David Mills examines the questions that charity staff are asking about GDPR
You’re probably fed up of hearing about GDPR. But what are the real questions people ask during training?
As training providers to SCVO, we have delivered courses to various third sector organisations so far this year. Here are the five most common GDPR questions we’ve been asked.
Do we really have to complete a data audit?
The answer is yes.
Without it, how can your organisation know what data it holds, where it is held or stored, how long it is kept for, who it is shared with, who has access to it, what purpose it serves, and what legal basis has been allocated to the processing?
Without the above documented, and the chain of processing traced from collection to deletion, organisations will struggle with most other areas of GDPR. There is also a legal requirement to keep such a record: Article 30 of the EU GDPR (records of processing activities). Note that the Article 30(5) exemption for organisations with fewer than 250 employees only applies where the processing is occasional, is unlikely to result in a risk to data subjects, and involves no special category or criminal offence data; a charity holding ongoing records of donors, members or service users will rarely be able to rely on it.
Surely we need consent to process the data?
The answer is no, not in all cases; in fact, only in certain circumstances. Article 6 sets out six legal bases that make processing lawful, and consent is only one of them. There will be occasions when consent is the appropriate legal basis, but where it is used it must meet the GDPR standard (freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give, per Article 7). The five other legal bases will often better serve an organisation’s needs. They are:
Contract: Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
Legal obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject.
Vital interests: Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Public interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Legitimate interest: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child. (This basis is not available to public authorities for processing carried out in the performance of their tasks.)
I get confused with data controllers and data processors - are our staff the data processors?
This confuses many people. The fact that employees might physically 'process' the data during their work doesn't mean that they are processors.
Data controller (Article 4(7)) - The natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor (Article 4(8)) - The natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Employees are NOT processors; they act as part of the controller. A processor is a separate organisation that handles personal data on your instructions, such as a payroll bureau, a mailing house or a cloud CRM or email provider, and Article 28 requires a written contract with each of them setting out what they may do with the data.
Will we really get fined by the ICO?
This is the tricky question!
The GDPR and the DPA are law. As with any law, if you fall foul of it and are caught, you can be punished. If an organisation has made no effort to get to grips with GDPR and subsequently comes to the attention of the ICO (as the result of a data breach, a failure to comply correctly with a subject access request, etc.), the chances are that some form of investigation, action and/or punishment will follow.
However, if an organisation has taken appropriate steps toward compliance (it has processes and procedures in place, has undertaken training, and has done all the other ‘good things’ needed to demonstrate its accountability), the chances are that the ICO will be more pragmatic in its approach.
In fact, they have stated: “Those organisations that self-report, who engage with us to resolve issues and who can demonstrate strong information rights accountability arrangements, can expect us to take these into account when deciding how to respond”
We were told we needed a data protection officer. Do we?
It depends on your organisation, what it does, and how much data, and what categories of data, it processes.
Article 37(1) of the GDPR states that the controller and the processor shall designate a data protection officer in any case where:
The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
The core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
If none of these conditions applies, you may still appoint a DPO voluntarily under Article 37(4), but the ICO’s guidance is that a voluntarily appointed DPO is then subject to the same Article 37 to 39 requirements (independence, reporting to the highest level of management, adequate resources and no conflict of interest), so the decision should be a considered one.
David Mills is a director of Computer Law Training Ltd