The biggest change in data protection law for 20 years is now firmly in place. We now live in the GDPR world in which personal information has gained added value, given the level of fines which organisations face should they fail to adequately protect the information they hold.
However, many myths surrounding the GDPR persist, whether through misinformation, lack of awareness or snake oil solutions being offered by some advisers. In advising charities and social enterprises, we come across many of these myths. In this article, we look to debunk some of the most common misunderstandings we see when advising charities and social enterprises on their responsibilities when it comes to data protection.
Myth 1: we don’t need to worry about the GDPR, that’s only for Facebook and Google
Much of the hype before the GDPR came into force was concerned with how the tech giants would change the way they handled our personal information. However, data protection is relevant to every organisation and compliance is not an optional extra for charities and social enterprises.
It is important that charities look closely at their current data protection compliance documents and update them in light of the GDPR. This is done through a process of mapping what the organisation is doing with personal data, analysing those activities to establish a lawful basis for each activity under data protection law, then adopting appropriate documents to reflect the mapping and analysis.
There is no set list of documents that organisations need to adopt and much will depend on the nature and size of the organisation. However, almost all organisations will require:
- A privacy notice (or possibly multiple notices, for example one to employees and another to beneficiaries), explaining to those whose data the organisation processes how they do so;
- A data protection policy, outlining internal procedures for handling personal information such as what to do when a data subject exercises their rights or when a security breach is identified;
- A data breach register, which will act as a record to show where a breach has been identified, actions taken, whether it has been reported to the Information Commissioner’s Office (ICO) and/or the data subject and the reasoning for these decisions; and
- A retention and destruction policy, outlining the periods for which personal information will be retained (or the criteria under which the periods will be determined).
While further documents may be required if the organisation is large or undertakes significant processing of personal information, the above is a good starting point to ensure that organisations comply with their data protection obligations.
Myth 2: our policies are all sorted, we got them for free online
Now, first things first, this isn’t a lawyer’s plug for ensuring completely bespoke documents are adopted. Many organisations can and do adopt GDPR-compliant privacy notices, data protection policies and other data protection documentation from sector-specific or general precedents. The ICO has even issued a template privacy notice for small organisations.
However, no precedent will ever be good enough on its own. Proper GDPR compliance requires organisations to examine how they operate. Senior teams from across the organisation should be looking at what they do with personal information, how their own procedures operate and how this should be reflected in their policies and procedures. A template or precedent is never going to be sufficient unless it has been adapted to reflect the individual organisation’s processes and requirements. Anecdotally, we have found that the more detailed an organisation’s data mapping, the better their data protection compliance documents have been.
Myth 3: consent is top dog, we’ll rely on this for all our data processing so no one can complain
We have found that this misconception is stubbornly persistent. Many think that consent is a panacea for compliance with the GDPR. However, the standard of consent required and the conditions attaching to consent under the GDPR mean that it is far from preferable to rely upon this lawful basis for processing personal information.
Consent must be freely given, informed, specific and unambiguous and it can be withdrawn at any time. As a result, some of the key issues with relying on consent as the norm are:
- Employees are extremely unlikely to be able to give free consent given the imbalance in the relationship with their employer. The Greek office of accountancy firm PwC was recently fined €150,000 after it had sought to rely on consent to process its employees’ personal information;
- An opt-out, a long list of activities with a single opt-in or a general catch-all consent will not be sufficient to satisfy the requirements of consent. Where a lot of personal information is being processed, it is likely to be impractical to obtain consent for each individual processing activity;
- Consent needs to be regularly obtained and, where long-term processing is being undertaken, will need to be refreshed. This causes administrative headaches, particularly where a fresh consent is requested but not received; and
- If consent is withdrawn, all processing of personal information on the basis of that consent must stop. There is no opportunity to object to the withdrawal or apply a further justification for processing that personal information as a second bite of the cherry. This can cause particular issues where there is a breakdown in an organisation’s relationship with a data subject and a matter becomes contentious.
Other lawful bases under the GDPR are therefore likely to be preferable for the vast majority of processing of personal information by organisations in their day-to-day activities. However, it should be noted that there are some circumstances where consent is the only option available (eg certain types of marketing activity).
Myth 4: we’re a charity so we don’t need to register with the ICO
While charities do benefit from exemptions to the ICO’s registration requirement, this only applies to charities that only process information relating to their members. It does not extend to charities that work with other beneficiaries, and therefore most charities are likely to need to register with the ICO (and pay the annual registration fee). The ICO has produced a useful self-assessment tool to help organisations determine whether they need to register, which can be found at: ico.org.uk/for-organisations/data-protection-self-assessment/.
Myth 5: we’re free to send our newsletter out to our donors by email to save paper, they’ll want to hear from us and it’s not as if we’re trying to sell them something
Unsolicited email communications are subject to additional regulation under data privacy law. In addition to having to justify using personal information to send the communication under the GDPR (a first hurdle), where electronic communications (email, text etc) are unsolicited they are also subject to an additional regime known as the PECR (the Privacy and Electronic Communications Regulations) (a second hurdle).
The PECR has a wide definition of what is classed as an unsolicited email and includes the sending of newsletters, donation requests and advertisements for products. Before sending such communications to individuals, organisations are generally required to obtain the individual’s consent to do so unless they have previously bought goods or services from the organisation (and, importantly, this does not include those who may have donated to the charity previously). In most circumstances, charities will therefore require consent to send an unsolicited email to individual donors under the PECR.
Myth 6: it’s all gone wrong, we’ve not complied with our obligations, we may as well close the charity down now because we’re going to face a big fine
The headline-grabbing story from the introduction of the GDPR was the vastly increased fines that could be levied under the new regime. Recently, British Airways became the first organisation to receive a fine under the GDPR for a security breach, for which it was fined over £183m.
However, much of the ICO’s work uses its other powers to take regulatory action without imposing significant fines. With appropriate procedures to identify data breaches, proper policies in place to inform staff and other data subjects of how their personal data is used, and proportionate security measures in place, an organisation can show the ICO that it has taken steps to reduce the risk of such a breach occurring. This, together with evidence of an effective response, can be used as mitigation to minimise any fine or action taken by the ICO should a breach occur.
Myth 7: we’ve done the GDPR and have all of our policies in place, there’s nothing further for us to do
The GDPR is an ongoing obligation. As the organisation develops (whether through the introduction of new IT systems, learning points from a data protection issue that has arisen or an expansion into a new area) and as understanding of best practice in data protection compliance advances, an organisation will need to ensure that its policies keep pace with such changes.
A regular review of an organisation’s policies should take place (we would suggest at least every two to three years), while those with responsibility for handling data protection issues which arise day-to-day (whether appointed as a data protection officer or otherwise) should look to refine and improve policies based on their experience within the organisation and attend training courses.
One particular example of ongoing compliance is the requirement to undertake data privacy impact assessments in relation to large or new data processing activities, such as the use of a third-party marketing platform.
Peter Parker is a partner and Nick Dunn a solicitor at Wrigleys Solicitors
Charity Finance wishes to thank Wrigleys Solicitors for its support with this article