Daradjeet Jagpal explains why charities need to consider upcoming changes to data protection laws now
Data protection has been in the headlines, and with even multinational businesses suffering breaches, every organisation that handles personal data should make sure its house is in order.
Added to those existing responsibilities is the looming prospect of data protection reform.
The new EU General Data Protection Regulation (GDPR) is expected to be finalised before the end of 2015 and to come into force in the UK in 2018.
While that may seem some time away, in organisational terms it’s not. Now is the time to think about what steps your charity should take to prepare for the changes it will bring.
What’s changing?
This will be the most significant overhaul of data protection legislation for over 25 years, replacing the regime the Data Protection Act 1998 (DPA) currently sets out in the UK.
Data protection statements included within forms and correspondence will need to set out additional information, including how long the personal data will be retained, what rights individuals have over it and how they can complain.
Charities will not be able to rely on individual consent alone to justify use of personal data where there is a significant power imbalance between the charity and the individual, such as where the individual is an employee or service user.
If the individual’s consent to the use of their personal data is given in a document that concerns other matters, such as a contract, the consent statement will need to be distinguishable from the other content.
Where a request for access to personal data is made electronically, charities will need to supply the response in electronic form too. Charities will not be able to charge for responding unless the request is excessive, and the time limit for responding drops from 40 days to one month.
Individuals will have a right to obtain a copy of their personal data from one organisation so that it can be reused by another. An employee or volunteer who moves to another charity could use this, for example.
Data breaches are to be notified to the Information Commissioner's Office (ICO) and, where the breach puts individuals’ data at risk, to the individuals.
Annual data protection registration with the ICO will be abolished. However, the ICO will have more extensive powers of audit and charities will need to maintain comprehensive audit trails.
Finally, the fines proposed range from 2% to 5% of an organisation’s turnover. For larger charities that would be a substantial increase on the ICO’s current power to impose a fine of up to £500,000.
7 practical steps to take now
To make sure that your charity does not fall foul of the new rules when they come into effect, you should take action now:
- Complete a data protection audit to determine your current level of compliance.
- Ensure compliance with the DPA. A charity that cannot tick all of the DPA boxes will struggle with the GDPR.
- Provide staff and volunteers with data protection training.
- Review existing forms, correspondence and any other data protection statements used within the charity.
- Implement a data breach management policy so that the impact of any breach can be contained.
- Improve data security: limit access to personal data within the charity, use encrypted e-mail when communicating personal data, and monitor the network to reduce the risk of threats entering the charity’s systems.
- Consider cyber insurance to protect against the financial consequences of a data protection breach.
Daradjeet Jagpal is an associate at law firm Harper Macleod. He specialises in advising charities and other organisations on regulatory, governance and compliance issues.