General Data Protection Regulation (GDPR)
What is the GDPR?
You may have heard of the GDPR, and may have questions about what this means for your organisation.
GDPR stands for General Data Protection Regulation. The GDPR is EU legislation that will provide a single data protection law for all EU countries. GDPR will come into effect for the UK on 25th May 2018. GDPR will replace the Data Protection Act, and may represent a significant change for organisations that hold and process personal data.
GDPR is intended to update data protection laws so that they respond to the threats of the internet age, with the aim of preventing the loss of personally identifiable information through security breaches and cyber-attacks. Charities will have to comply with GDPR just as businesses will. If your organisation holds personal data, such as contact information, bank account or credit card information, or information about ethnicity or religious belief, then the new regulations will apply to you.
Non-compliance with GDPR may result in serious consequences: organisations may be fined up to 4% of their turnover or up to £17 million, depending on the severity of the breach. Organisations will be obliged to inform the Information Commissioner’s Office (ICO), within 72 hours of becoming aware of it, of any breach that is likely to result in a risk to the rights and freedoms of individuals.
GDPR applies across the board, but one area of specific concern to many charities is direct marketing, which includes fundraising. There are different legal conditions for communicating by different channels.
For instance, you need consent to be able to send direct marketing by email or SMS, or to make phone calls to individuals on the Telephone Preference Service (TPS). For post or live calls to phone numbers not on the TPS, you may send direct marketing if your organisation has a legitimate interest in contacting them, and they have not opted out of receiving this kind of communication from you.
Legitimate interest enables you, in certain circumstances, to send direct marketing to an individual without having their prior consent. You must consider what the individual would reasonably have expected their personal information to be used for at the time they provided it. If they would not reasonably have expected the information to be used for direct marketing, you cannot rely on the legitimate interest condition.
The individual’s right to not be contacted is paramount – if they have indicated that they do not wish to receive a specific kind of communication from you, or any communication at all, you must respect this and not contact them in this way.
GDPR does not require that all direct marketing is ‘opt in’, but this will be the case for email or SMS communications. Consent could be collected through a tick box approach, where people show their consent by ticking a box or choosing between a yes/no option. Consent does not have to be in writing; it can be given verbally. Individuals must take a positive action in order to give consent: silence or pre-ticked boxes do not count as valid consent. Where ‘opt in’ consent is not necessary (e.g. where there is a legitimate interest and you are contacting an individual by post or phone and they are not on the TPS), you must give the individual the opportunity to opt out of receiving future direct marketing, e.g. through an ‘opt out’ tick box.
Where communication is for genuine administrative purposes, unconnected with direct marketing, the rules for direct marketing do not apply.
Data Protection Officer
Any organisation may appoint a Data Protection Officer (DPO), but the majority of small and medium-sized charities will not be obliged to appoint one. You must appoint a DPO if you:
- Are a public authority (except for courts acting in their judicial capacity);
- Carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
A Data Protection Officer can be a current staff member or a contractor, but the role must be designated on the basis of professional qualities and expert knowledge of data protection laws. The responsibilities of the Data Protection Officer are to:
- Inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to this Regulation.
- Monitor compliance with this Regulation, including the assignment of responsibilities, awareness-raising, and training of staff involved in the processing operations, and the related audits.
- Provide advice where requested with regard to the data protection impact assessment and monitor its performance pursuant to Article 35.
- Cooperate with the supervisory authority (the ICO).
- Act as the contact point for the supervisory authority on issues related to the processing of personal data.
Further guidance
- Information Commissioner – Self-Assessment Toolkit
- NCVO – 12 point plan
- Institute of Fundraising – GDPR: The Essentials
VAS will be holding a GDPR workshop later this year – we will keep you posted via VAS id.