The importance of data protection

In April this year, the Information Commissioner’s Office (ICO) issued fines to eleven charities for contraventions of the Data Protection Act and the Electronic Communication Act.

The ICO investigations found many of the charities secretly screened millions of donors so they could target them for additional funds. Some charities traced and targeted new or lapsed donors by obtaining personal information on them from other sources, while some traded personal details with other charities to create a larger pool of donor data for sale. The fines were not insubstantial either – in some cases, up to £18,000.

Information Commissioner Elizabeth Denham commented:

Millions of people will have been affected by these charities’ contravention of the law. They will be upset to learn the way their personal information has been analysed and shared by charities they trusted with their details and their donations. No charity wants to alienate their donors. And we acknowledge the role charities play in the fabric of British society. But charities must follow the law.”

This comes as a timely reminder to all charities not only of the importance of compliance with data protection laws and regulations, but also that the law charities must follow will soon be changing.

The General Data Protection Regulation

The General Data Protection Regulation (GDPR), a directive approved by the European Parliament on 14 April 2016, seeks to update the European Union’s Data Protection Directive 1995, and will be directly applicable in all member states from 25 May 2018.

The new regulation recognises that a lot has changed in terms of personal data since 1995, with the growth in use of emails, smartphones and social media. Its key aim therefore is to strengthen the individual’s control over third party handling of data.

Key Points on Personal Data

  • The GDPR has a much wider geographical scope than the previous data protection regime. The GDPR applies if any of the following are based within the EU:

    • the data controller i.e. the organisation that collects data from EU residents;

    • the data processor i.e. the organisation that processes data on behalf of data controller; or

    • the data subject i.e. the person whose personal information is being used.

  • The GDPR also contains a much wider definition of personal data. As well as the information traditionally considered to be personal information, such as name, home address, medical information and bank details, the GDPR will cover things like email addresses, social media accounts and IP addresses.

  • Under the GDPR, an individual’s consent to the use of their personal data must be freely given, specific, informed and an unambiguous indication of the individual’s wishes. Consent under the GDPR must be affirmative (meaning silence, pre-ticked boxes or inactivity does not constitute consent) and verifiable (meaning some form of record must be kept of how and when consent was given). Any consent given for use of personal information under the old data protection regime must be sought again if it falls short of the standard of consent required under the GDPR.

  • Individuals will have increased control over the way in which data controllers and data processors handle their personal information. For example:

    • Individuals are entitled to request organisations to rectify their personal data if it is inaccurate or incomplete;

    • The right to erasure or ‘the right to be forgotten’, meaning an individual can request the deletion or removal of personal data where there is no compelling reason for its continued processing;

    • The right to object to the use of their personal information for things like direct marketing or scientific or historical research; and

    • The right to object to automatic profiling.

Key Points for Organisations

The GDPR comes into force in all member states on 25 May 2018, and with less than a year to go, the ICO has called on all organisations to act now to ensure they are compliant by then.

Many of the GDPR’s main concepts and principles are the same as those in force under existing legislation. The ICO recommends however that organisations review their guidance to ascertain the main differences between the current law on data protection and the GDPR, and has published a useful twelve-step chart for organisations including charities to follow, and which can be found at:

Steps the ICO recommends organisations take now to ensure compliance by 25 May 2018 include:

  • Organising an information audit across the organisation to ensure personal data held is accurate, where it came from and whom it is shared with;

  • Reviewing and updating privacy notices to take account of the changes under GDPR, such as explaining to donors the lawful basis for processing data, information on date retention periods and how individuals can complain to the ICO if they believe their personal data is being mishandled;

  • Reviewing data protection procedures to ensure they cover all the rights individuals have, including the new rights under the GDPR, such as data portability. Organisation should also consider whether they need to revise procedures and make any changes;

  • Reviewing the procedures in place as to how the organisation seeks, records, and manages consent, as well as refreshing any existing consents that are not up to the standard required under the GDPR. The key issue for organisations to consider is that consent cannot be inferred from silence, pre-ticked boxes or inactivity – it must be freely given, specific, informed and unambiguous;

  • Consider the organisation’s policies in relation to children, as the GDPR brings in special protection for children’s personal data, including a requirement for a parent or guardian’s consent for online services in order to process their data lawfully; and

  • Designating someone as ‘data protection officer’, to take responsibility for data protection compliance. Those that hold and process personal data will also be subject to a new accountability principle that requires them to demonstrate compliance with the principles of the GDPR and is explicitly stated to be their responsibility, for example, keeping records of processing activities, recording impact assessments and drawing up codes of conduct.

Infringements of the basic principles of the GDPR, including the conditions for consent, are subject to the highest tier of administrative fines. This could mean a fine of up to €20 million, or 4% of total worldwide annual turnover, whichever is higher.

The ICO will continue to publish guidance leading up to 25 May 2018, including any guidance issued by the EU working group on data protection, which will most likely be published in the second half of 2017, and it is recommended that organisations that will be subject to the GDPR should keep up to date with such guidance.

The impact of Brexit

A statement issued by the ICO immediately after the EU referendum result in June 2016 stated:

The Data Protection Act remains the law of the land irrespective of the referendum result… If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018”

The British Government is aiming for a withdrawal from the European Union by 30 March 2019. Given that the GDPR comes into force in all member states before then, on 25 May 2018, it will become law in England and Wales from that date. In any case, the GDPR will apply to organisations outside of the EU that are involved in processing the data of EU residents. The GDPR will still therefore apply to many UK organisations following Brexit.