totalled £138,000, but under the GDPR, which comes into force on 25 May 2018, fines for the same conduct could be significantly higher.

The ICO said that some of the charities had been fined because they had “screened millions of donors so they could target them for additional funds”, while others had “traced and targeted new or lapsed donors by piecing together personal information obtained from other sources. And some traded personal details with other charities creating a large pool of donor data for sale.”

The Regulation mandates considerably tougher penalties than the DPA: organisations found in breach of the Regulation can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater. Fines of this scale could very easily lead to business insolvency.

Data breaches are commonplace and increase in scale and severity every day. As Verizon’s 2016 Data Breach Investigations Report reaffirms, “no locale, industry or organisation is bulletproof when it comes to the compromise of data”, so it is vital that all organisations are aware of their new obligations so that they can prepare accordingly.


IS Know How’s Partnership with IT Governance can help Charities and Social Enterprises Comply with the EU GDPR

Together our wide-ranging data protection expertise can help organisations prepare for the GDPR. We offer a comprehensive suite of information resources, solutions and consultancy services including:

Training Courses:


Certified EU General Data Protection Regulation Foundation (GDPR) Training Course

Avoid heavy fines and loss of reputation resulting from data breaches. Learn from the experts how the EU General Data Protection Regulation (EU GDPR) will affect your organisation. Understand the implementation path to ensure EU GDPR compliance.

Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course

Learn from the experts how to meet the requirements of the EU General Data Protection Regulation (GDPR). Gain practical understanding of the tools and methods for implementing and managing an effective compliance framework, and how to fulfil the role of data protection officer (DPO).


Certified EU General Data Protection Regulation (GDPR) Foundation and Practitioner Combination Course

Learn from the experts how to meet the requirements of the EU General Data Protection Regulation (GDPR). Gain practical understanding of the tools and methods for implementing and managing an effective compliance framework, and how to fulfil the role of data protection officer (DPO).

Data Protection Impact Assessment (DPIA) Workshop

This one-day workshop is designed to provide delegates with the practical knowledge needed to perform a data protection impact assessment (DPIA) that will minimise privacy risks and comply with the UK Data Protection Act (DPA) and the EU General Data Protection Regulation (GDPR).


GDPR Staff Awareness E-learning Course

This simple-to-use interactive modular e-learning programme for employees introduces the new GDPR and the key compliance obligations for organisations.

Compliance Tools:

EU GDPR Compliance Gap Assessment Tool

This EU GDPR Compliance Gap Assessment Tool has been created to help organisations kick-start their GDPR compliance project by assessing their current stance against the GDPR, helping them clearly establish areas for development, and plan and prioritise their project effectively.


EU General Data Protection Regulation (GDPR) Documentation Toolkit

Accelerate your GDPR compliance implementation project. The GDPR Documentation Toolkit delivers all the critical documents any organisation needs to ensure compliance with the new Regulation, including project documents covering data protection policy, DPO requirements, privacy impact assessments, incident response and breach reporting.

EU General Data Protection Regulation (GDPR) Data Flow Mapping Tool

Gain full visibility over the flow of personal data through your organisation to meet the terms of the EU General Data Protection Regulation (GDPR).

The Data Flow Mapping Tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred. The Data Flow Mapping Tool is a cloud-based application, licensed for up to five users, and can be accessed via any compatible browser.


Information & Guidance:

EU GDPR – A Pocket Guide

Gain a clear understanding of the GDPR with this essential pocket guide, which explains the terms and definitions used within the Regulation in simple terms, the key requirements, and how to comply with the Regulation.


EU General Data Protection Regulation (GDPR) - An Implementation and Compliance Guide (Second Edition)

This must-have guide details what you need to do to comply with the GDPR. It explains the GDPR in terms you can understand, sets out the obligations of data controllers and processors, and covers international data transfers, data subjects' rights and consent, and much more.

Consultancy Services:

GDPR Data Flow Audit

This is the essential step to prepare for compliance with the EU General Data Protection Regulation (GDPR).

Receive a thorough audit of the personally identifiable information (PII) in your organisation and receive a data flow map that will help you to identify where your data resides. This will enable you to implement measures to reduce your risk of an information security breach.

Meet GDPR requirements by taking this essential first step in the implementation process.

GDPR Gap Analysis

The GDPR gap analysis service provides an assessment of your organisation’s current level of compliance with the Regulation, and helps identify and prioritise the key work areas that your organisation must address ahead of May 2018.

Need Further GDPR Info?

We have taken the time to extract various aspects of the incoming EU GDPR. Do make use of this information to increase your knowledge of the Regulation and of the direction your organisation is likely required to head in.