The Data Protection Act is dead…
…well, perhaps not quite but it’s dying due to the arrival of General Data Protection Regulation (or GDPR for short). The GDPR is an EU regulation meaning that no-ifs, no-buts all organisations need to be compliant by its inception on 25th May 2018. Brexit is no help either – not only does the GDPR come into force before we will have exited the EU but both due to the Government’s Great Repeal Bill and because we will need to comply with its rules in order to transact with Europe, the GDPR is here to stay.
And… just in case you feel it is of minor significance be aware that the maximum fine is set at the higher of €20million or 4% of turnover.
The GDPR is therefore relevant to all of us handling personal data but, given the emergence of the UK’s Fundraising Regulator, it is going to be something that charities need to consider now and address shortcomings in their processes. Amongst other areas, it will affect how CRM systems store data, how it can be accessed and the security around servers holding data.
In this piece we are picking out three key areas; what they have in common is passing control of an individual’s data to that individual.
From the inception of the GDPR all consent must have an audit trail showing date, channel and the piece of communication that led to the consent. Where such an audit does not exist then the data cannot be used unless it is re-permissioned.
Charities therefore need to check not only the permissioning of their data but also that they can provide a robust audit trail of when and how it was provided.
From 25th May 2018 blanket consent will not be permissible, rather a granularity of consent will be required enabling an individual to state what they are signing up to and where/when their data can be used. This will have major implications again on front-end, database and CRM design.
Wealth screening was a specific area considered by the Fundraising Regulator and the GDPR considers this under Profiling. Whilst profiling is permissible it is only acceptable when the individual is fully aware of the work being undertaken and the impact to the individual of any outcome. Again, considered from the viewpoint that the GDPR exists to pass control back to the individual, we can assume that the hurdle around profiling will be set high.
The GDPR confers on the individual a legal right to request their data be removed and no longer processed either by the primary holder of the data or any third party that it has been passed to. Organisations will need reliable systems to know which 3rd parties have received the data in the past and be able to demonstrate robust auditable control of the data.
So, whilst not forcing organisations to have single depositories of data, the requirements of GDPR certainly encourage it. All organisations must equally have robust auditable processes and training of staff to ensure data rights and control remains with the individual.
The ICO is running a consultation until the end of March on the impact of GDPR. To participate please visit: https://ico.org.uk/about-the-ico/consultations/gdpr-consent-guidance/