GDPR // What to do in November
GDPR has got a lot of heads spinning, but what does it all mean? The General Data Protection Regulations (GDPR) will be implemented from May 2018.
Every month until next May, we will bring you one or two actions directly from the Information Commissioner’s Office to help you make sure you’ve covered everything. Our best advice is to read the ICO’s Overview of GDPR and consider how it applies to your organisation.
What to do in November
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion? Find out more from ICO: Individual rights.
The right to data portability is new. It only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
Find out more from ICO: Data portability
You should consider whether you need to revise your procedures and make any changes. You will need to provide the personal data in a structured commonly used and machine readable form and provide the information free of charge.
Subject access requests
You should update your procedures and plan how you will handle requests to take account of the new rules:
- In most cases you will not be able to charge for complying with a request.
- You will have a month to comply, rather than the current 40 days.
- You can refuse or charge for requests that are manifestly unfounded or excessive.
- If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.
If your organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly. You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online. Find out more from ICO: Subject Access Requests
- GDPR follows the same principles as the Data Protection Act- these new regulations tighten up existing legislation.
- GDPR applies to data held about individuals.
- GDPR has implications for your whole organisation, not just fundraising.
- There is no definitive list of what you must do to comply. Our best advice is to read the ICO’s Overview of GDPR and consider how it applies to your organisation.
Please note: content for this article comes from the Information Commissioner’s Office website.