In May 2018, a new legal framework will be introduced across the EU to replace the existing Data Protection Act. The General Data Protection Regulation (GDPR) promises to shake up existing laws surrounding data protection.
It’s the biggest change to data protection policy for 20 years and will see businesses facing hefty fines for any blunders.
So what does this mean for data protection for charities? A data breach under the new GDPR could carry a heavy cost, particularly for charities at the higher end of the income scale, since regulators can issue a penalty of between 2% and 4% of an entity’s global gross revenue.
Charities rely heavily upon donations and the work of volunteers. Yet failure to comply with the GDPR could see them lose their reputation and a large chunk of hard-earned, potentially life-saving cash.
What the GDPR means for charity data protection
In light of the growing digital economy, the GDPR introduces some distinctly modern elements. For example, the GDPR covers genetic and biometric data, and online identifiers such as IP addresses.
Consent also features heavily in the GDPR, particularly with regard to opting in or out of a service. To confirm consent, a clear affirmative action must be taken by the individual - gone are the days of pre-ticked boxes and implied consent. Under the GDPR, charities must also declare why information is being asked for and how it will be used.
Charities will also have to rethink how potential donors are approached and how individuals’ data is processed. Individuals have the right to access whatever information is held for them - so a smooth, efficient process to access this information must be put in place. Under the new act, data breaches (lost data or cyber attacks, for example) must be reported within 72 hours.
What do charities stand to lose?
UK charities could face significant fines for violations of record-keeping, security, breach notification, or other data protection obligations. Regulators could issue fines equal to €10 million or 2% of an entity's global gross revenue - whichever is greater. More severe penalties of €20 million or 4% of the entity's global gross revenue may apply for serious violations such as those relating to consent, individual rights and cross-border data transfers.
How does this translate into real world examples? Well, in the UK, most of the top earning charities (those with an income of above ten billion pounds) tend to fall within the ‘advancement of health and saving lives’ category. These charities include: Cancer Research UK, Wellcome Trust, Change Grow Live, and Cardiff University. Money raised by these organisations funds research into disease and offers services to help people live happier, healthier lives.
If, for example, Wellcome Trust, Cancer Research UK or Change Grow Live were to receive the most severe fine for breaching GDPR guidelines, they’d face penalties of £15.6m, £25.4m and £6m, respectively.
That’s a combined total of £47m which could have contributed to potentially life-changing causes.
Looking at a recent data protection case, in 2016 the British Heart Foundation was fined £14,400 for breaching the DPA. If that were to happen once the GDPR comes into effect, it would amount to £12m. These figures show the stark reality charities face if they are not GDPR compliant.
How charities can prepare for GDPR
As it stands, the GDPR will remain unaffected by the UK’s exit from the EU, and UK based organisations which offer goods or services to individuals in the EU will still be covered. So it’s essential charities in the UK start preparing for the GDPR sooner rather than later.
Adopting GDPR best practice now is an excellent way to ensure you’re up to speed by the time the new legislation is in place. Training staff of all levels - including volunteers - is imperative to ensure new guidelines are rigorously followed.
Our GDPR e-learning courses offer a definite resource for charities looking to prepare themselves for changes brought about by the new framework, and our GDPR compliance checklist will give you an excellent starting point.