
What does GDPR mean for your charity?

Presentation slides from an NCVO webinar which took place on 18 October 2017.

Presentation by Gary Shipsey from Protecture. Find out more about Protecture: https://www.protecture.org.uk/

View the webinar recording: https://youtu.be/D7wuDS4QZgQ

What does GDPR mean for your charity?

  1. GDPR: WHAT DOES IT MEAN FOR YOUR CHARITY? 18 OCTOBER 2017 GARY SHIPSEY, PROTECTURE
  2. WHAT IS THE GDPR? HOW DOES GDPR DIFFER FROM THE CURRENT LAW?
  3.
  4. Same • Principles-based law (not rule based) • Principles • Key definitions • Risk Greater emphasis • Transparency • Accountability • Fines shall be responsible for and be able to demonstrate compliance with the principles
  5. Our Organisation’s Name Data Protection Policy “Our policy is to comply with the
  6. New • Breach reporting – to ICO… to individuals • DP by design and by default • Compensation Medical status… What’s in an email address? London clinic leaks HIV status of patients HIV patient tells of fears of disclosure after details leak
  7. 731 £180,000
  8. REVOLUTION OR REVOLUTION? WHAT ARE THE KEY TERMS?
  9. Personal data Processing Consent any freely given, specific, informed and unambiguous indication of [their] wishes… [either] by a statement or by a clear affirmative action BOTH …it depends where you are now…
  10. Vital interests Life or death Contract with the individual Fulfil contract; Employment terms; Steps taken at their request before entering into a contract Comply with a legal obligation Required by UK or EU law to process the data A public task Official functions or a task in the public interest Consent Legitimate interests Necessary for your needs unless outweighed by the harm to the individual’s rights and interests. You need consent when no other lawful basis applies. Purpose and lawful basis
  11. Breach notification Rights
  12. “it depends...” Some rights only apply in limited circumstances Deciding factors = purpose and lawful “I withdraw my consent” “Delete my data NOW!” “I object to your use of legitimate interests” “I object to Direct Marketing” “I want my data…in 30 days” What does this apply to? Do I delete all of it? What does this apply to? What marketing do we do… and what’s admin? Where is it all? And can they see it all?
  13. WHAT IS A DPO AND DO YOU NEED ONE KEY ROLES AND RESPONSIBILITIES
  14. systematic monitoring public authority special categories / criminal convictions and offences. Core activities = large scale • Document internal analysis & position • If choose DPO = same requirements apply • “DP Lead” – ensure there is no confusion regarding their title, status, position & tasks 1 2 3
  15. Existing employee (if no conflict of interests) or contract out. Employer duties: • Reports > to highest management level. • Operates > independently • Adequate resources > so can meet their obligations. IT Fundraising HR Service delivery DPO / DP Lead
  16. WHAT YOU NEED TO DO NOW YOUR ACTION PLAN
  17. • Get senior management on board • Allocate DP Lead and resource (and support) • Not a “tick the box” exercise – a reflection of how you value and manage personal information • Key stakeholders across organisation • Document team activities and information flows • Relate to your organisation’s structure and activities. 1. Awareness and leadership 2. Get to know yourself 3. Document purposes and lawful basis
  18. • Roll out key process / standards / procedures, e.g. • Breach reporting • Focus on key information security risks • Sharing (esp. via email) • Updated privacy notices and policy • Demonstrate to ICO your activity beyond 25th May 2018 4. Address the quick wins 5. Follow a plan to embed changes… …and manage ongoing compliance as your organisation changes / case law develops • Subject access • Remote working
  19. NCVO champions the voluntary sector and volunteer movement to create a better society. We connect, represent and support over 13,000 voluntary sector member organisations, from the smallest community groups to the largest charities. This helps our members and their millions of volunteers make the biggest difference to the causes they believe in. Search for NCVO membership visit www.ncvo.org.uk/join email membership@ncvo.org.uk
