What are the latest GDPR developments?

Protecting client data is a top issue among compliance teams. Since the implementation of the EU General Data Protection Regulation (GDPR) framework, charities of all sizes have to ensure that personal data stays private.

 

The data includes personal details, IP addresses, and anything that could be used to directly or indirectly identify an individual. For charities, information around race, religion, ethnicity, political opinions, or age is considered sensitive and should be protected.

 

Brexit means space for the existing framework to change. Under the current legislation, the EU’s GDPR framework was considered under the UK’s Data Protection Act (DPA).

 

With Brexit now in full force, the country has an opportunity to amend existing laws. For charities, it’s important to get up to speed on GDPR and keep ahead of possible developments.

 

 

What’s happened in GDPR?

 

Prior to Brexit, GDRP and DPA frameworks meant that charities needed to consider whether they need to collect data or not. Earlier, we outlined a three-part test of legitimacy.

 

In addition to testing whether data is needed, charities are required to employ a designated ‘controller’ – someone who determines how the data is processed and stored.

 

The laws also mandate that charities inform and get consent from audiences about what’s being collected and how it’s used. CAF summarises the situation in an infographic.

 

To put it neatly, charities are obligated to ensure that only essential data is collected, that audiences are aware of it, and that data is stored for a limited amount of time.

 

 

Post-Brexit, what’s next?

 

In the post-Brexit world, the UK government has an opportunity to overhaul legislation from the EU. This includes reviewing GDPR laws and assessing whether to amend them or not.

 

The first thing to understand is that the EU’s GDRP frameworks and the depth of that piece of legislation no longer applies. That means that the detailed structure around the rights and obligations are not enforced. However, the DPA still applies.

 

So far, nothing has been amended in the legislation but there are rumblings of change. Oliver Dowden, Minster for Culture (since, he has been removed from this post) says change is coming: “[Brexit] means reforming our own data laws so that they’re based on common sense, not box-ticking. And it means having the leadership in place at the Information Commissioner’s Office to pursue a new era of data-driven growth and innovation.”

 

In practice, the Guardian reports that potential GDPR rules could change how Britons browse the Internet. Amending certain pieces of legislation could spell the end of annoying pop-ups, cookies, and consents.

 

 

Common pitfalls to avoid

 

While there is still much uncertainty around GDPR and DPA changes, charities can avoid missteps. Fines are relevant for charities. Unchanged by Brexit, they are administered by the Information Commissioner’s Office.

 

There have been a few fines issued to charities. The most high-profile breach of privacy involves HIV Scotland. The charity sent an email to 105 recipients and failed to use the blind-copy function.

 

Consequently, 65 recipients, whose names formed part of their email addresses could be identified. Sadly, the message inferred the HIV status of certain individuals.

 

The ICO issued a fine because the charity didn’t do enough to protect sensitive data. To avoid that mistake, identify key risks before implementing migrations. Then, proceed cautiously along a fixed timeframe so that compliance isn’t compromised.