Enforcement of the GDPR commences on 25 May 2018, led by the Information Commissioner’s Office (ICO). The GDPR was introduced in May 2015, and organisations were given two years to put in place the necessary mechanisms to ensure they are compliant with this new regulation.
The penalties for non-compliance are 4% of the annual turnover of the organisation, or £17m (whichever is higher).
The GDPR focuses on Personally Identifiable Information. This is any data which identifies an individual, such as names, telephone numbers, email addresses, computer IP addresses – basically, anything that can be used to identify someone.
GDPR affects staff and volunteer personnel files as well, so every organisation regardless of size must comply with this regulation. Organisations will have to prove their legal right to hold, use, retain or share any personal data. This is now enshrined in law.
Data protection is not just an IT issue. It may properly be described as protecting people against the unwarranted adverse effects arising from the processing of their personal data.
The GDPR introduces special protection for children’s personal data. Broadly, for a child under 13, there will be a need to have consent from a parent or guardian in order to process any data lawfully.
A charity working with children and young people will need to put in place (if it has not already done so) a “Data Collection of Children and Young People Policy”. This policy should stipulate what data is to be collected, by whom, how is it to be stored, how long it will be held etc. It will caution about copying or storing this data except as specified. This might include prohibiting the storing of a child or young person’s data on a telephone, for example.
A charity working with children and young people must conduct a Data Protection Impact Assessment (DPIA) to prove that they require the data they hold, and that it is not excessive. It also needs to analyse the risks to the individual of the data being misused. It is important to understand that these are the risks to the individual and not the charity. This is fundamental.
With regards to the right to be forgotten, although an individual’s record cannot be deleted, the DPIA should dictate that any extraneous data collected (religion, diet, etc.) should be removed.
Interestingly, Article 6(1)(f) Recital 38 states that parental consent does not necessarily need to be required in the context of preventative and/or counselling services offered directly to a child, although this suggestion does not appear to be reflected in the articles of the GDPR itself.
The GDPR will particularly hit charities offering after-school clubs for children. This includes faith charities providing religion-based activities for children after school or in the school holidays.
The ICO has already signalled that it intends to enforce the law after the May 2018 deadline. In 2017, the ICO fined 13 charities, some relatively small, for improper use of personal data. Elizabeth Denham, the Information Commissioner, has been quoted as saying: “These fines draw a line under what has been a complex investigation into the way some charities have handled personal information. While we will continue to educate and support charities, we have been clear that what we now want, and expect, is for charities to follow the law.”
The GDPR demands that, even for small charities, the electronic collection and use of personal data is thought about, managed, and tested in advance.
For activities with children organised by charities, consents will be required for children to attend, lists generated for group leaders, and contact details stored and made available as necessary. Extra protection is required for “sensitive data”, such as medical conditions, allergies, parental access restrictions etc. A charity running activities for children will inevitably need to obtain sensitive data about the children to ensure that helpers can make properly informed decisions during club activities. As such, the controls of that data are critical. For faith charities, attendance may indicate religious preferences (even if by implication) and this also falls into the category of sensitive data.
The list below sets out the absolute minimum requirements for a charity working with children or young people.
4. Consent notices
5. Subject Access Request (where someone asks an organisation to supply them with all the data that organisation holds about them)
6. Data Breach
7. Appointment of a Data Protection Officer
8. Staff / volunteer training
9. Data Protection Impact Assessment (DPIA)
The DPIA will reveal various critical undertakings. For example, where are the DBS checks on staff/volunteers stored, or what forms of email communications are undertaken?
The important questions to ask are, “Am I working with this data both within the law and with the consent of the individual who owns the data, and are my activities upholding the rights of that individual?”