GDPR The General Data Protection Regulation May 2018
NAME ANTONY CULLUP
DATE MAY 2018
GDPR comes in on the 25th May 2018 and it affects every organisation that processes personal data, which includes charities and voluntary organisations. It is a piece of EU legislation but the UK Government have confirmed that Brexit will not affect the implementation of the GDPR.
The Majority of GDPR is reaffirmation of existing data protection legislation. It does however introduce new duties, rights and constraints. The implications of the GDPR for charities are on the whole, not as great as they are for some other organisations.
GDPR is largely common sense. It is concerned with protecting the rights of individuals, but not to do so in a may that imposes unreasonable demands or obstacles
- Personal data should be kept secure at all times.
- Personal data should not be uses for anything other than the clear purposes for which it was collected.
- Personal data should be processed fairly, and in a transparent manner.
- Personal data should only be processed where here are ‘lawful grounds’ (see below)
- Privacy of personal data should be designed into every process.
- Data breaches must be reported and can incur fines.
- Parental consent is required for processing data of children, which in the UK the government has determined to be under 13
GDPR is concerned with personal data in a form which would allow the individual to be identified. It is not concerned with properly anonymised data about an individual, nor is it concerned with the aggregated data about a group.
1 Legitimate interests- a charity may process data on the basis of ‘legitimate interests’ where it is necessary to do so in order to carry out the functions of the charity / organisation and that the data subject would reasonably expect us to do.
In the case of CPG we have a legitimate interest in capturing data to assess suitability to provide a service, to provide such a service, follow on or return to service and if required debt recovery once a data subject is no longer a user of our services.
2 Performance of a contract - personal data may be processed where this is necessary in order to perform a contract with the data subject.
Typical examples within CPG would be a tenancy or licence agreement
3 Consent of data subject - The data subject being the person whom the data relates. There are instances where Cambridge Pringle wishes to process personal data , for which ‘legitimate interest’ or ‘performance of a contract’ are not reasonable ‘lawful grounds’ in these circumstances it is almost certain that CPG will require the consent of the data subject. Examples include: adding contacts to a newsletter mailing list, where they have not explicitly requested this; retaining resident personal data as a case study for media or reporting purposes,by which the client could be identifiable.
GDPR has some clear guidelines around gaining consent. Consent must always be :
- Clear - the data subject must know what use of their data they are consenting to.
- Distinct - a range of diverse data uses must not be bundled within a single consent, consent for data processing must not be hidden within other agreements.
- Active - the data subject ust actively and knowingly give consent; consent cannot be assumed; assumption must always be that the subject does not give consent, unless they have clearly signalled that they do.
- Right to withdraw - it must be clear to the data subject that they have the right to withdraw consent at any time. And they must be given a clear means of doing so.
4 Protecting the vital interests of the data subject where the data subject is incapable of giving consent.
CPG has residents that have profound learning disabilities, in such cases the information will be held under legitimate interest with the addition of protecting the vital interests of data subject by including statutory case managers and guardians within the data group for that individual.
CPG will share information in the event that the data subject is perceived to be a risk to themselves or another person.
5 Compliance with legal obligations
As above or when asked by a statutory authority eg Polic
6 Performance of a task carried out in the public interest, or in the exercise of official authority.
It is not expected that this will apply to CP
Data Subject Rights
Under GDPR legislation, data subjects (the person to whom the data relates) has a number of specific rights:
1 Right to be informed - the purpose for which their personal data is held; the ‘lawful basis, for processing the data; how long the data will be retailed; what their rights are ; who they should contact at CPG if they have any data protection questions; the consequences for them if they do not provide data.
2 Right to Correction - a data subject has the right to have their data corrected, if it has errors.
3 Right to object- a data subject has an absolute right to object if their data is used for direct marketing.
4 Right to restrict processing - a data subject has a right to restrict processing’ if they believe their personal data may be incorrect. CPG will still be able to store the data, but not do anything with it until the matter is resolved.
5 Right to be Forgotten - a data subject has the right for their data to be erased in three instances
- Where the data subject gave specific consent, and has withdrawn that consent.
- Where they object to CPG processing of their data, and we cannot demonstrate compelling legitimate grounds.
- If data is no longer needed
6 Right to know what data is held - otherwise known as ‘Subject Access Request’.
7 Right to complain - A data subject has a right to complain about the retention or processing of their personal data.
Personal data must be kept secure at all times and must only be used for the legitimate purposes for which it was obtained. The definition of a data breach is quite ranging . It is a breach of (data) security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, access to, personal data transmitted, stored or otherwise processed’.
Examples of data breaches could include
- Emails containing personal data that are copied to the wrong address.
- Paperwork left visible in a public place, and observed by an unauthorised person.
- An ex employee being able to access ata after their departure
CPG will keep an ‘internal breach record’ for all data breaches. This documents the facts relating to the breach, its effects and the remedial action taken, and a record of it being reported to the trustees.
The decision will be taken by the data controller and the trustees as to whether the data breach needs reporting to the ICO
CPG Data Controller is the Chief Executive.
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
0303 123 1113