Implementing the General Data Protection Regulation (GDPR) has been an interesting transition for charities. In some ways, very little needed to change; in others the changes have been substantial. For many charities, understanding the changes and the risks has been difficult, and bedding in new processes requires a cultural shift that is still taking place more than a year after the GDPR became law.
Changes great and small
Charities that were fully compliant with the Data Protection Act 1998 had very little to do in relation to their outward-facing compliance to get ready for the GDPR. Overall, the requirements did not change; each charity still needed to:
- Understand the data processing that it undertook
- Provide information to those whose data was processed
- Respond to access requests
- Pay an annual fee to the Information Commissioner’s Office (ICO), and
- Manage any data breach.
However, some big changes still needed to be considered, including those on:
- Managing data relating to children
- Changing how data relating to criminal information was managed
- The reporting regime in relation to data breaches
- The management of different conditions permitting the processing of personal data, and
- Managing the changes in exemptions to certain areas of compliance, especially in relation to the management of health records, social services and the prevention of crime and apprehension of offenders.
A free pass
Charities that struggled with compliance under the 1998 Act suddenly had a free pass in relation to compliance. They could, in effect, start again and ensure that they were compliant with the requirements of the GDPR. It was a lot of work, but outward compliance was achieved by many more organisations – helped by the publicity and the new guidance issued by the ICO and professional organisations.
While the framework for personal data processing compliance is set out in the GDPR, much of the detail on how processing is undertaken in the UK is set out in the Data Protection Act 2018. This has caused a great deal of confusion for organisations as not only do they need to comply with the GDPR but also they have to meet additional requirements under the 2018 Act. Understanding the interaction between the two can be complicated. Specifically, the 2018 Act sets out exemptions where compliance with the GDPR depends on the circumstances. Examples that apply to charities include child protection and safeguarding, the prevention of crime and some areas of social work.
Consent and legitimate interests
Probably the biggest area of concern related to the conditions under which processing of personal data is permitted, specifically consent. Many charities relied on informed consent to allow for the processing of sensitive personal data. However, this changed under the GDPR; consent could not be relied upon if, without it, the data could not legally be processed.
At the same time, the extension to the legitimate interests condition under the GDPR removed restraints on many charities to process special categories of data – this was a positive change. In order to use legitimate interests as a basis for processing, a legitimate interests assessment must be undertaken in relation to each use. While the ICO has provided template assessment questions and set out the test in an easy-to-use manner, the process is time-consuming and not always completed by charities. In summary, the assessment requires three tests to be satisfied:
- The purposes test
- The necessity test, and
- The balancing test.
Where the assessment clearly shows a legitimate interest, the condition can be used; however, if it is borderline or where the use of the data could result in a significant impact on the data subject, it is possible that a full data protection impact assessment will also need to be undertaken before processing is started. Each legitimate interests assessment must be kept under regular review.
Another area where there is change is the requirement to notify the ICO in relation to many types of data breach. While in the past a breach could be managed internally, now with a requirement to report certain breaches the ICO is more likely to be involved. Notifying the ICO means that your organisation’s policies and procedures will be subject to external review, which could give rise to potential liability.
One year on
The introduction of the GDPR was not a one-time event; while most activity was focused on May 2018, the compliance requirements are ongoing. Organisations are required to ensure not only that their day-to-day activities comply with the GDPR, but also that all new activities are assessed and that the work that was undertaken when the GDPR was introduced is kept under review.
With the introduction of the GDPR, each organisation should have undertaken a number of actions, including:
- Identifying all personal data under its control
- Creating or amending its data protection policy
- Undertaking all necessary data protection impact assessments
- Putting in place systems to ensure that article 13 and 14 statements have been provided to all existing and future data subjects
- Putting in place revised data processing arrangements with third parties
- Ensuring that security was appropriate in respect of personal data held, and
- Ensuring that a lawful condition applied to each type of data processing, and undertaking legitimate interests assessments where necessary.
Now that the GDPR is bedding in, the actions that need to be considered have changed. These are:
- Undertaking a review of your data protection policy
- Making sure that the actions set out in the data protection policy are being undertaken, eg:
  - Statements are being sent to all new data subjects
  - Security protocols are being followed
  - Legitimate interests assessments have been undertaken in respect of any new application of legitimate interests
  - Impact assessments have been considered in respect of new processing or the application of a new condition, and
- Reviewing legitimate interests assessments to ensure that they remain correct and relevant.
Data protection compliance is continual and a system of ongoing monitoring is required to ensure that the process is actively managed and that actions continue on a daily, weekly, monthly and annual basis. It is easy for a breach of the GDPR or the 2018 Act to occur. A breach of the GDPR or the 2018 Act that does not amount to a data breach but which is nevertheless reported to the ICO can result in the ICO serving an assessment notice or an enforcement notice requiring action by the organisation. A failure to comply can result in a penalty notice, including a fine up to the equivalent of €10m.
Probably the biggest ongoing risk under the GDPR regime is a data breach. A data breach occurs when personal data of which the organisation is in control is released to one or more third parties. When this happens, it is important to undertake an immediate assessment to establish if:
- The breach involves the personal data of living individuals, and
- It is likely that the breach will result in a risk to individuals.
If the answer to both questions is yes, a report must be provided to the ICO within 72 hours of the breach becoming known to the organisation. Where the answer is no, the organisation may still report but is not obliged to do so. Once a report is made, the ICO will investigate and will usually publish its findings. The report can be accompanied by a penalty notice including a fine of up to the equivalent of €20m or 4 per cent of the organisation’s worldwide turnover. The liabilities will also include the professional costs of dealing with the breach, the costs of notifying the affected individuals and possible lost donations or trading income.
The best way to avoid liability under the GDPR and the 2018 Act is to have in place policies to ensure that breaches do not occur. However, they can still happen. In these circumstances, liability can be managed where compliance is being actively managed. Mitigating factors that reduce liability include having a clear data protection policy that covers the relevant area, contracts to manage third-party data processing, and up-to-date legitimate interests assessments and data protection impact assessments.
Insurance is also a possibility and some cyber insurance policies cover a data loss by hacking or a technical failure. It is also possible to insure for a specific data breach, but these policies are expensive and may not cover all circumstances. However, it is difficult to get cover for administrative breaches and it is also unlikely that you will be able to insure against a potential fine.
Consider data protection compliance as a living and breathing organism. It needs to be fed, watered, walked and managed. Without adequate controls in place, a breach of administrative requirements or data loss could result in potentially crippling liability.
Benjamin James is a partner and head of charities at McCarthy Denning, and chair of trustees at Adoption Focus and at Dartmoor Zoo