GDPR // What to do in January

31.12.17

GDPR has got a lot of heads spinning, but what does it all mean? The General Data Protection Regulations (GDPR) will be implemented from May 2018.

Every month until next May, we will bring you one or two actions directly from the Information Commissioner’s Office to help you make sure you’ve covered everything. Our best advice is to read the ICO’s Overview of GDPR and consider how it applies to your organisation.

What to do in January

Consent

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent. Public authorities and employers will need to take particular care. Consent has to be verifiable and individuals generally have more rights where you rely on consent to process their data.

You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.

Read the detailed guidance the ICO has published on consent under the GDPR and use the ICO consent checklist to review your practices.

Remember:

  1. GDPR follows the same principles as the Data Protection Act; these new regulations tighten up existing legislation.
  2. GDPR applies to data held about individuals.
  3. GDPR has implications for your whole organisation, not just fundraising.
  4. There is no definitive list of what you must do to comply. Our best advice is to read the ICO’s Overview of GDPR and consider how it applies to your organisation.

Please note: content for this article comes from the Information Commissioner’s Office website.