The European General Data Protection Regulation (GDPR) that comes into force in May 2018 is the most radical change to data protection legislation in over 20 years. The single biggest change from the existing Data Protection Act (DPA) is that the DPA essentially requires a set of actions to be taken – a box-checking exercise. The GDPR requires far more than that – it essentially requires an entirely new, and dynamic, approach to be taken to the collection, storage, protection, security, processing and management of personal data, one that will affect the entire organisation. The EU has decided to implement these new rules both to improve protection of an individual’s personal information and to reflect changes in technology which affect the way personal information is obtained and used.
As we discuss in a recent blog, the fact that it’s a regulation means it comes into force across the EU without requiring local legislation. The UK won’t have exited the EU by the time this new regulation comes into force, so it will apply in the UK, although there are some areas which are being left to individual states to decide precisely how to implement them. The UK government published a kind of consultation document, a “call for views”, which has already closed for comments!
GDPR’s requirements extend those in existing data protection regulations such as the UK Data Protection Act (DPA). One of the most significant changes is the extension of the definition of “personal data” to include any information that can be associated with an individual, even if you don’t know the name of the individual concerned. This means it includes browser cookies, computer and smartphone IP addresses and even radio frequency ID (RFID) tags, which are increasingly being embedded in items we buy, wear and carry with us.
A further major change is to the concept of “consent”. Currently silence, inaction, pre-checked boxes or continuing to access a website are acceptable as consent. This will no longer be the case under GDPR which requires active consent to be provided. As now, it requires the individual to be told the purpose(s) for which their data will be used; it further requires the organisation obtaining the consent to document, record and be able to prove that it has the appropriate consent.
Read about the key provisions of GDPR by requesting a copy of our 4-page white paper.
If you don’t have time to read this, we’ve prepared a one-page GDPR executive summary.
The ICO has recently fined 13 charities (2 in December 2016, 11 in April 2017) for breaches of data protection legislation; this has raised public awareness of how charities implement data protection.
As a charity you depend on your good reputation and the generosity of your donors to continue to provide services. Complying with data protection legislation is key to this – donors who don’t think their personal data is safe, or think it may be shared without consent, are less likely to donate.
Clearly practices adopted by some charities don’t comply – as this page on the ICO website details. With GDPR the provisions become more stringent, so each charity must take immediate action to ensure both current and future compliance. As recent events have demonstrated, just because it’s a charity doesn’t mean the ICO will be less diligent in ensuring the safety of personal data.
Benefits of working with Cameo Innovations
Cameo Innovations (CI) is a Microsoft partner specialising in helping its clients implement and use Office 365, Dynamics 365 CRM, Project Online and Microsoft Cloud technologies in the most efficient and cost-effective way. CI can assist you in conducting a data audit, so you can find out what personal data you hold, where it’s held, whether it’s up to date, whether you need to continue to hold it, and what consents you have to use it. We can help you design processes to secure the data and document the consent you hold, and if necessary request new consents in advance of the May 2018 deadline. We can also help you implement notification systems and customer portals to provide individuals access to their own personal data, as GDPR suggests is advisable.
We are working with Microsoft on its GDPR initiative, which means CI can assist wherever a Microsoft product can be configured to help you, and your staff and volunteers, comply with GDPR – for example, you can configure your email system to alert when emails containing personal data are about to be sent, or even to prevent them from being sent.
Contact us to find out more about how we can help, both with GDPR compliance and how to get more value from the cloud.
The EU GDPR Regulation itself – 204 pages of complex legislation. It provides the requirements and regulations, but doesn’t suggest how to achieve them.
Cameo Innovations GDPR White Paper – our four-page summary of the key provisions, the major changes from the UK DPA, and some suggestions on first steps to take.
ICO’s guide to the GDPR – much more accessible than the regulation itself, this is regularly updated to include guidance and interpretation of the regulation.
ICO 12 Steps to take now – the ICO’s suggestions for achieving GDPR compliance.
Questionable charity practices – what the ICO found some charities were doing, in breach of the UK DPA.