If you work in the charity sector it’s hard to avoid the General Data Protection Regulation (GDPR). It’s in the papers, on the blogs, and there are even whole conferences dedicated to it. (If you weren’t at the SCVO’s Data Protection: Get Ready for GDPR conference on 21st of September then see what you missed here.) But just what does the GDPR mean for organisations? And what’s going to happen on the 25th of May 2018 when it comes into force?
This is the start of a series of 6 blogs where I’m going to delve into the key areas of the GDPR and hopefully allay some of your fears. For today I’m going to start off lightly with a brief overview of the legislation and what it means for your organisation, but next week I’ll be jumping in feet first to fair and lawful processing and the importance of transparency.
The papers say we’re doomed!
No you’re not! All that stuff about small businesses and charities not being able to afford to comply with the GDPR is, as a certain US president likes to say, fake news. If you don’t believe me then check out this blog by our Information Commissioner Elizabeth Denham where she talks about GDPR misinformation.
GDPR is an Evolution, Not a Revolution
I stole that catchy phrase from our Deputy Commissioner (Policy) Steve Wood’s blog, as it describes GDPR in a nutshell. While there are new rights for individuals and responsibilities for organisations, a lot of the current Data Protection Act (DPA) transfers over into the GDPR. For example, the data processing principles set out in the GDPR are similar to those in the DPA; however, there is a new accountability requirement which puts responsibility on an organisation to evidence its compliance.
There are also a lot of the same rights; they’ve just been enhanced so that we, as individuals, have more control over our data. You’ve probably seen the Right to be Forgotten under GDPR popping up, but did you know this right exists in the current DPA? The main difference, and this goes for other rights like restriction of processing, is that under GDPR individuals can exercise this right without a court order, so organisations need to think about how they’re going to respond to these requests.
It’s Not Just GDPR…
This is the technical bit, but it’s important. In May next year it’s not just the GDPR you need to comply with; it’s also the Data Protection Bill (DPB). The GDPR doesn’t cover everything to do with personal data: things like exemptions and the powers of the regulatory authority (that’s us, the ICO!) are left up to member states to decide. The DPB will also encapsulate the Law Enforcement Directive, so if you were wondering where that was in the GDPR (it can’t just be us legislation nerds that have read the GDPR?) you’ll find it in Part 3 of the DPB.
Does the GDPR apply to us?
Whether your organisation processes personal data electronically or the “old fashioned” way, the answer is probably yes.
The ICO is here to help
I promise we don’t bite (unless we need to). We have a whole section of our website dedicated to Data Protection Reform, and we’ve produced 12 Steps to Take Now to help you get ready for the GDPR. We even have a Getting Ready for the GDPR self-assessment tool, and if you want to make sure you’re totally up to date with everything happening in data protection you can subscribe to our monthly e-newsletter. Most importantly, all of our resources are FREE, so head over to our website and start making the most of them, and I’ll see you in my next blog.