Data Protection Reform – May 2018
21-Nov-2017
The revisions for Data Protection law are due to take effect from 25th May 2018, and organisations are being advised to prepare for the changes.
In roughly six months’ time, the rules surrounding Europe's data protection policies will be going through their biggest changes in nearly 20 years.
Since their creation in the 90s, the amount of digital information we create, the information we capture, and the amount of information we store has vastly increased:
As a result, the existing regulations can be seen as no longer fit for purpose.
The solution is the mutually agreed General Data Protection Regulations (GDPR), which will come into force on 25th May 2018. It will change how businesses and sector organisations can handle the information of customers and clients.
GDPR will replace the existing Data Protection Directive from 1995 and is designed to work with and complement data privacy laws across Europe, as well as protect and empower all EU citizens’ data privacy and reshape the way organisations across the region approach data privacy.
This will mean that every organisation or group that processes personal information must adapt their data handling, information security, compliance processes and contractual relationships by 25th May 2018.
The sentiment from the National Council for Voluntary Organisations (NCVO) is that the new laws will cover everyone whom companies and businesses keep personal data about; this includes employees, volunteers, service users, members, supporters and donors.
The NCVO say that the legislation:
- Will ask organisations to register if they keep records
- Will govern the processing of personal data; this includes 'personal sensitive data'
- Will require organisations to recognise and abide by the eight principles for data protection
- Will give employees, service users and other contacts the right and freedom to request to see the personal data held on them.
The NCVO advises that every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enforce privacy principles.
GDPR, however, is not just a tick box exercise - it will need all staff and volunteers to take on and recognise new methods of work.
Although this is seen as possibly the biggest overhaul of data protection laws for over 20 years, and introduces new requirements for how organisations process personal data, GDPR is an evolution, not a revolution.
The existing Data Protection Act already requires that data is processed fairly and lawfully, so charities should NOT have too much more to do.
So there is no need to panic – the changes to the existing laws can be taken as an opportunity to review how you process data already and make sure you have plans in place to make the changes needed to be ready for May 2018.
The Information Commissioner's Office (ICO) is the regulator for data protection and privacy law, and their website is a source of information and support to help organisations and charity groups prepare for the changes. Their help includes:
- A code of practice for writing privacy notices; they also explain how to comply with both the existing Data Protection Act and the upcoming GDPR.
- A self-assessment toolkit to help small and medium enterprises.
- General guides on data protection and freedom of information (FoI)
At the time of writing, ICO will also provide an advice service by phone.
You will be able to call them on 0303 123 1113 or 0162 554 5745. You can also email ICO at firstname.lastname@example.org.
MVA will also be publishing a series of articles based around the ICO’s 12-point plan to help organisations prepare for the changes.