Ashley Smith-Hammond

Come 25 May 2018, your organisation will be responsible for complying with the General Data Protection Regulation. Marketers, fundraisers, outreach professionals, box office or front of house staff and operations managers should start looking at the key changes now.

You may have heard whispers of new data protection regulations coming. They’re true. Come 25 May 2018, your organisation will be responsible for complying with the General Data Protection Regulation. This will be enforceable across the EU. And before you ask, BREXIT will have no impact on the rollout of GDPR in the UK.

At the start of 2017, Culture Republic hosted speakers from the Information Commissioner’s Office as part of our First Wednesday event series. It was so popular we had to run one in February and one in March. Marketers, fundraisers, outreach professionals, box office or front of house staff and operations managers should start looking at the key changes now.

What we learned

These regulations will put higher demands on your organisation than the current Data Protection Act (1998). So, now is a great time to start changing practice, changing policies and improving your systems. It’s happening. Let’s get ready.

As a rule of thumb, rights belong to people and responsibilities belong to organisations. It’s their personal data after all. The direction of change is that individuals’ rights are getting more robust and organisations’ responsibilities are getting more demanding.

There are eight rights you need to live up to:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights related to automated decision making and profiling

A bit more on the top four rights

The right to be informed is being extended. It is already a fundamental right, but under GDPR you will need to give people ‘fair processing notice’. Basically it is a statement that you handle personal data responsibly and for a good reason. We are all going to need to do this. Processing is a really general term. It essentially means anything you might do with a piece of data including collecting it, using it or classifying it. Here’s an example from the Government. You can see it lets everyone know the legal basis for processing data and the purpose of processing data.

The right of access is also being extended. If they ask for it, you will need to give people a permanent copy of the data you hold about them. You’ll also have to share the legal basis under which you hold it.

The right to rectification is getting more robust. Under DPA it was an issue for the courts, but under GDPR the ICO will be the enforcers.

The right to erasure is a new right. For organisations this might mean using a suppression list rather than deleting records outright (otherwise how will you know they’ve asked not to be contacted!). If there’s a compelling reason to hold onto information you may still be able to keep it for use in limited circumstances. For example, you could hold on to parents’ information in the interests of the safety of a child.

Other important GDPR provisions

There are entirely new provisions your organisation will have to take into account.

  • Accountability and governance: In the new system you will need evidence of your compliance with GDPR. This means having a written policy on data protection. You’ll be required to provide training to team members around good data protection practice. Crucially, you have to maintain evidence (i.e. keep a record) of when/how people opted in to receive information from you. No more ‘soft opt-ins’ – people will have to actively opt in by taking “a clear affirmative action”. When you share T&Cs around your data handling it will need to be clear. This means no legalese. Keep things succinct and write your policies in accessible language for young people and people with disabilities.
  • Breach notification: From May 2018, if you discover you’ve had a data protection breach you’ll have to fess up. You will have a legal obligation to report the breach within 72 hours of discovering that it has happened. When you report, you are required to inform both the ICO and people who are affected by the breach.
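The suppression list described under the right to erasure, and the opt-in evidence required under accountability and governance, both come down to what your contact store actually records. The following is an added illustration, not code from Culture Republic or the ICO, of a minimal store that keeps when/how each person opted in, and that answers an erasure request by deleting the personal data while keeping a keyed hash of the address so the person is not contacted again. The class and field names, the constructed hashing key and the sample addresses are all assumptions made for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed key for the example only. In a real deployment the key lives
# in a secrets store, so that the suppression list cannot be reversed into
# a list of addresses by anyone who copies it.
SUPPRESSION_KEY = b"example-key-not-for-production"


def _normalise(email: str) -> str:
    return email.strip().lower()


def _suppression_token(email: str) -> str:
    """Keyed hash of the normalised address. The suppression list stores this
    token rather than the address, so erasing someone does not leave their
    personal data sitting in a 'do not contact' table."""
    return hmac.new(SUPPRESSION_KEY, _normalise(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()


@dataclass
class ConsentRecord:
    """The evidence of opt-in: when, how, and what affirmative action."""
    email: str
    source: str            # e.g. "newsletter sign-up form"
    action: str            # e.g. "ticked unchecked box"
    opted_in_at: datetime


@dataclass
class ContactStore:
    contacts: dict = field(default_factory=dict)   # normalised email -> ConsentRecord
    suppressed: set = field(default_factory=set)   # suppression tokens only

    def record_opt_in(self, email, source, action, when=None):
        """Store a clear affirmative opt-in with its evidence. Returns False
        if the person has previously asked to be erased; lifting a suppression
        on a fresh opt-in is a policy decision outside this example."""
        if _suppression_token(email) in self.suppressed:
            return False
        when = when or datetime.now(timezone.utc)
        self.contacts[_normalise(email)] = ConsentRecord(email, source, action, when)
        return True

    def erase(self, email):
        """Honour an erasure request: drop the personal data, keep only the
        token needed to make sure we do not contact them again."""
        self.contacts.pop(_normalise(email), None)
        self.suppressed.add(_suppression_token(email))

    def can_contact(self, email):
        """Contact only people with recorded opt-in who are not suppressed."""
        if _suppression_token(email) in self.suppressed:
            return False
        return _normalise(email) in self.contacts

    def consent_evidence(self, email):
        """What you would hand over to show when/how someone opted in."""
        return self.contacts.get(_normalise(email))


if __name__ == "__main__":
    store = ContactStore()
    store.record_opt_in("Ann@Example.org", "newsletter form", "ticked unchecked box")
    print(store.consent_evidence("ann@example.org"))
    store.erase("ann@example.org")
    print(store.can_contact("Ann@Example.org"))
```

The design choice worth noting is that the suppression list holds only keyed hashes: an erasure request should not turn a marketing record into a permanent "do not contact" record that still contains the address. The consent record, by contrast, deliberately keeps the source and the action, because that is the evidence you would need to show.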

Where to go when you need more information

All the in-depth information on the GDPR is available on the ICO website. They are providing running updates as decisions are made and as they generate new guidance.

Our advice? Start making plans and taking steps now to align with the regulations when they kick in next May. GDPR preppers should check out the user-friendly ICO guidance 12 Steps to Take Now. It’s a simple way to get started.


Main image credit: Research Data Management by Janneke Staaks (CC BY-NC 2.0)