Last summer, the third sector was rightly caught up in a flurry of activity and concern about preparing for GDPR. Since then, things have gone quieter on the GDPR front, to the extent that some people see it as last year’s news.
For any charity to think of it that way would be a huge mistake. Year two of GDPR will see the start of more stringent enforcement by the Information Commissioner’s Office (ICO), and the end of the informal education phase.
One year on, the ICO has warned that its focus for the second year will go ‘beyond baseline compliance’, and that it will not hesitate to act in the public interest when organisations break the new law.
In the first 11 months of GDPR, the ICO received over 40,000 data protection complaints from the public. Two-thirds of Data Protection Officers across different organisations told the ICO they had seen an increase in customers and service users exercising their information rights.
Charities beware – size or charitable status cannot be relied upon as an excuse for getting things wrong.
Based on first-year experience, there are several areas where organisations, including charities, are commonly at risk of breaches that could lead to significant fines if left unchecked. They include:
- Being unable to recognise a Subject Access Request (SAR) and treating it as an inappropriate request for information, or mishandling the SAR and failing to respond within the legally stipulated time;
- Not taking seriously the obligation to register with the ICO, or mistakenly expecting to fall within an exemption or to ‘get out of’ a fine due to lack of awareness;
- Using data gathered for one legitimate purpose for a different purpose, without checking or understanding whether an appropriate legal basis exists for that use;
- Not knowing they have to document their processing activities and map out how they deal with data; and
- Engaging data processors or sharing data without appropriate written contracts.
First-year experience also shows that some charities and social enterprises are focusing their GDPR compliance on marketing and fund-raising, and perhaps HR too, at the risk of leaving other areas exposed.
For example, you may be meeting your obligations in terms of the data you hold on employees, volunteers and donors, but failing to do so on personal data relating to service users, contractors, suppliers and other contacts.
Another example: your HR and fundraising teams may know how to deal with requests to view, move or delete data, but other teams may not have any idea how to spot a Subject Access Request, let alone deal with it correctly.
Much of this comes down to staff training. A common scenario is that a single member of staff has received data protection training but hasn’t trickled it down to colleagues – perhaps because they don’t have the time to plan and hold regular training sessions or even because they’ve subsequently left the organisation without being replaced by a suitable data privacy manager or data protection officer.
Unfortunately, such situations may not end well. The light-touch enforcement stage of GDPR is now over, and you could well get stung if your GDPR focus ended at last year’s 25 May deadline. In fact, charities’ GDPR story is only just beginning.
This article featured in the latest issue of Third Force News (July 2019).