Fat Beehive What does GDPR mean for small/medium charities?


1 Fat Beehive What does GDPR mean for small/medium charities? 27th March 2018

2 Agenda
Host: Steve Reed MP, Shadow Minister for Digital, Culture, Media and Sport
Chair: Mark Watson, CEO, Fat Beehive; Deputy Cabinet Member, Digital, Culture, Leisure and Sport, Croydon Council
Speakers:
1. Skip Fidura F IDM, Strategy and Insight Director, DotMailer Ltd
2. Karen Holden, Managing Director, A City Law Firm Ltd
3. Stuart Brown, Business Development and Partnerships Manager, Small Charities Coalition
4. Caroline Taylor, Head of Client Partnerships, Fat Beehive Ltd
5. Richard Nevinson, Group Manager Policy & Engagement, Information Commissioner's Office
Panel discussion

3 Mark Watson, Deputy Cabinet Member, Digital, Culture, Leisure and Sport, Croydon Council. CEO, Fat Beehive: leading digital agency for the third sector

4 Skip Fidura F IDM, Strategy and Insight Director, dotmailer Ltd

5 Karen Holden, Managing Director, A City Law Firm Ltd

6 GDPR: General Data Protection Regulation. All you need to know about the new rules and how you can ensure your business is fully compliant before 25 May 2018

7 GDPR: Don't be scared, be prepared!
The GDPR is an evolution of the existing law. If you are already complying with the terms of the DPA 1998, and have an effective data governance programme in place, then you are already well on the way to being ready for the GDPR.
You are not required to automatically refresh all existing DPA consents in preparation for the GDPR. But it's important to check your processes and records in detail to be sure existing consents meet the GDPR standard. If existing DPA consents don't meet the GDPR's high standards or are poorly documented, you may need to seek fresh GDPR-compliant consent.

8 How will this affect charities?
It is not just a fundraising issue about holding donor data and contacting potential fundraisers. The requirements will apply across the board in charities: for campaigning, marketing, managing volunteers and recording information about service users, i.e. anything that involves processing an individual's personal data.
Volunteers will also have to understand the new policies, not just employees.
There is no specific exemption for charities.
Risk assessment: what data you hold and where; how secure this data is; for what purposes it is being held; how long you are holding it; whether you have consent, for example.
Have a policy and process for all staff and volunteers across the board.

9 Fundamental & key changes
You must have a lawful basis for processing data. This is governed by Article 6 of the GDPR. At least one of these must apply:
(1) Consent: the individual has given clear consent.
(2) Contract: the processing is necessary for a contract you have with the individual.
(3) Legal obligation: the processing is necessary for you to comply with the law.
(4) Vital interests: the processing is necessary to protect someone's life.
(5) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(6) Legitimate interests: the processing is necessary for your legitimate interests, unless the individual's interest in the protection of their data overrides those legitimate interests.

10 Fundamental & key changes
Express consent / opt in and opt out
You can no longer imply consent (e.g. "if you continue with this call...").
For valid consent it must be specific & informed: if they don't understand why you are holding their data, then informed consent cannot really be argued.
Consider your methods of obtaining consent, as silence is not consent (tick boxes)!
Consent is not valid where there is a clear imbalance between the parties.
A charity's legitimate interest in furthering its cause must not override the rights of the individual, so the reasonable expectations of the individual, based on their relationship with the charity, must be taken into account.
The controller must also be able to evidence consent.
There is the right to withdraw consent at any time, subject to exemptions.
The key with GDPR is to ensure that a charity meets a set of lawful conditions to process data for direct marketing. Remember that under ePrivacy laws you do need consent to send email or SMS direct marketing.

11 Can children provide consent?
If you are relying on consent as your lawful basis for processing personal data when offering an online service directly to a child, only children aged 13 or over are able to provide their own consent. For children under this age you need to get consent from whoever holds parental responsibility for the child, unless the online service you offer is a preventive or counselling service.
Children have the same rights as adults over their personal data. These include the rights to access their personal data, request rectification, object to processing and have their personal data erased.
Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.

12 Right to erasure / right to be forgotten
An individual has the right to request the deletion of personal data if there is no compelling reason for its continued processing.
This is not an absolute right: e.g. it can be refused where the processing is needed to exercise the right of freedom of expression, to comply with legal obligations, for public health / the public interest, or for the defence of legal claims.
Data has to be kept up to date and accurate, so think through how you will make sure you are keeping data for no longer than is necessary.
If you have disclosed the data to a third party, you have to notify them of the request.

13 Right of access
Under the GDPR an individual has the right to access their personal data. Charities should plan how they will handle any requests within the new timescales, to avoid making it too onerous and time-consuming for themselves.
This must be FREE OF CHARGE unless the request is manifestly unfounded or excessive (e.g. copies of the same information). Any fee has to be the actual administrative cost.
The information has to be provided within ONE MONTH of a request unless it is complex or numerous (where it can be extended by two months, but you have to inform the individual within one month and explain the extension).
SO CAN YOUR IT/PHONE/SERVER HOST PROVIDER ACCOMMODATE THIS?

14 Right to rectification
An individual has the right to have their personal data rectified if it is inaccurate or incomplete. If the information has been disclosed, then you should notify the third party of any rectification. The time limit to rectify is ONE MONTH.
CAN YOUR IT/TELEPHONE/SERVER HOST PROVIDER ACCOMMODATE THIS?

15 What data does GDPR cover?
Employees, volunteers, clients, users, donors, partners: names and addresses.
Marketing database.
Images, GPS tracking data, fingerprints, CCTV footage, DNA, pseudonymous data that can be linked back to the person.
Personal data available in the public domain is still personal data, and data protection still applies to it.

16 Do I need to appoint a data protection officer (DPO)?
Under the GDPR, you must appoint a DPO if:
- you are a public authority;
- your core activities include large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities include large-scale processing of special categories of data or data relating to criminal convictions and offences.
Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure your organisation has sufficient staff and skills to discharge your obligations under the GDPR.

17 Data breach notification
Report within 72 hours of the data breach.
If the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, you must also inform those individuals without undue delay.
Keep records of all notifications and investigations.
Have a robust and documented policy and procedure in place.

18 Takeaway points to consider
1. Is the processing of your data fair and lawful? Do you satisfy the reasons?
2. Is any of the data sensitive data?
3. Are you transferring any data cross-border?
4. What is the purpose for which you are collecting the data?
5. Do you need the data that you are processing?
6. How long do you intend to retain the data?
7. How will you keep the data secure?
8. How will you transfer any data?
9. How will you delete data if requested?
10. Have you secured express consent?

19 Next steps for your business
Develop a GDPR compliance programme and define your data privacy governance structure: how can you delete personal data? How will you provide it electronically? How will you get consent? How will you verify ages? What will you do if there is a data breach?
Determine whether you need to appoint a data protection officer (DPO).
Map your data: where it's held, how it's collected and used, and where it's transferred.
Review third party agreements and where you transfer any data; review current policies and practices, terms and conditions and agreements.
Review data security measures and how you will deal with and report a breach.
Determine how to ensure ongoing and demonstrable compliance, including use of Data Protection Impact Assessments (DPIAs).

20 W: acitylawfirm.com T: + 44 (0) F: +44 (0)

21 Stuart Brown, Business Development and Partnerships Manager, Small Charities Coalition

22 What GDPR means for small charities: What, Where, Who

23 Structured approach
Don't leave it too late. Involve your whole organisation. Audit, plan, embed.
You don't know how much work you'll have until you've audited.
Even if it's not on fire.
GDPR might touch everyone in your organisation. They can help!
Breaches are rarely intentional.

24 Don't trust everyone else to be as good with data as you. Use what's already out there. Have an audit trail.
70% of breaches occur when a data processor is involved. Your organisation is still responsible.
ICO, IoF, Facebook groups, Digital GDPR tool.
Document your journey. Write your policies. Cement it in your organisation.

25 Caroline Taylor, Head of Client Partnerships, Fat Beehive Ltd: leading digital agency for the third sector

26 What do you need to do to make your website GDPR ready? 5 key elements:
1. Online privacy information notices
2. Forms
3. Just-in-time notices
4. Data deletion
5. Security

27 Privacy information notices
Layered. User friendly: plain English, easy to understand.

28 Forms
Context: sell the benefits.
Clear: worthwhile & transparent.
Granular: separate types of processing.
Unbundled: presented in a distinguishable manner.
Donation forms: simplify for conversion rate optimisation!

29 Just-in-time notices
Given in context. Brief messages & short descriptions. User friendly, e.g. phone numbers. Layered approach.

30 Data deletion
1) Right to withdraw consent
2) Right to data deletion
How much data do you legitimately need to store, and for how long?

31 Secure
User privacy at the core. CMS: updated & secure. SSL certificate. 3rd party integration.

32 How much can you do? How much is hard coded?
Follow through with what you say you're doing! Get digital at the heart of what you do.

33 Richard Nevinson, Group Manager Policy & Engagement, Information Commissioner's Office

34 Steve Reed MP, Shadow Minister for Digital, Culture, Media and Sport

35 Panel discussion

36 Fat Beehive Thank you