WCVA launch new resources to help you prepare for GDPR
Date published: 15/05/2018
Whatever size or structure your organisation is, if it collects and uses personal data (such as contact details) from donors, beneficiaries, volunteers, staff or any other individuals, the GDPR is likely to apply to you.
The General Data Protection Regulation (GDPR):
The GDPR is a new European law that has been introduced to improve and unify data protection across the EU. All member states will have to comply with the GDPR from 25 May 2018, so the GDPR will replace the Data Protection Act 1998 in the UK from that date. Any organisation that processes personal data of EU citizens will be required to comply with the GDPR, regardless of where the organisation is based globally, so the fact that the UK is due to leave the EU does not mean that the GDPR will not apply to UK organisations in the future.
The Information Commissioner's Office (ICO) will regulate the implementation of the GDPR in the UK.
While there are many similarities between the Data Protection Act and the GDPR, there are some key changes to be aware of, including:
- a reduction in the number of data protection principles, from 8 to 6 (although they remain very similar in content to the 8 principles set out in the Data Protection Act), and a new overarching principle of accountability;
- a change of terms used, so that 'sensitive personal data' will be referred to as 'special category data' instead;
- a requirement for more detailed privacy notices to be provided to individuals when data is collected from them, including information such as the lawful basis that the organisation is relying upon to process that individual's data;
- the need for certain organisations to legally appoint a Data Protection Officer (if specific criteria are met);
- enhanced data protection rights for individuals, including the right to erasure (also known as the right to be forgotten) and a new right of data portability;
- a requirement for consent to be 'opt in' (where the lawful basis for processing data is consent), rather than implied, and it must also be clear, specific and easily withdrawn;
- a duty for all organisations to report certain breaches of personal data, within 72 hours of becoming aware of the breach;
- the need for some organisations to carry out a data protection impact assessment if their processing of personal data is likely to result in a high risk to an individual's rights;
- a significant increase in the level of fines that the ICO can impose for breaches of personal data.