Data Protection Toolkit - Getting Started
A good place to begin is to think about the changes that the GDPR makes to previous data protection laws.
The GDPR may be the biggest overhaul of EU and UK data protection law in 20 years, but the basic principles and requirements of the existing legislation continue to apply. The lawful bases and the definition of special category data (sensitive personal data) are very close to those established by the 1998 Data Protection Act.
One of the most important elements of the GDPR is the set of accountability and governance requirements for data controllers. All organisations processing personal data must be able to provide evidence of how they comply with the data protection principles, and must implement data protection by design and by default in their projects and activities.
Consent is brought to a higher standard. However, consent is not required for each and every use of personal data, so make sure that you understand where you do and don't need consent.
Enhancements to the rights that individuals have over their own data are another area of change under the Regulation. You will need to make sure that you protect these rights in how you plan and carry out your activities. Data subjects continue to have the right of access to data held about them, but a fee can no longer be charged for providing it and the time frame for responding is shorter. Their right to be informed about how their data is collected and used is stronger, so your privacy notice will need to cover more detail, but it also has to be clear and easy to understand. And the right to be forgotten (to have one's own data erased on request) gives people more control over their own information.
Organisations are now required to report personal data breaches to the regulator (the Information Commissioner's Office) - and must do so within 72 hours of becoming aware of an incident.
The potential fines for breaching the principles or infringing the rights of individuals are higher. But if you take care to ensure that your practices are in line with the law, you don't need to worry about that.
In the words of the Information Commissioner, the GDPR is 'evolution, not revolution' in data protection.
The new laws are not intended to stop you doing what you do currently, but they might have an impact on how you do it.
If your organisation cares about protecting the personal information of your staff, volunteers and the people you help, you shouldn't have any reservations about complying.
Your initial focus will be to prioritise getting into line with the accountability and transparency requirements of the GDPR.
In the long-term, you should be aiming to move to best practice and developing a culture of privacy and transparency.
1. Familiarise yourself with the data protection principles
These are, in effect, the same as those established by the 1995 EU Directive (via the 1998 Data Protection Act). If you've not come across them before or need a refresher, do it now because you'll need to be able to have confidence that all of your processing is compliant with these principles.
Personal data must be:
- processed lawfully, fairly and in a transparent manner
- collected for specific, explicit, legitimate and limited purposes
- adequate, relevant and limited to what is necessary
- accurate and, where necessary, kept up to date
- kept in an identifiable form for no longer than is necessary (if it can be anonymised it can be kept for longer, but anonymisation is more difficult than you might think)
- processed in a manner that ensures appropriate security
In most cases, you'll be a data controller (the one who decides why and how personal data will be processed), unless you process data on someone else's behalf, in which case you're a processor. As a controller, you are accountable for demonstrating that these principles are being complied with.
2. Document your current data processing activities
The GDPR is quite clear about the records you must keep in order to show that the effect of your data processing activities on people's privacy is clearly understood by your organisation.
The records you keep can be referred to as your Data Processing Register.
You might have to produce these records on request of the ICO, so make sure that they reflect what you do.
Read our guide to documentation and templates to get you started.
3. Understand what your lawful bases are
Under the GDPR there are six lawful bases for processing personal data. Each of your processing activities must satisfy at least one of these or it will not be legal!
- Getting permission from your data subjects through consent is an option, but it is only one of these lawful bases. Remember that it's far from the only option, and in many cases, you'll be able to rely on another of these permissions and therefore won't need consent. Obtaining consent should be your last option if you aren't able to satisfy another lawful basis, as it does require a fair amount of extra effort to make sure what you have obtained meets the standard for consent, which is higher under GDPR.
- It could be that you consider the legitimate interests option for some processing relating to your organisation's purpose. If you do, it's important that there is a clear need to use the personal data for the purpose, and that you balance this with the rights and freedoms of the data subject before deciding on if it can apply. If so, you need to keep a record of how this was decided, and refer to the reasoning in your privacy notice.
Use the Legitimate Interests Assessment template to help you decide whether you can use legitimate interests as a legal basis.
- In some cases you are under a legal obligation to process personal data in order to fulfil another law. In the case of employment law, employers in Northern Ireland have to provide monitoring information on their workforce to the Equality Commission. This means that their employees' personal data will be processed, but this can be done without their specific consent because it is a legal obligation, which forms another lawful basis.
- If you have a contract with the data subject you may need to process some of their personal information in order to fulfil that contract. This should be limited to what is actually necessary in order to fulfil the contract. Note that a general service contract or contract with a funder does not apply here, it has to be with the person themselves.
There are two less-commonly used lawful bases: to protect someone's life (for example in emergency situations) or to carry out a public task (generally applying only to public authorities or an organisation carrying out a public task set out in law).
You should pick the most appropriate basis for each processing activity. For example, if you have to collect some personal information because it's a legal obligation, then that is the most appropriate basis. It would be a mistake to pick consent in this case as individuals would believe they have the right to withdraw their consent (you can start to see the sorts of bother this might get you in).
You can record the choice of lawful basis in your documentation, and expand on why you've made that decision. This means that if the responsibility for data protection in your organisation falls to someone else, they're not left to second-guess your thinking.
4. Update your privacy notice
So you've thought about all of your data processing activities and started to document these. It seemed like a lot of work - why do all this?
The documentation task isn't just about keeping records for your own purposes and to satisfy a legal requirement. The concern for transparency and the individual's right to be informed means that you need to communicate these activities to your data subjects, but in a more straightforward manner.
You can choose the most appropriate way to present this information, but having a privacy notice is the most common means. The GDPR contains a useful overview of the information that you need to provide at a minimum.
Though there's quite a lot of detail involved, you also must make sure that your notices are clear and easy to understand (especially if they cover data on children or people with a limited comprehension). Remember, the point of having a privacy notice is so that people understand what you do with their data and can make informed choices, so put yourself in their position when you write it.
Once you've updated your privacy information you can then let people know that it's changed. Also, make sure that the privacy notice is provided when collecting information from people you've not been in contact with before (or when collecting more information from people you have worked with before), either by pointing them to a link or by giving them the relevant information at the time.
There are lots of good (and bad) examples of privacy notices out there. If you're not going to write one from scratch, the important thing is to make sure that it is appropriate for your organisation's processing activities. Also, make sure that your data subjects will be able to understand it and that you will actually implement the practices that you're describing.
Use the privacy notice checklist and template to make your privacy information easy to access, read and understand.
5. Put the right processes and practices in place
There's no point putting this effort into updating your policies if you don't put the changes into practice. If you say you'll delete someone's data after a year, you need to make sure that you actually do it. You need to plan for how you are going to implement your data protection measures, or you will fall behind on your compliance.
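The two checks above that are easiest to automate are the ones from step 3 (every activity in the Data Processing Register must name one of the six lawful bases, and a legitimate interests choice needs a recorded assessment) and the retention promise just described (data held beyond the stated period must be erased or anonymised). The script below is an added example of a register kept as a machine-checkable record; it is not code from the toolkit, and the field names, the sample activities and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# The six lawful bases listed in step 3 of the toolkit.
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}


@dataclass
class ProcessingActivity:
    """One entry in the Data Processing Register (field names are assumptions)."""
    name: str
    purpose: str
    lawful_basis: str
    retention_days: int                              # how long identifiable data is kept
    processors: list = field(default_factory=list)   # third parties processing on our behalf
    processor_contract_in_place: bool = False
    lia_reference: str = ""                          # record of the Legitimate Interests Assessment


@dataclass
class Record:
    """A stored personal-data record linked to the activity it was collected for."""
    subject_id: str
    activity: str
    collected_on: date


def validate_activity(activity):
    """Return the accountability gaps for one register entry (empty list means OK)."""
    issues = []
    if activity.lawful_basis not in LAWFUL_BASES:
        issues.append(f"'{activity.lawful_basis}' is not one of the six lawful bases")
    if activity.lawful_basis == "legitimate_interests" and not activity.lia_reference:
        issues.append("legitimate interests chosen but no assessment recorded")
    if activity.retention_days <= 0:
        issues.append("no retention period defined")
    if activity.processors and not activity.processor_contract_in_place:
        issues.append("processor used without a contract giving compliance assurance")
    return issues


def validate_register(register):
    """Map each non-compliant activity name to its issues; a compliant register maps to {}."""
    result = {}
    for activity in register:
        issues = validate_activity(activity)
        if issues:
            result[activity.name] = issues
    return result


def retention_sweep(register, records, today):
    """List (subject, activity) pairs held longer than the activity's retention period.

    These are the records that must be erased or anonymised to honour the
    'no longer than necessary' principle and the promise made in the privacy notice.
    """
    by_name = {a.name: a for a in register}
    overdue = []
    for record in records:
        limit = timedelta(days=by_name[record.activity].retention_days)
        if today - record.collected_on > limit:
            overdue.append((record.subject_id, record.activity))
    return overdue


# Constructed sample register and records (not real data).
SAMPLE_REGISTER = [
    ProcessingActivity("newsletter", "send monthly updates to supporters", "consent", 365,
                       processors=["mailing-list provider"], processor_contract_in_place=True),
    ProcessingActivity("payroll", "pay staff and keep statutory records", "legal_obligation", 6 * 365),
    ProcessingActivity("fundraising-analysis", "profile past donors", "legitimate_interests", 730),
    ProcessingActivity("event-photos", "publish photos from events", "because we always have", 0),
]

SAMPLE_RECORDS = [
    Record("S001", "newsletter", date(2023, 1, 10)),
    Record("S002", "newsletter", date(2024, 3, 5)),
    Record("S003", "payroll", date(2019, 6, 1)),
]


if __name__ == "__main__":
    for name, issues in validate_register(SAMPLE_REGISTER).items():
        print(f"{name}: {'; '.join(issues)}")
    for subject, activity in retention_sweep(SAMPLE_REGISTER, SAMPLE_RECORDS, date(2024, 6, 1)):
        print(f"erase or anonymise {subject} ({activity})")
```

Running the sweep on a schedule (and keeping its output with your records of issues) turns the retention promise into something you can show the ICO you actually carried out, rather than a line in a policy document.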
Thinking about data protection should inspire a culture in your organisation where transparency and privacy are central to what you do. Data protection is very much a boardroom issue, and can't be left to individual members of staff to implement for themselves. It is not a one-off or a tick-box exercise—you must keep these practices under review.
Senior management should be involved in making decisions about internal data protection practices and security policies. The very worst approach would be to leave sole responsibility to the IT department. Data protection (and cyber security) can impact on reputation and operations if not taken seriously.
- Appoint someone to take the lead on data protection matters. This doesn't have to be a fully-fledged Data Protection Officer (unless you are required to have a DPO), but someone with the level of oversight of compliance and business-wide processes. It is not a case of making that person solely responsible—it is the organisation that is accountable—but it gives someone the ability to ensure that good privacy practices are taking place across the organisation.
- Update your staff handbook to reflect policies and outline best guidelines. Embed the data protection principles in your policies and ensure that they're reflected in how you handle personal data.
- Train your staff, including volunteers, in recognising their responsibilities. How you do this depends on what your staff need to know. It could be provided in-house by a knowledgeable member of staff.
- Make sure that staff know who to report a data protection issue to if they don't know how to deal with it themselves.
- Review data sharing and contracts with suppliers or partners, especially anyone who processes data on your behalf (a processor). You have a responsibility to ensure that anyone you share data with can provide sufficient assurance that they are also compliant with the GDPR. This includes third-party services that you use to upload or collect personal data (such as Mailchimp, Survey Gizmo, cloud storage services, etc).
- Keep records of issues and plan how you will address them. This includes any breaches, requests from data subjects, security risks and issues with compliance. Report these as part of your organisational risk register or information asset register.
- Assess your technical security measures. Make sure they're appropriate and up to date. If you are using old software that is out of support, this may need to be addressed. This needn't be a task solely for IT professionals. The National Cyber Security Centre guidance for charities has practical steps you can take now to assess and improve security.
- If you work with children think about how you will protect their data. There aren't many hard and fast rules about using children's data, but the principle of the GDPR requires you to ensure that their data is given specific protection. Our guide covers what you need to consider.
Read our guide to implementing data protection policies for your organisation
Read our subject access request guide on how to recognise and deal with requests for copies of information
Read our data breach guide to know what to do in the event of a breach
Read our practical guidance on how to encrypt data to protect it from unauthorised access
How you do it is down to you. You know what your organisation does best, and you know who the right people are to engage with.
As with the implementation of any change in organisational practices, there are a number of things to make sure you do:
- Make sure your staff and volunteers are aware of the changes that the organisation will be going through, and engage them early on in getting their input.
- Assess what you do currently, and record it. Making sure that your information processing activities are thoroughly documented is an important part of being accountable. Address any gaps in your current data processing activities.
- Review your current policies and procedures. You may find that you only need to make small tweaks to your current practices. If you've not done this in a while, there might be a bit more work in it. Concentrate on the highest-risk areas e.g. where there might be sensitive information or the activities relate to your main purpose.
- Plan for what to do when things go wrong. This doesn't mean that the worst-case scenario can be avoided entirely, but if you can show that you're prepared for when it happens, the negative effects will be limited.
The ICO's self-assessment checklist can help you find any areas you might be deficient in.