The General Data Protection Regulation (GDPR) represents a long overdue update to legislation which pre-dated Facebook, Google and the iPhone. GDPR, together with the UK’s Data Protection Act 2018 and the Privacy (Electronic Communications) Regulations 2003 (PECR), refreshes and updates the rulebook for organisations to follow when handling individuals’ personal information such as names, addresses and other information relating to them (known as personal data). But, as it stands, there are still many organisations that have yet to comply with the new rules.
The key message, however, is that it is never too late. Burying heads in the sand will only compound what might currently be a technical breach of the new rules. By following a three-stage process of first undertaking a data mapping exercise, then a lawful basis analysis, and finally putting in place policies and documentation in light of these exercises, trustees can ensure compliance with the legislation and minimise risks to the organisation.
This three-stage process is explored step by step below.
Data mapping is an exercise to identify the personal data held by an organisation, and the types of processing carried out in relation to that personal data. Processing for these purposes includes collecting, using, storing, sharing and deleting personal data. In undertaking the exercise, trustees will ask questions concerning the personal data coming in and going out of an organisation (including where it has come from and where it is going to), as well as what happens to the personal data within the organisation in the interim. The exercise should involve a cross-section of people from across the organisation, which will help to ensure that the data mapping exercise is comprehensive and covers all areas of the organisation.
Following a data mapping exercise, trustees will be in the best position to complete their lawful basis analysis (see below), to understand how they can lawfully process the personal data identified through the mapping exercise, and start to draft the necessary documents. There are data mapping questionnaires available, which can help trustees to complete the data mapping exercise.
Lawful basis analysis
Once the trustees have mapped the personal data they process, they must then ensure that they have a lawful basis for each processing activity.
Each data processing activity must fall within one of the following prescribed legal bases for processing personal data under GDPR, each of which has its own conditions which must be satisfied:
- the data subject has given consent to the processing for one or more specific purposes
- processing is necessary for entering into or performing a contract with the data subject
- processing is necessary to comply with the organisation’s legal obligations
- processing is necessary to protect the vital interest of the data subject
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the organisation or a third party to whom the data is disclosed, or
- processing is necessary for the purposes of legitimate interests pursued by the organisation or a third party, except where such interests are overridden by the rights and freedoms of the data subject.
There is no silver bullet which will act as a basis for every processing activity. Consent, for example, can seem the easy option for many, however the right of the data subject to withdraw consent at any time and the high standard of consent required by GDPR means that this basis will be inappropriate for many processing activities.
Some processing activities, for example direct marketing activities (ie unsolicited communications) additionally require compliance with PECR, while some special categories of personal data (such as information relating to health, race, ethnic origin, political opinions and religion) are afforded further protection by GDPR such that they can only be processed on the basis of explicit consent or on other limited grounds.
In undertaking the lawful basis analysis, trustees will need to analyse the categories of personal data and processing activities revealed by the responses to the data mapping exercise and decide, in each case, the lawful basis for the processing of personal data. The lawful basis (or bases) for each processing activity should be recorded. The basis upon which any additional requirements (such as those under PECR or for special category data) have been satisfied should also be noted in the analysis.
The final stage of achieving compliance is to implement the findings of the data mapping exercise and lawful basis analysis. The previous steps will help determine whether the organisation will need to register with the Information Commissioner’s Office (ICO), whether a data protection officer is required and/or whether a written record of processing needs to be prepared (further guidance as to which can be found on the ICO’s website), taking further advice as appropriate. Additionally, where data is being shared with third parties, data processing and/or sharing agreements may need to be put in place (depending on the nature of the relationship with the third party and the data shared). In all cases however, there will be certain key steps each organisation will need to take:
Each organisation will need to have in place relevant privacy notices. At the point when personal data is obtained, the individual must be provided with certain information in respect of the processing of their data. This is commonly done in the form of a privacy notice. Updated privacy notices (containing all of the required information) should also be sent to all individuals for whom the organisation holds personal data as soon as they are available.
Privacy notices must include various pieces of information, including:
- the identity and contact details of the organisation and their data protection officer (if applicable)
- the purposes for which (and the lawful basis upon which) the personal data is to be processed (and, if indirectly obtained, how the data was obtained)
- where the processing is based on legitimate interests, the legitimate interest being pursued
- the third party recipients of the personal data (including details of any international data transfers)
- the period for which personal data will be stored (often by reference to a retention and destruction policy)
- a statement notifying the data subject of the existence of their rights in respect of their data;
- the right to lodge a complaint with the ICO, and
- details of whether individuals are under a statutory or contractual obligation to provide the personal data.
Where personal data is subject to automated decision-making (such as profiling), the privacy notice must also give details of how such decision-making is undertaken. Further, where data is obtained from a third party, additional information will need to be given as to how the personal data was obtained.
The reasoning behind the privacy notice is to ensure that the data subject is aware of what is happening to their personal data and their rights in respect of that data. As such, each privacy notice will be unique and should be proportionate to and suitable for its target audience. It may be appropriate to have separate privacy notices for different types of data subject (such as employees and service users) depending on the nature of the personal data the organisation handles and this should be considered by the trustees when preparing the privacy notices.
Data protection policy
An internal data protection policy, setting out how the organisation should handle personal data, the security measures in place and how to report a breach, can assist in guiding employees and volunteers and therefore improve internal compliance with data protection. The policy should act as a reference and be accompanied by training to ensure all those within the organisation help to protect personal data processed by the organisation.
Personal data breaches
Irrespective of the level of compliance within an organisation, breaches of data protection law will happen, a fact recognised by GDPR itself. The emphasis under GDPR is on minimising the risk of a breach and the effective handling of a breach as and when it occurs.
GDPR requires organisations to notify a personal data security breach to the ICO without undue delay (and, where feasible, not later than 72 hours after becoming aware of it) unless that breach is unlikely to result in a risk to the rights and freedoms of natural persons. Further, where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the organisation is also required to communicate the personal data breach to the data subject without undue delay.
The trustees will need to agree a process and timetable for assessing and reporting (where necessary) personal data breaches and record these in their data protection policy. They should also ensure that appropriate reporting channels are in place within the organisation to ensure personal data breaches are identified and reported. All of this should be communicated to the organisation’s personnel through training.
Regardless of how many documents and procedures are put in place, there can be no compliance without genuine and continuing trustee engagement. Trustees might wish to attend training on the effects of GDPR and how they can be aware of data protection issues in their organisation.
Data protection compliance should feature on the agenda of trustee meetings going forward and, regardless of whether a data protection officer is required, a senior, board-level representative for data protection matters should be appointed to ensure the organisation’s compliance.
Much has been made of GDPR and many organisations have been fearful of the potential consequences of breaching the current regulations. However, with personal data becoming ever more central to the way we live and work, a level-headed, proportionate approach to data protection reassures both the data subject and the organisation using the information.
Peter Parker is a partner at Wrigleys Solicitors
Charity Finance wishes to thank Wrigleys Solicitors for its support with this article