GDPR // What to do in February

02.02.18

GDPR has got a lot of heads spinning, but what does it all mean? The General Data Protection Regulations (GDPR) will be implemented from May 2018.

Every month until next May, we will bring you one or two actions directly from the Information Commissioner’s Office to help you make sure you’ve covered everything. Our best advice is to read the ICO’s Overview of GDPR and consider how it applies to your organisation.

What to do in February

Children and Young People

Does your organisation work with or hold information about individuals under 16? Start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking.

If your organisation offers online services (‘information society services’) to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.

This could have significant implications if your organisation offers online services to children and collects their personal data. Remember that consent has to be verifiable and that when collecting children’s data your privacy notice must be written in language that children will understand.

You can find references to where special consideration needs to be given in your GDPR procedures if you work with children and young people, here via the ICO website

Remember:

  1. GDPR follows the same principles as the Data Protection Act- these new regulations tighten up existing legislation.
  2. GDPR applies to data held about individuals.
  3. GDPR has implications for your whole organisation, not just fundraising.
  4. There is no definitive list of what you must do to comply. Our best advice is to read the ICO’s Overview of GDPR and consider how it applies to your organisation.

Please note: content for this article comes from the Information Commissioner’s Office website.