The Department for Media, Culture and Sport (DCMS) recently published a consultation, calling on businesses and charities alike to offer their views on potential exemptions within the upcoming General Data Protection Regulation (GDPR) legislation.
The EU’s GDPR will come into force in the UK from 25 May 2018, and the legislation contains certain derogations where the UK can exercise discretion over how provisions will apply. The consultation paper splits the legislation into 14 themes, and respondents are encouraged to consider the derogations in the Articles relating to each specific theme. Themes which may be of particular interest to charities include:
- Theme 6 – Third Country Transfers
- Theme 7 – Sensitive Personal Data and Exceptions
- Theme 12 – Processing Data
- Theme 14 – Rules surrounding Churches and Religious Associations
This consultation has now closed. CTG has responded, highlighting the need for the implementation of the GDPR to recognise the practical implications for charities at an operational level, where there are conflicting obligations to contact donors for administrative reasons. The response also calls for further discussions between HMRC, the ICO and charities to establish what is and is not permitted in respect of donor contact and Gift Aid.
The 1995 EU Data Protection Directive (95/46/EC) established a harmonised framework for the processing of personal data and for the free movement of such data within the EU. The UK implemented the Directive through the Data Protection Act 1998 (DPA), which is the main piece of legislation that governs the protection of personal data in the UK today.
The rapid growth of the digital economy over the last decade has resulted in an enormous increase in the volume of exchanges of personal data. Delivery of services and content on the internet is often linked to the collection of information about users and their habits and preferences. These developments have raised issues around the need to strengthen the rights of individuals and protection of personal data online.
In 2012, the EU Commission published proposals for the reform of data protection legislation. In April 2016, the GDPR, which repeals and updates the Data Protection Directive, was formally agreed. It is directly applicable legislation and will therefore automatically become part of UK law from 25 May 2018.
From that date, all businesses and public bodies will have to comply with the GDPR and its new and different requirements. UK citizens will benefit from new or stronger rights:
- to be informed about how their data is used
- around data portability across service providers
- to erase or delete their personal information
- over access to the personal data an organisation holds about them
- to correct inaccurate or incomplete information, and
- over automated decisions and profiling
Charities must be aware of all of their requirements and should prepare for the GDPR prior to its launch. This may mean, for example, putting new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. The Information Commissioner’s Office has published a helpful briefing on the 12 steps to take now in order to prepare for the GDPR coming into force.