Preparing for GDPR
On 25 May 2018, the GDPR will come into force bringing the biggest change to data protection law in 20 years. The changes will mean new requirements for how charities gather, process and use personal data. Our Conference focused on not only the new GDPR requirements, but also highlighted how both government departments and charities are putting new processes in place to ensure they are ready for the changes. Due to demand for the conference we ran it in first in May and again in June and had over 300 charity leaders and trustees in attendance over the two events.
We opened the conference by gauging the knowledge and readiness for the GDPR in the room. Results from our poll can be viewed here.
Our CEO, Seamus McAleavey opened the event and stressed that while data protection issues traditionally sat with the IT department, with GDPR this needs to be a boardroom issue. Not preparing properly for the new regulations is a threat to voluntary and community organisations’ both in terms of cost and reputation he added. Seamus also announced that after consulting with the sector, we have invited the Fundraising Regulator to oversee and regulate fundraising in Northern Ireland.
We were delighted to have a special key address from the Information Commissioner, Elizabeth Denham, on how the third sector must be a beacon of good practice. She highlighted that one of the key requirements in GDPR is accountability, which is being able to demonstrate that you are compliant with data protection law. Elizabeth also gave a special mention to our NICVA / ICO Data Fridays partnership – an initiative that has been replicated across the UK.
Shauna Dunlop and Rachael Gallagher from the Information Commissioners Office in Belfast, took us through some of the key changes between the current data protection law and GDPR specifically;
Accountability - The new accountability principle requires organisations to demonstrate that you comply with the data protection principles. This means greater emphasis on the documentation that organisations must keep to demonstrate compliance, staff training, having policies in place and, where appropriate, appointing a data protection officer.
Transparency - GDPR will strengthen individual’s rights including the right to be informed, right of access, rectification and erasure. It places an emphasis on making privacy notices understandable and accessible. The GDPR also contains new provisions intended to enhance the protection of children’s personal data. Where services are offered directly to a child, you must ensure that your privacy notice is understandable by them. In certain cases a child under 16 will need consent given by a parent unless related to preventative or counselling services.
Consent – Under GDPR consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in and consent cannot be inferred - meaning an end to pre-ticked boxes on websites and marketing material. Evidence of consent must be kept and should be easy for people to withdraw at any time. Remember there are alternatives to consent if it’s necessary for vital interests, a contract with the individual or a public task.
Privacy by Design – GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. Organisations need to show that they have considered and integrated data protection into their activities and processes as part of risk management planning from the outset.
Breaches – Charities need to put procedures in place to effectively detect, report and investigate a personal data breach. GDPR brings a duty to notify the ICO when they suffer a personal data breach within 72 hours or risk a significant fine.
Next up we had John Morgan from the Department of Finance, the lead department for implementing GDPR in the NI Civil Service. A group has been set up across all 9 departments and they are using the ICO’s 12 steps document as guidance. A number of sub-groups have also been created to take forward specific areas of GDPR and report back. John noted the importance of awareness raising among staff and keeping them updated with developments. His concluding remarks were to just get started with preparing for GDPR today!
Our Head of Information Management, Stephen Gray was our next speaker and he presented on how NICVA are preparing for GDPR. Similar to DoF, NICVA are using the ICO’s 12 steps guidance to both put procedures in place and keep staff updated. A GDPR Readiness Group has been established from representatives from across the organisation. Starting with Step 2 – Information you hold, Stephen explained that an Information Asset Register has been set up to document the information we hold, where it’s held, why we hold it and our retention and disposal policy. It also highlights the likelihood of a breach/ loss and what impact this would have. An escalation / notification process will be added to this. Stephen’s key takeaways were, inform people of the changes and start an audit of the information you hold.
The final session of the day was delivered by Kieran Dunne from Microsoft Ireland. Data can be a huge force for good or bad, which is why data protection is so important he said. Kieran reiterated the need to take stock of all the data you hold, both electronic and hard copy and plan and manage who can and should have access to it. He posed the question ‘It's a "post-breach" world assume that you're going to have a breach, now how would you mitigate that?’
The conference wrapped up after a Q&A session with our speakers, where queries regarding changes in consent, capacity of small charities to comply, cloud storage and registering with the ICO were all raised.
GDPR has instilled fear in charities in our sector, however our key message is, take this as an opportunity to review the data you currently hold and make a plans to get ready for the incoming changes to ensure compliance.
NICVA will be helping the sector get ready by continuing our Data Friday’s series of monthly sessions with the ICO. The sessions focus on a different topic every month and you can view upcoming workshops here or follow the hashtag on Twitter.