Data Protection: From DPA to GDPR
April 2018
This presentation is intended to help you understand aspects of the Data Protection Act 1998, the General Data Protection Regulation and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
What Data Protection is about: 1
Protecting data means protecting people: clients, service users, beneficiaries, employees, volunteers, trustees, donors, members, customers, supporters and professional contacts.
Keeping information in the right hands (and knowing what the 'right hands' are).
Holding good-quality data.
What Data Protection is about: 2
Privacy, transparency & choice. (Slide illustration: "Give us more money!", "Support our campaign!", "But of course we shared your data".)
What Data Protection is about: 3
Recognise individual rights, such as:
- Right of Subject Access
- Right to opt out of direct marketing
- Right to compensation for harm
The current legal basis
- EC Directive 95/46/EC
- Data Protection Act 1998
- Similar legislation in most other European countries
- Privacy & Electronic Communications (EC Directive) Regulations 2003
- Codes of Practice and non-statutory Guidance: Information Commissioner, Fundraising Regulator
The EU General Data Protection Regulation (GDPR)
- Replaces our Data Protection Act on 25th May 2018
- Will continue to be part of UK legislation: a new Data Protection Bill is going through Parliament
- It is an evolution of what we have now, based on experience with the existing law and on technological changes
- The Principles remain essentially the same
GDPR themes
- Data Protection built into the way you work: "by design and by default"
- Data Controllers must hold evidence of compliance
- Emphasis on reducing risk
- Limited extension of individual rights
- More control over online services and large commercial organisations, especially multinationals
Personal data (Article 4(1))
“'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
QUIZ: Which of the following could contain personal data?
- The membership list of a self-help group, kept on someone's home computer
- A database of voluntary organisations in your area, used for printing a directory
- Statistics about your clients, for reporting to a funder
- Emails sent by a member of staff about a forthcoming event for clients
- A discussion that you overhear between two clients
- Photographs of your staff and volunteers, used for making identity badges
- A list on your work computer of people you intend to invite to a family wedding
Data Protection and Confidentiality overlap a lot, but they are not the same: draw clear boundaries between them.
Confidentiality
- How do you decide who needs access to what information, for what purposes?
- When and how might confidentiality have to be breached?
- Does everyone understand the same thing by it?
Data Protection or confidentiality (or both, or neither)?
- Someone posts a letter about an individual's medical condition to the wrong person by mistake
- Someone harvests a list of names and addresses from the web and uses them to advertise an event
- Someone discloses the outcome of a meeting about a possible merger with another organisation
- Someone publishes a photo without the permission of one of the people in it
Taking confidentiality seriously: the usual failure modes are chat and gossip, scams and mistakes, and security that is 'too onerous' to be followed.
Weak points on confidentiality
- Discussing confidential information with a partner or friend
- Posting confidential information on social media
- Talking about confidential information in public
- Working on confidential material in public
- Losing confidential documents or leaving them around
- Giving out information over the phone without checking who is asking
- Sharing information without people's permission
- Sharing or disclosing computer access details
- Disposing of paperwork carelessly
Legal basis for processing (Art 6)
At least one of the following must apply:
- With the consent of the Data Subject
- For a contract involving the Data Subject
- To meet a legal obligation
- To protect any person's 'vital interests'
- For a task carried out in the public interest or in the exercise of official authority (government and judicial functions)
- In your 'legitimate interests', provided the Data Subject's interests are respected
Legitimate interests
[Processing is lawful if it is] "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data …" (Article 6(1)(f))
ICO guidance on legitimate interest
"Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing."
The three-part test:
- Purpose: what is our legitimate interest?
- Necessity: why is the processing necessary to achieve it?
- Balance: does our interest outweigh the data subject's interests, rights and freedoms?
Action: Be sure that you know, and can justify, the legal basis of all your processing, especially where you rely on legitimate interests. Record the outcome of the three-part test for each such purpose.
'Special categories' of data
Known as 'sensitive data' under the DPA. The list in GDPR (Article 9) differs slightly:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade-union membership
- genetic data, and biometric data processed for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person's sex life or sexual orientation
Processing special categories is prohibited unless:
- The data subject has given explicit consent to the processing of those personal data for one or more specified purposes
- Processing is necessary … in the field of employment and social security and social protection law …
- … or one of eight other situations applies, including vital interests, not-for-profit membership processing, data manifestly made public by the Data Subject, and processing in the "substantial public interest"
Action: Identify any processing of special categories of data and determine your legal basis (Article 6) and your Article 9 condition for processing them.
Consent
Consent is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (Article 4(11)).
"Silence, pre-ticked boxes or inactivity should … not … constitute consent." (Recital 32)
Action: Determine whether any of your current processing is based on assumed consent and stop it, unless you can obtain valid consent or have another legal basis for the processing.
Obtaining valid consent
"[A] request for consent shall be presented in a manner which is clearly distinguishable from … other matters, in an intelligible and easily accessible form, using clear and plain language." (Article 7(2))
"The data subject shall have the right to withdraw his or her consent at any time." (Article 7(3))
"When assessing whether consent is freely given, utmost account shall be taken of whether … a contract … is made conditional on [consent to processing] that is not necessary for the performance of this contract." (Article 7(4))
Action: Review all the statements where you ask people for consent to ensure that they are clear and unambiguous, and that withdrawing consent is as easy as giving it.
Record-keeping
"Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data." (Article 7(1))
This means keeping some record of who gave consent, when, how and what for (and of any withdrawal) … but only where consent is your legal basis, of course.
Action Make sure that your CRM and other record-keeping systems have the capacity to record enough details of consent given – or withdrawn
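The following is an added example, not code from the presentation or from any CRM product, of the record-keeping capability the two slides above ask for: an append-only consent ledger in which each event records who, when, how and for what purpose, withdrawals are stored as further events rather than by deleting history, and a purpose-specific lookup returns the event that currently authorises processing (or nothing, since silence and inactivity are not consent). The purpose register, the donor reference "D-1001" and the evidence references are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical purpose register. Consent has to be "specific", so the ledger
# only accepts events for purposes the organisation has actually defined.
PURPOSES = {
    "email-newsletter": "Monthly email newsletter about our work",
    "sms-fundraising": "Fundraising appeals by text message",
    "phone-fundraising": "Fundraising appeals by telephone",
}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str   # CRM contact reference
    purpose: str      # one key from PURPOSES; one purpose per event
    given: bool       # True = consent given, False = consent withdrawn
    at: datetime      # timezone-aware time of the statement or action
    method: str       # how it happened: "web-form", "paper-form", "phone"
    evidence: str     # reference to the exact wording shown or the scanned form
    recorded_by: str  # staff member or system that logged the event


class ConsentLedger:
    """Append-only log: withdrawals are new events, history is never edited."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        if ev.purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {ev.purpose!r}; consent must be specific")
        if ev.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self._events.append(ev)

    def history(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """All events for one subject and one purpose, oldest first."""
        return sorted(
            (e for e in self._events
             if e.subject_id == subject_id and e.purpose == purpose),
            key=lambda e: e.at,
        )

    def current_basis(self, subject_id: str, purpose: str,
                      at: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """The event that authorises processing at time `at`, or None.

        Only a 'given' event not followed by a withdrawal counts. No record at
        all means no consent: the absence of an objection is not agreement.
        """
        at = at or datetime.now(timezone.utc)
        latest = None
        for e in self.history(subject_id, purpose):
            if e.at <= at:
                latest = e
        return latest if latest is not None and latest.given else None

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        return self.current_basis(subject_id, purpose, at) is not None


def demo() -> dict:
    """Constructed scenario: donor D-1001 consents to the newsletter by web form
    in March 2018 and withdraws by phone in April 2018."""
    ledger = ConsentLedger()
    t_given = datetime(2018, 3, 1, 10, 0, tzinfo=timezone.utc)
    t_withdrawn = datetime(2018, 4, 15, 9, 30, tzinfo=timezone.utc)
    ledger.record(ConsentEvent("D-1001", "email-newsletter", True, t_given,
                               "web-form", "privacy-notice-v3#newsletter", "website"))
    ledger.record(ConsentEvent("D-1001", "email-newsletter", False, t_withdrawn,
                               "phone", "call-log-2018-04-15-0930", "j.smith"))

    # A vague "agree to everything" record is rejected rather than stored.
    try:
        ledger.record(ConsentEvent("D-1001", "all-contact", True, t_given,
                                   "paper-form", "form-7", "volunteer"))
        unspecific_rejected = False
    except ValueError:
        unspecific_rejected = True

    april_1 = datetime(2018, 4, 1, tzinfo=timezone.utc)
    basis_before = ledger.current_basis("D-1001", "email-newsletter", april_1)
    return {
        "before_withdrawal": ledger.has_consent("D-1001", "email-newsletter", april_1),
        "after_withdrawal": ledger.has_consent("D-1001", "email-newsletter",
                                               datetime(2018, 5, 25, tzinfo=timezone.utc)),
        "sms_never_asked": ledger.has_consent("D-1001", "sms-fundraising"),
        "evidence_before": basis_before.evidence if basis_before else None,
        "unspecific_rejected": unspecific_rejected,
        "events_kept": len(ledger.history("D-1001", "email-newsletter")),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice to note is that withdrawal never deletes the original consent record: both events are needed to show the ICO that processing between March and April was lawful and that it stopped afterwards.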
What are the Data Protection Principles? (Quiz)
- A legal obligation for all organisations?
- ICO recommended good practice?
- A standard you can apply for?
- A statement of intent on which GDPR is based?
And how many are there?
The Data Protection Principles: now (DPA 1998) and new (GDPR)
1. Data 'processing' must be 'fair' and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive (GDPR wording: "limited to what is necessary")
4. Data must be accurate & up to date where necessary
5. Data must not be held longer than necessary
6. Data Subjects' rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad
First two Principles (Art 5(1)(a) & (b))
"Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ('purpose limitation')"
This means that people must know enough about what you want to do, or are doing, with their data, and in some detail.
Transparency
Data Subjects must usually be made aware of (Article 13):
- the identity and the contact details of the controller
- the purposes as well as the legal basis of the processing
- where relevant, the legitimate interests relied on
- any recipient(s); any overseas transfers
- the storage period or the criteria used to determine it
- the right of access to data and to rectification or erasure
- the right to withdraw consent at any time
- the right to lodge a complaint with a supervisory authority
- whether the provision of personal data is [contractually] required [or] the data subject is obliged to provide the data, and … the possible consequences of failure to provide [it]
The 'layered' approach
- A full transparency statement, setting out your purposes and processes in some detail, which people can click through to or obtain on request (or get sent with a welcome pack, for example)
- A succinct privacy notice each time you obtain data, to ensure that the Data Subject knows enough to decide whether to provide their data or not
Actions
- Carry out an exercise to document in detail what you do with personal data and work out how best to explain this to your Data Subjects in a full privacy statement
- Write a set of appropriate short privacy notices, based on your full privacy statement, for use in different situations, and ensure that they are used consistently across your organisation
The next three Principles (Art 5(1)(c-e))
Data must be:
- adequate, relevant and limited to what is necessary in relation to the purposes … ('data minimisation')
- accurate and, where necessary, kept up to date; every reasonable step must be taken to [erase or rectify] personal data that are inaccurate … without delay ('accuracy')
- kept in a form which permits identification of data subjects for no longer than is necessary ('storage limitation')
Action: There should be little to do if you are compliant with the current DPA Principles, but you might want to check. In particular, you may want to draw up a full retention schedule showing how long you keep different kinds of data, and why. Don't forget emails.
Data Subject rights
- Subject Access (no fee in most cases; respond within one month rather than 40 days)
- Rectification (correction and completion)
- Erasure ("right to be forgotten")
- Restriction of processing
- Portability
- Rights relating to profiling & automated decision-making
- Complaints and compensation
- Direct Marketing (coming up)
Action: Make sure you are aware of all these rights and find out more about any that might affect your processing.
Marketing is affected by:
- Data Protection Act
- Privacy & Electronic Communications Regulations
- GDPR
- Code of Fundraising Practice
- Fundraising Preference Service
What RSPCA & British Heart Foundation got into trouble for (ICO fines of £25,000 and £18,000 respectively)
All of the following was done without the Data Subjects' knowledge or consent:
- Data sharing on a massive scale, through the Reciprocate scheme
- Data matching to amend or add to the contact data they held
- Wealth screening and profiling their donors
What counts as direct marketing?
- DPA: the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
- GDPR: [not defined]
- ICO Guidance: All promotional material falls within this definition, including material promoting the aims of not-for-profit organisations. … It will also cover any messages which include some marketing elements, even if that is not their main purpose.
- ICO practice: Asking someone to change their marketing preferences also counts as marketing.
Direct marketing (GDPR)
- Every Data Subject has the right to object to receiving direct marketing, and the objection must be honoured
- "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." (Recital 47)
- So … you don't need consent … or you wouldn't, if not for the Privacy & Electronic Communications Regulations 2003 (the EU is reviewing the underlying ePrivacy rules, but a replacement is unlikely to come into effect alongside GDPR)
Privacy & Electronic Communications Regs. 2003
- Post: the Mailing Preference Service is voluntary and not part of PECR
- Telephone: the Telephone Preference Service is mandatory under PECR. You must not make a marketing call to anyone whose number is on the TPS (or Corporate TPS) unless they have given prior consent
- Email/SMS: confusing, but covered by PECR. The rules apply to individual subscribers' email/SMS, not to corporate ones. Marketing similar products or services to existing customers is permitted (the 'soft opt-in'); otherwise you must have prior consent
Marketing strategy
Many charities are adopting the following:
- Fundraising, campaigning, free events, promotion: mail under legitimate interests (with a robust opt-out); consent for email, text and phone
- Trading, paid events, membership: mail under legitimate interests (with a robust opt-out); email existing customers under legitimate interests (with a robust opt-out and unsubscribe); consent for phone (and sometimes text)
Action: Decide on your strategy, how you are going to get there, and how you are going to handle your existing database(s).
Children
Special protection, involving parental consent, particularly when:
- offering "information society services"
- providing information to children
- considering legitimate interests
The UK Government is setting the cut-off age at 13 and excluding [online] "preventive or counselling services".
Action: If you provide any kind of service directly to children, ensure that you understand what you need verifiable parental consent for, and check that your privacy notices are sufficiently easy for children to understand.
Security breaches A volunteer is carrying out a home visit to a client on behalf of a charity. This involves collecting information about the client’s personal circumstances. After the visit, the volunteer leaves the file in her car while she pops into a shop, not noticing that the window is open. When she comes back the file has gone. Who has done what wrong?
Sixth GDPR Principle (Article 5(1)(f)): 'integrity and confidentiality'
- Must protect against unauthorised or unlawful processing and against accidental loss, destruction or damage
- Must use 'appropriate' 'technical or organisational measures'
- 'Data minimisation' also helps: data you no longer hold cannot be lost
Penalties
- Current maximum penalty (DPA 1998): £500,000
- GDPR maximum: €20,000,000 or 4% of annual worldwide turnover, whichever is higher
- Most penalties up to now have been for security breaches and for blatant marketing without consent by phone, email or text
Recent events
- Alzheimer's Society: enforcement notice because they were allowing volunteers to hold sensitive data on personal equipment and without adequate training
- Thirteen charities fined for sharing donor data without consent and marketing to each other's donors, plus other activities
Penalties for security breaches
- British Pregnancy Advisory Service: website hacked, made easy because the default administrator password had not been changed; a store of highly personal messages from 9,700 clients was stolen. £200,000
- Charity social worker left four sets of highly confidential adoption reports outside a house when the intended recipients were not in to receive them. £70,000
- London HIV support group disclosed recipients' email addresses when sending out an e-newsletter, some of which identified the individuals. £250
- An Aberdeen City Council social worker, working from home, inadvertently allowed her computer to upload confidential documents to an unprotected web site. £100,000 (levied on the council as controller)
Key security measures
- Protect 'data in transit': access controls and encryption on phones, tablets, USB devices and laptops; extreme care when emailing (encrypt attachments?); care of paper confidential documents
- Network security: anti-virus, firewall, individual log-ons, etc.
- Website security (change default credentials, keep software patched)
- 'Bring Your Own Device' policy and working-from-home policy
- Policy on use of cloud applications
- Physical security: access to the building, clear desks, locked filing cabinets
- Secure destruction: shredding, etc.
- Staff reliability: checks, supervision, monitoring
- External contractors ('Data Processors')
Action: If your current security measures are fit for purpose, you are unlikely to need to do much more. However, it would be worth reviewing them to ensure they are up to date with the latest technology and threats. Don't forget that procedures, guidance and training are just as important as physical and electronic measures.
Breach notification
- Must notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals
- Must inform the affected people without undue delay where the breach is likely to result in a high risk to them
Action: Make it clear to your staff (and volunteers) that, while anyone can make a mistake, failing to report a breach (or potential breach, or near miss) immediately to the relevant person in your organisation will be treated as gross misconduct. Otherwise you run the risk of not finding out about a breach quickly enough to meet the 72-hour deadline.
Keeping records
You must be able to demonstrate how you are complying. Basic information you must hold:
- The purposes of your processing
- The types of Data Subject and Personal Data you use
- The recipients you will disclose the data to
- Any overseas transfers
- Retention periods, where possible
- A general description of your security measures, where possible
Action: Start maintaining a set of relevant records now. Don't leave it until May 2018, because any decisions or actions you take now will affect your future data processing.
Data Protection by design & by default
Action: Make sure that everyone responsible for starting projects or setting up systems is aware of the need to incorporate Data Protection as a matter of course. Make Data Protection a standard checkpoint before any project or system is signed off.
Relations with other organisations
Joint controllers must set out their respective responsibilities in a 'transparent manner'.
Action: Review all your collaborative projects and activities to ensure that, where applicable, your agreements are clear on each party's Data Protection responsibilities.
Data Processors
- Contracts must meet the requirements of GDPR (Article 28)
- Processors can be directly liable
Action: Make sure you can identify all the Data Processors your organisation uses, and review your contracts against the GDPR list of matters that must be covered.
Data Protection Impact Assessments
Required where processing is likely to result in a high risk to individuals.
Action: Make relevant staff aware of the situations in which an impact assessment is likely to be required.
Data Protection Officer
- Required for public bodies and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data
- Must be suitably qualified and have authority within the organisation
- Most organisations need someone in the role anyway, in order to have oversight of Data Protection compliance
Action: Review the Data Protection Lead role in your organisation and make changes if necessary.
Transfers abroad
Action: Note the new requirement for Data Subjects to be informed if their data is being transferred abroad. Make sure you know where all your data is being stored or processed, including by cloud providers and other Data Processors.
Thank you. Any questions?