General Data Protection Regulation – Charities’ responsibilities and protection

‘Data is the new oil’ is a phrase that has been heard many times in recent years but for some, charities and small businesses in particular, data may feel like more of a burden.

In this article we will explore the impact of the General Data Protection Regulation (GDPR) on day to day administration of charities, the consequences of falling short of Information Commissioner’s Office (ICO) requirements and how organisations can protect themselves going forward. The introduction of the GDPR in May 2018 brought with it seven key principles which should ‘lie at the heart of your approach to processing personal data’. From the perspective of day to day administration, this article will focus on four of these principles in particular.

  1. (Principle c) Data minimisation – Many charities will hold personal data, often in paper format, going back over many years. This data should be adequate for the purpose it is being processed, relevant to that purpose and limited to what is necessary.
  2. (Principle e) Storage limitation – Put simply, personal data must not be kept for longer than it is needed. Consideration needs to be given to establishing policies and procedures for retention, erasure and anonymisation of data. The lower the volume of data held, the easier it is to manage.
  3. (Principle f) Integrity and confidentiality (security) – Ensuring personal data is processed responsibly is at the heart of the GDPR guidelines. Information, in all media forms, should be protected by measures appropriate to both the charity’s circumstances and the nature of the personal data held.
  4. Accountability principle – Those in a position of responsibility within a charity, namely its trustees, must be able to demonstrate compliance with the GDPR through implementation of a range of technical and organisational measures.

Whilst they are by no means more important than the three remaining GDPR principles (Lawfulness, fairness and transparency / Purpose limitation / Accuracy), the four principles listed above could be prioritised chronologically to ensure a time efficient approach to GDPR compliance. For example, there would be no need to verify the accuracy (Principle d) of personal data if it is to be erased because it is no longer relevant (Principle c) or because of its age (Principle e).

The ICO website also provides a step by step self-assessment of how well your organisation complies with data protection law, at the end of which a report is generated giving practical guidance to improve knowledge and compliance.

The ICO website publishes details of enforcement action it has taken over recent months. Reassuringly, many of the enforcement and penalty notices issued are against firms that have breached data protection rules relating to telemarketing activity, or against large organisations (including some charities) found to have misused or failed to protect personal data. Smaller organisations and charities should be conscious, however, that they are obliged to comply with the same regulations even with comparatively limited resources.

On 28th November, the ICO website announced that since September it had issued more than 900 ‘notices of intent to fine’ to organisations over non-payment of mandatory data protection fees. Of these, more than 100 remain unpaid, for which penalty notices have now been issued. The fines under this section of the GDPR range from £400 to a maximum of £4,350 depending on company size by turnover and number of staff. For comparison, data protection fees range from £40 to £2,900 according to size.

Whilst many charities may be exempt from payment of data protection fees, not all are, and some will be subject to the Tier 1 £40 fee regardless of size. The ICO website includes a self-assessment questionnaire (within which is a dedicated non-profit organisations page) for organisations to determine whether or not they are exempt.

Following on from the data protection fee fines scenario above, it is important to note that non-payment is deemed to be a civil offence under the GDPR, whereas it was deemed to be a criminal offence under the previous Data Protection Act 1998. Criminal offences are not insurable by law, whereas civil offences, where permissible by law, are insurable. Whilst serious breaches of the GDPR may result in criminal proceedings, it is useful to know that some form of protection is available for lesser breaches which result in a civil fine.

  1. Cyber & Data Insurance – many insurers now offer policies to cater for the risk exposure faced by organisations reliant on IT infrastructure and/or responsible for handling data, including personal data.
  2. Management Protection Insurance – provides protection for the assets of individuals holding a position of responsibility within an organisation as well as protection for the assets of the organisation itself.

Both types of insurance policy listed above should be given in-depth consideration by charity trustees. The process to obtain quotations is very straightforward, in most cases, and entry level premiums are as low as £200.