What Will The Effect of GDPR Be On My Third Sector Organisation or Micro-Business?
GDPR was officially enacted on May 25th, 2018, in Europe, and it will likely have a significant impact on organisations of all sizes, all around the globe. In the UK, the Information Commissioner's Office (ICO) is the country's Supervisory Authority.
Introduced to keep pace with the modern digital landscape, the GDPR is more extensive in scope and application than the previous Data Protection Act (DPA) 1998. The Regulation extends the data rights of individuals, requires organisations to develop clear policies and procedures to protect personal data, and requires them to adopt appropriate technical and organisational measures.
The Key Changes Introduced by the Regulation
Article 35 of the GDPR states that data protection officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”.
Firms whose core business activities are not data processing are exempt from this obligation.
The GDPR does not specify the credentials necessary for data protection officers, but it does require that they have “expert knowledge of data protection law and practices”.
Data controllers will be required to report data breaches to their data protection authority unless the breach is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notification must be made within 72 hours of the data controller becoming aware of the breach, unless there are exceptional circumstances, which will have to be justified.
Where the risk to individuals is high, the data subjects themselves must also be notified, although the Regulation does not specify a timescale for this.
Regular supply chain reviews and audits will be required to ensure that suppliers and processors are fit for purpose under the new security regime.
The GDPR contains requirements that systems and processes must consider compliance with the principles of data protection. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept.
There is also a requirement that controllers should only collect data necessary to fulfil specific purposes, discarding it when it is no longer required, to protect data subject rights.
Penalties for Non-Compliance with the GDPR
On 5 April 2017 the Information Commissioner’s Office (ICO) fined 11 major charities for data protection breaches, including Cancer Research UK, Macmillan Cancer Support and NSPCC. These fines totalled £138,000, but under the GDPR, which became enforceable on 25 May 2018, fines for the same conduct could be significantly higher.
The ICO said that some of the charities had been fined because they had:
Screened millions of donors so they could target them for additional funds, while others had traced and targeted new or lapsed donors by piecing together personal information obtained from other sources. And some traded personal details with other charities creating a large pool of donor data for sale.
The Regulation mandates considerably tougher penalties than the DPA: organisations found in breach of the Regulation can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater. Fines of this scale could very easily lead to business insolvency.
However, the ICO has consistently stated that fines are its last resort and that it prefers to take a proportionate approach where possible. This should not be taken as a cue to treat the GDPR with ignorance or apathy, though: such an attitude is likely to be viewed poorly by the ICO and will increase your chances of a monetary penalty.
Data breaches are commonplace and increase in scale and severity every day. As Verizon’s 2016 Data Breach Investigations Report reaffirms, “no locale, industry or organisation is bulletproof when it comes to the compromise of data”, so it is vital that all organisations are aware of their new obligations so that they can prepare accordingly.
IS Know How’s Partnership with IT Governance can help Charities, Social Enterprises and Micro-Businesses Comply with the EU GDPR.
Certified EU General Data Protection Regulation Foundation (GDPR) Training Course
Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course
Certified EU General Data Protection Regulation (GDPR) Foundation and Practitioner Combination Course
Data Protection Impact Assessment (DPIA) Workshop
EU GDPR Compliance Gap Assessment Tool
EU General Data Protection Regulation (GDPR) Documentation Toolkit
EU General Data Protection Regulation (GDPR) Data Flow Mapping Tool
Gain full visibility over the flow of personal data through your organisation to meet the terms of the EU General Data Protection Regulation (GDPR).
The Data Flow Mapping Tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred. The Data Flow Mapping Tool is a cloud-based application, licensed for up to five users, and can be accessed via any compatible browser.
Information & Guidance:
EU GDPR – A Pocket Guide
EU General Data Protection Regulation (GDPR) - An Implementation and Compliance Guide (Second Edition)
GDPR Data Flow Audit
This is the essential step to prepare for compliance with the EU General Data Protection Regulation (GDPR).
Receive a thorough audit of the personally identifiable information (PII) in your organisation, together with a data flow map that will help you to identify where your data resides. This will enable you to implement measures to reduce your risk of an information security breach.
Meet GDPR requirements by taking this essential first step in the implementation process.
GDPR Gap Analysis
We've taken the time to extract various aspects of the Information Commissioner's Office EU GDPR Guidance. Do make use of it to increase your knowledge of this critical matter and of the direction you are likely required to take.
You may also be interested in the statistics that IS Know How has extrapolated from the ICO's quarterly Data Security Incident Trends, specifically for the 'Charitable & Voluntary' sector, which the ICO publishes for "Data security incidents (breaches of the seventh data protection principle and personal data breaches reported under the Privacy and Electronic Communications Regulations)".