The two versions of GDPR
Post-Brexit, data protection in the UK is governed by the Data Protection Act 2018. This is basically a lightly amended version of the EU’s General Data Protection Regulation (GDPR). It’s probably safest to assume that you need to comply with both sets of rules.
The good news is that complying with one version of GDPR will take you almost all the way to complying with the other.
For completeness, you should also be aware of the impending introduction of new ePrivacy regulations. This is an EU initiative but is very likely to find its way into UK law.
The key concepts of GDPR
People are considered data subjects. Any individual or organization who/which oversees the processing of personal data is considered to be a data controller. They are responsible for ensuring compliance with GDPR. Data controllers need to be registered with the ICO.
Any individual or organization who/which deals with the practicalities of collecting and managing data is a data processor. Any data controller who/which contracts out data processing must ensure that the data processor is fully compliant with GDPR.
Data can only be collected under one (or more) of six lawful bases. These are:
- Consent
- Contractual Obligation
- Legal Obligation
- Legitimate Interests
- Public Task
- Vital Interests
Although consent is often listed first, it’s generally considered to be the weakest justification. It is therefore best to avoid relying on it whenever possible. If you do need/choose to use it, then you must be able to demonstrate that the consent was both informed and freely given.
All data must be kept safe
Realistically, most charities are going to need to outsource their IT security. The good news is that this doesn’t need to be difficult or expensive. If you stick to reputable cloud-based applications and storage, you can have your external security managed by the vendor.
That leaves your internal security. For practical purposes, this is likely to consist of managing user access. Charities may be able to manage this internally, with a bit of common sense. If not, there are plenty of managed IT vendors which can help.
Similarly, data will need to be backed up/archived and then deleted when no longer needed. Again, this is an area that is usually best managed by a third-party vendor.
Avoid taking payments directly
Payment data is some of the most sensitive data you can get. As such it’s a magnet for criminals. This means that the safest option by far is to stick to third-party solutions rather than taking payments directly over your own website.
These solutions can charge high commissions/transaction fees, but these are still a lot lower (and less embarrassing) than sanctions from the ICO.
Minimize access to data
The fewer people have access to data, the less scope there is for human error. Charities must ensure that anyone with access to data is suitably trained. Wherever possible, however, there should be automated safeguards in place, or, at the very least, human double-checks.
This should also be considered as part of document retention, since the less data you have lying around, the better. Of course, you may not want to destroy documents that still appear essential, and this is where document storage or even document scanning can be a useful alternative to cloud storage.
Is your Charity GDPR compliant?
Just like any other business, charities still hold personal data and therefore the laws of GDPR still apply. If you feel you could benefit from help and advice from an off-site storage facility, we can help! Get your documents in order with our range of document storage and document management services.
Feel free to get in touch with our team. We can explain in more detail the service and benefits you would receive, as well as the different types of documents you can store in our secure facility.