What is the GDPR?
The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. You can find more detail in the key definitions section of our Guide to the GDPR.
As a small charity what do I have to do to ensure we comply with the GDPR?
You can find the latest ICO guidance on the new legislation in our Guide to the GDPR. It will be updated regularly and you can check it for the latest position.
We’ve also created a package of tools aimed at small and micro organisations, including charities:
- Getting ready for the GDPR: a practical self-assessment tool
- Our 12 steps to take now checklist
- A dedicated advice line for small organisations
The GDPR is an evolution of the existing law. If you are already complying with the terms of the Data Protection Act 1998, and have an effective data governance programme in place, then you are already well on the way to being ready for the GDPR.
Our Deputy Commissioner Steve Wood explained how the GDPR need not be a burden in his blog from August 2017.
Can I have specific guidance for charities?
Our guidance focuses on the general application of the GDPR. But we are engaging with representatives from the charity sector to assist them in producing their own sector-specific advice and guidance.
Can you help me decide what to include in my privacy notice?
The GDPR sets out the information you should supply and when individuals should be informed.
The information you supply about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
There’s more information in our Right to be informed section of the Guide to the GDPR.
I work for a health charity and I am concerned we will not be able to continue once the GDPR comes in, as there seems to be no condition of processing that allows us to process special category personal data.
Special category data is broadly similar to the concept of sensitive personal data under the Data Protection Act 1998. The requirement to identify a specific condition for processing this type of data is also very similar.
The conditions for processing special category data under the GDPR in the UK are likely to be similar to the Schedule 3 conditions under the 1998 Act for the processing of sensitive personal data. Conditions for processing special category data are set out in the Data Protection Bill and more detailed guidance will follow when it is finalised.
How do I know if the consent I have for marketing under the DPA is good enough for the GDPR?
Our consent checklist sets out the steps you should take to seek valid consent under the GDPR. This checklist can also help you review existing consents and decide whether they meet the GDPR standard, and to seek fresh consent if necessary.
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard.
You will need to be confident your consent requests already met the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily.
If existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.
You are also likely to need consent under ePrivacy laws for many marketing calls, texts and emails. These rules are currently found in the Privacy and Electronic Communications Regulations 2003 (PECR). For more about PECR please see our Guide to PECR.
Do I always need consent for marketing and does it have to be opt in or can it be opt out?
No. You won’t always need consent (for example, for postal marketing), but you will need consent for some calls and for texts and emails under PECR. See our Guide to PECR for more on when you need consent for electronic marketing.
If you don’t need consent under PECR, you can rely on legitimate interests for marketing activities if you can show that the way you use people’s data is proportionate, has a minimal privacy impact, and that people would not be surprised or likely to object. See our legitimate interests guidance for more detail.
If you do rely upon consent it requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. See our consent checklist for more detail.
I want to know more about the rules on security under the GDPR
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. You can find more guidance in the security section of our Guide to the GDPR.
Do I need to appoint a data protection officer (DPO)?
Under the GDPR, you must appoint a DPO if you:
- are a public authority (except for courts acting in their judicial capacity);
- have core activities that include large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- have core activities that include large scale processing of special categories of data or data relating to criminal convictions and offences.
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.
Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
How do I access the ICO’s advice services?
We’ve set up a dedicated advice line for small organisations, including charities. You can also get in touch via live chat or email: click on the ‘Contact us’ link in the blue footer on any page of the ICO website.