General Data Protection Regulation (GDPR)
BACKGROUND
On 25 May 2018 the new General Data Protection Regulation (GDPR) comes into operation. This is the first major review of data protection law for 20 years and will significantly change how many organisations communicate with their audiences.
The legislation has primarily been introduced to protect the privacy of individuals while harmonising data protection law across the EU member states.
In practice it was also intended to shine a light on the behaviour of some commercial organisations and fundraising charities. However, the legislation affects any organisation which processes “personal data”, defined as any information relating to an identified or identifiable natural person.
The GDPR is an EU regulation and applies directly; the UK Data Protection Bill, which supplements it, is finishing its passage through Parliament. Although all indications are that there will be no changes to the detail or timescales, there cannot be total certainty at this point.
The Information Commissioner’s Office (ICO), which oversees the legislation in the UK, has made clear that after 25 May there will be a period in which it will look for organisations to demonstrate that they are “taking steps” to become compliant even if they have not yet reached that point.
INTERPRETATION
Unlike most legislation, GDPR is “principles based”, meaning that interpreting the rules to fit the particular circumstances of your own organisation is vital.
There are six lawful bases that can be used to justify the use of personal data to communicate with your audience. Only one of the six is required for a given purpose, and the basis can and will differ depending on the audience we are referring to.
The six are:
1. Consent – this is the one which has been seen most widely in the press. The requirement has been strengthened: the individual must give a clear, specific, informed and unambiguous indication of their wishes by a positive action. Pre-ticked boxes and “opt out” arrangements are no longer acceptable as consent. In simple terms the individual is “opted out” unless they explicitly advise otherwise (by ticking a box, for example). The individual must also be told how their data will be used, and must be able to withdraw consent as easily as they gave it.
2. Necessary for performance of a contract – this applies where a transaction has occurred and the communication is needed in order to fulfil the contractual relationship that now exists.
3. Necessary for compliance with a legal obligation – an example of this would be the retention of financial documentation for 6 years.
4. There is a “legitimate interest” – this refers to an interest of the organisation (or a third party), for example in selling something or raising money for a cause. The key questions to ask ourselves are: is the processing actually necessary for that interest? would the individual reasonably expect to hear from us? and would there be any negative impact on the individual through our communicating with them? Note that direct marketing sent by e-mail or text message is additionally governed by the Privacy and Electronic Communications Regulations (PECR), which GDPR does not replace.
5. Vital Interests – essentially refers to “life and death” situations.
6. Public Task – this refers to public authorities or those carrying out a task in the public interest.
Some guidance also refers to “implied consent” arising when a contract is created; for example, if an individual pays to attend an event it would be deemed appropriate to notify them about upcoming events. “Implied consent” is not itself a lawful basis under GDPR, so the scenario above should be justified as performance of a contract or as a legitimate interest rather than as consent.
Communicating with our Members
Communications sent to members to notify them of upcoming events or items of interest would fall within the criteria of both:
• Performance of a contract;
• Legitimate interest.
Members of local Societies automatically become members of The Arts Society in a non-voting capacity (as per the Articles of Association).
Performance of a contract and legitimate interest are each lawful bases in their own right, so where one of them applies there is no need to obtain separate consent for the use of personal data for the purpose of these communications.
Opting Out of Communications
The legislation gives the individual the right to object to communications (or certain types of communications); where the communication is direct marketing this right is absolute and must be honoured.
A process must be in place whereby individuals can be removed from any mailing list promptly if they request to do so, and the request must be acted on without charge.
The Right to be Forgotten
The legislation introduces the “right to be forgotten” (formally the right to erasure). This gives the individual the right to request that not only are they removed from any listings but that any historic information about them is also deleted. Caution is required, as this request cannot be used to override a legal requirement to hold information; for example, anything relating to financial or contractual matters must be kept for 6 years. That legal basis takes precedence over the request of the individual, although the individual should be told which data has been retained and why.
Subject Access Requests
Individuals are able to ask what personal data is being held relating to them and for what purpose, and to receive a copy of it. Such a request must be responded to within one month; this can be extended by a further two months for complex or numerous requests, but the individual must be told of the extension within the first month.
Retention of Data
The legislation does not stipulate how long data should be retained for. However, on inspection you must be able to explain and justify why you have chosen a specific timeframe, and data should not be kept once it is no longer needed for that purpose. As a general principle 6 years is a very good starting point, as this is the length of time for which data would be required in order to comply with either a financial investigation or a breach of contract case.
Data Security and Data Access
Any personal information must be kept securely and only accessed by those who have a legitimate reason to do so.
A common-sense and proportionate approach to data security and access will need to be followed depending on internal governance and operational structures. If information is kept in hard copy / paper form it should be kept as securely as possible, for example in a locked cabinet. Electronic data should be held on a computer protected by a login password or in a password-protected (encrypted) document. Note that a login password alone does not protect the files on a lost or stolen device; enabling the device’s disk encryption and keeping a backup are what protect the data in that situation. Spreadsheets of member details should not be sent by e-mail to personal accounts or stored on shared devices where others can reach them.
Access to data should at the very least be restricted to the Committee, and further limited within the Committee to those responsible for specific communications. In some cases this would be the Programme Secretary (for the purpose of notification of events) and the Treasurer (for the purposes of subscriptions and charges).
Outsourcing of Processes
In the event that personal data is transferred to a third party for processing (for example a mailing house or an online membership system), we remain responsible for ensuring that the third party is GDPR compliant. GDPR requires a written contract with any such processor setting out what it may do with the data, its security obligations and what happens to the data when the arrangement ends; a simple statement from the third party confirming that it complies with GDPR is helpful but is not sufficient on its own.
Demonstration of Compliance
In practice the Information Commissioner’s Office investigates an organisation mainly in response to a complaint or a reported breach, although it can act on its own initiative. In the event of an investigation, because of the wide scope for interpretation in the legislation, rather than looking at strict compliance it will focus on reviewing the overall plan that is in place and the processes that have been implemented. Keeping a short written record of which lawful basis applies to each type of communication, and of the retention and access decisions above, is the simplest way to demonstrate this.
Data Breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data; for example a lost laptop or memory stick, an e-mail sent to the wrong recipient, or a membership list put in the wrong hands.
In the event that this occurs, the organisation must inform the Information Commissioner’s Office within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay. All breaches, whether reported or not, should be recorded along with the reasons for the decision.
Next Steps
The first and most important principle underpinning the legislation is the requirement for the processing of personal data to be:
• Lawful;
• Fair;
• Transparent.
Although we have interpreted the legislation and feel that our communications fall under the joint umbrellas of contract fulfilment and legitimate interest, in the interests of transparency we feel that we need to be able to clearly answer two specific questions:
1. Why do you want my data?
2. What are you going to be doing with my data?
As part of the membership joining / renewal process we feel it would be good practice to include a narrative on the form. Template membership application and renewal forms can be downloaded at the bottom of this page.
A draft narrative for inclusion on the form should state:
• Members’ details will be processed fairly and lawfully in order to satisfy the agreement entered into with you on your admittance to membership. This will ensure that you receive the latest news and information about all upcoming events.
• Members’ details will be passed to “The Arts Society” to enable inclusion in the mailing of the quarterly magazine and other communications, including information about any upcoming national events or items of legitimate interest.
• Members’ details may be passed to “The Arts Society Area”, or to other affiliated societies, for the purposes of disseminating relevant information of legitimate interest.
• Your details will be kept safely and securely, and you have the ability to opt out of our communications at any time.
IN SUMMARY
We have interpreted that the processing of personal data by Societies is lawful on the basis of performance of the contract entered into when the individual joined the Society.
Additionally, the legal basis of “legitimate interest” is appropriate, as we can be confident that a member would expect their information to be used for the purpose of disseminating information to them in accordance with their membership of the Society, and there is no reason to think that the communication of this information would negatively affect the member in any way.
Therefore consent is not required, but as a matter of good housekeeping we would suggest that this is confirmed at the time of joining / renewing. It would also be good for transparency purposes to confirm how members would like to receive communications. GDPR is a very complex area but is not designed to adversely affect the relationships which exist between the Societies and their members. In terms of data security a common-sense approach is requested. As long as we are able to satisfy ourselves, and show, that we acted in the most appropriate and proportionate way, the ICO is likely to accept the procedures.
Once the legislation has been formally adopted we will provide a further update to confirm if there have been any material changes which would affect our interpretation.
Below is a link to the ICO website which does contain some useful additional resources.