ICO’s dedicated GDPR helpline officially opens

The service launched on 1 November and, as well as advice on preparing for the General Data Protection Regulation, gives information on existing rules

The Information Commissioner’s Office has launched a telephone advice line to help charities and small organisations prepare for the new data-protection law, the General Data Protection Regulation.

The service, which was officially opened on 1 November, complements the resources on the ICO website designed to help organisations that employ fewer than 250 people, and offers additional, personal advice.

Callers dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support. As well as advice on preparing for the GDPR, callers can ask questions about existing data-protection rules and other legislation regulated by the ICO, including that concerning electronic marketing and the Freedom of Information Act.

Information Commissioner Elizabeth Denham said: “Small organisations want to be ready when the new law comes into force in May 2018, but they often struggle to know where to start. They might have less time and money to invest in getting it right and are less likely to have compliance teams, data-protection officers or legal experts to advise them what to do.

“Our new phone service and all the other resources already on our website, plus even more advice and guidance yet to come, will help to steer small businesses through the new law.”

The ICO is expected to publish a guide to the GDPR by the end of the year, which will expand the content of the existing overview to make it a comprehensive guide along the same lines as the current Guide to Data Protection.

No definitive way to deal with the GDPR, says Direct Marketing Association

John Mitchison of the DMA tells a seminar that charities will have to make their own decisions on complying with the General Data Protection Regulation

Charities and other organisations will not be given fully comprehensive guidance telling them what to do in every scenario under the General Data Protection Regulation, according to John Mitchison of the Direct Marketing Association.

Mitchison, who is head of preference services, compliance and legal at the DMA, told delegates at a Westminster Social Policy Forum seminar on charity fundraising yesterday that, in the absence of definitive answers, charities would have to make their own decisions about how best to do things in a compliant way.

But he added that the open nature of the legislation, which will impose higher data-protection standards on all organisations and is due to come into force in May 2018, could prove to be a positive for charities and other organisations.

“I think we’re lucky that the GDPR is a principles-based regulation and is not prescriptive,” he said.

“So if you’re a glass-half-empty person, you might take this to mean you’re never going to have all the answers. There are just too many variations on what people do to have a prescriptive rule on what to do in every situation.

“If you’re more of a glass-half-full person, you’ll see this as giving you flexibility: you make the judgements yourself on how to do it and the way you do it is through the process of accountability.”

Mitchison said accountability was embedded in the GDPR in a way that meant it was not enough for organisations simply to comply – they also had to demonstrate that they were complying.

To do this, he said, organisations would need to put in place technical and organisational measures, as well as training programmes, policies and audits, to ensure they had the evidence to justify what they had done if anybody came asking.

He said: “Ultimately, you take into consideration the legislation but, because there’s going to be no definitive answers, you have to make a business-risk choice about how you’re going to go. If you can ensure you’ve got an accountability process in place, the chances are you’re going to be doing all right.”

But if organisations viewed the GDPR as a burden to be dealt with until they could carry on treating data in the same way as they had before, they were really not making the best of the situation, said Mitchison.

And he warned that the GDPR was a big deal for everyone within organisations that handled any sort of data, not just those in marketing or fundraising.

But he added: “It might be a big change, but I don’t think it’s the apocalyptic disaster that a number of GDPR consultants who have conveniently appeared out of the woodwork would have us believe.”

Rowenna Fielding, data protection lead at the consultancy Protecture, warned that charities should want to comply with the legislation even if they felt they could get away with a lower standard of behaviour. She pointed out that charities would not consider using child slavery, even if it were legal or poorly regulated, because they would feel they had a moral obligation not to – similarly, she argued, that moral standard should be applied to how data was treated.

“Character is who we are when nobody’s watching, and for 10 years the Information Commissioner’s Office has not really been watching,” Fielding said. “It’s been under-resourced and understaffed, and it has had too much work to do.

“But we’re supposed to be the good guys, the ethical ones that people look up to to do things right.”


Breaking GDPR rules ‘could put charities out of business’, says data strategist

Ilja de Coster of Amnesty International in Belgium tells the International Fundraising Congress in the Netherlands that failing to tell donors what information they hold on them could cost charities dear

Charities will face fines that could put them out of business if they cannot tell donors what information they are holding about them after the General Data Protection Regulation comes into force, delegates at the International Fundraising Congress in the Netherlands have heard.

Ilja de Coster, fundraising data strategist at Amnesty International in Belgium and director of donor relationship management at the fundraising agency The DonorVoice, warned that charities needed to prepare their systems to deal with the implications of the EU legislation, which is due to be implemented from 25 May next year.

Under the GDPR, people will have the right to approach any organisation and demand to know what data the organisation is holding about them.

De Coster said he recommended that charities should ensure their customer relationship management system has a simple mechanism to allow them to extract all the data on a particular subject into a single report.

“That’s an important thing,” he said. “Every person has the right to access data and, in the whole fine and penalty system, if you do not comply with that I guarantee you will get a high penalty.

“If you will not answer that request from a donor, you are out of business – that’s it. The fee will be the maximum.”

Under the GDPR, the Information Commissioner’s Office will be able to levy fines on organisations for data protection breaches of up to 4 per cent of their turnover or €20m (£18m), whichever is larger.

De Coster also told delegates that charities operating in more than one country needed to be aware that any fines would be calculated on the basis of turnover of the global organisation, not just the turnover of the charity in the country in which the breach happened.

He said the GDPR should be viewed as human rights legislation, because it was designed to protect people’s right to privacy, guaranteed under Article 8 of the European Convention on Human Rights, and many of the requirements of the GDPR were not new.

“The GDPR is the continuation of existing data protection law in Europe,” he said. “There’s some details stuff and some optimisation stuff based on the evolution of technology, but basically everything you’re not allowed to do in GDPR you are not allowed to do today.

“But what is new is that from now on it’s serious; playtime is over.”


Charities exempt from ICO fees ‘likely to remain so under GDPR’

Paul Arnold, deputy chief executive of the Information Commissioner’s Office, reveals this on the ICO website, but it has yet to be confirmed by ministers

Charities that are exempt from paying fees to the Information Commissioner’s Office are likely to remain exempt under the new fee structure due to be introduced under the General Data Protection Regulation, the regulator has said.

The ICO has said it is recalculating the fees it charges data controllers to notify the regulator of how and why they are collecting data, something data controllers are required to do under the Data Protection Act 1998.

Data controllers must currently pay a notification fee of £35 or £500, depending on the size of the organisation, but many charities are exempt from the rules unless they sell or swap data with other organisations or they own their own premises and operate CCTV on them.

The GDPR, new data protection legislation due to come into force on 25 May 2018, says that data controllers will no longer be required to notify the ICO.

But Paul Arnold, deputy chief executive of the ICO, said in a statement on the ICO website today that such organisations would still be required to pay the ICO once the GDPR was introduced because they would switch to paying a data protection fee, which was introduced by this year’s Digital Economy Act.

The fees would be used to fund the ICO’s work, Arnold said.

He said the ICO expected that those organisations that were exempt under the existing regime would remain exempt under the new system, but this had yet to be confirmed by the Department for Digital, Culture, Media & Sport.

In the statement, he said: “The amount of the data protection fee is being developed by the ICO’s sponsoring department, the DCMS, in consultation with the ICO and representatives of those likely to be affected by the change. The final fees will be approved by parliament.”

Arnold said the size of the data protection fee each organisation was required to pay would still be based on the organisation’s size and turnover and would take into account the amount of personal data it was processing.

There were likely to be three categories of fees, he said, but he did not give an indication of how much these fees were likely to be.

The new model would come into force in April, Arnold said, but he added that any notification fees would remain valid for a year, so charities would not need to pay the data protection fee until their current fee expired.


Regulator launches consultation on GDPR changes to fundraising code

The Fundraising Regulator has launched a consultation on the changes it plans to make to the Code of Fundraising Practice to include the requirements of the General Data Protection Regulation.

The regulator is asking for views from charities, fundraisers and members of the public on an updated version of the code covering GDPR, stringent data protection laws due to come into force from March.

The consultation will run until 8 December and the new version of the code will be released in the spring, the regulator said in a statement today.

The regulator said the updated code would also address the issues raised by the fines levied by the Information Commissioner’s Office against 13 charities over data protection breaches in the past two years.

The new version of the code will ensure the regulator’s guidance and terminology is consistent with that used in the GDPR legislation and will signpost users to other guidance from the regulator and the ICO, the statement said.

The updated version of the code includes three new sections to explain areas where there have been calls for greater clarity and guidance on what the new rules mean.

One of the new sections explains what counts as processing someone’s personal data and when data protection rules apply. This section says data matching and wealth screening, two of the activities that led the ICO to issue fines to charities that had carried them out without donors’ knowledge, count as processing someone’s data. 

Another section focuses on consent, which will use the ICO’s draft GDPR guidance to explain how charities can obtain consent to process people’s data.

The final new section offers advice on legitimate interest, which allows organisations to process people’s data without obtaining consent.

The ICO has not yet published guidance on legitimate interest, so the information in the code will be drawn from the GDPR legislation itself and the recommendations of a working group on donor communications set up by the National Council for Voluntary Organisations.

The new code also warns that charities must keep up to date with the latest guidance from the ICO.

Suzanne McCarthy, chair of the Fundraising Regulator’s standards committee, said: “Protecting personal data is a fundamental part of meeting the key principles of legal, open, honest and respectful fundraising within the code.

“We welcome views on whether the changes proposed are clear in communicating fundraisers’ legal and ethical responsibilities on data.”

The consultation document is available here. 


IoF urges minister to set up ‘GDPR hotline’

The Institute of Fundraising has written to digital minister Matthew Hancock asking him to give as much support on the issue to charities as to businesses and other organisations

The Institute of Fundraising has called on the government to provide a “GDPR hotline” to help charities prepare for its implementation next year.

The membership body has written to Matthew Hancock, the digital minister, calling on him to ensure that charities receive the same level of support as businesses and other organisations to prepare for the General Data Protection Regulation, more stringent data-protection rules that come into force in May.

The IoF said it also wanted Hancock to provide a GDPR hotline for charities from six months before the legislation comes into force and a targeted scheme to help charities upgrade their database systems.

It called on the government to raise awareness of the changes among smaller charities and to work with sector bodies to offer more data-protection training.

The IoF penned the letter after a survey, carried out by the IoF and published today, found that nearly half of charities felt they lacked the internal expertise needed to prepare for the introduction of the GDPR.

Of the 332 charities that responded to the survey, 72 per cent said they felt there was a lack of clear guidance available on the GDPR, and 48 per cent said they did not feel they had the level of internal skills and expertise they needed to prepare properly.

The IoF survey found that the problem was particularly acute for small and medium-sized charities, with 49.5 per cent of small charities and 58 per cent of medium-sized organisations saying they lacked expertise, compared with 29 per cent of large charities.

And 33 per cent of small charities said they had not done anything to review data protection or prepare for the GDPR, compared with 3 per cent of medium-sized charities.

All of the larger charities polled said they had begun preparing, but almost no charities of any size said they believed they were ready for the introduction of the GDPR.

Peter Lewis, chief executive of the IoF, said: “A large majority of charities are working to prepare for data protection changes, but there is a clear need for much more support, especially for smaller organisations.

“It is really important that sector bodies, regulators and the government all step up to help raise awareness of the changes and to ensure there is support in place to help charities through this transition.”

He said the IoF would be developing support materials and webinars in the months to come, but a wider approach was needed across the sector.

Mandy Johnson, chief executive of the Small Charities Coalition, said the results did not surprise her.

“The GDPR is a complex regulation and there has not been enough support to help hard-working volunteers and charity workers to understand exactly what they need to do,” she said. “The SCC is working to change that.”

Vicky Browning, chief executive of the charity leaders body Acevo, said the findings reflected concerns Acevo was hearing from its members about a lack of resources and in-house skills to tackle the GDPR.

“Members from larger charities tell us they’re having to divert significant funds to deal with the challenge, but this isn’t an option for smaller organisations,” she said. “The sector is crying out for clearer guidance.”

The Department for Digital, Culture, Media & Sport was unable to respond in time for Third Sector’s deadline on Friday morning.


Legislation to introduce GDPR into UK law begins its journey through parliament

Legislation to introduce the requirements of the EU General Data Protection Regulation into UK law has had its first reading in the House of Lords.

The EU’s GDPR legislation is due to come into force on 25 May 2018 and will bring in stricter requirements for organisations that process data than are currently required under the Data Protection Act 1998. It will allow the Information Commissioner’s Office to levy fines of up to £17m or 4 per cent of global turnover on organisations that breach the rules.

The Data Protection Bill, which would update the Data Protection Act 1998 by incorporating the GDPR requirements, was introduced by Lord Ashton of Hyde, the culture, media and sport minister in the House of Lords.

Bills are typically not debated at their first reading but will be discussed by peers at the second reading, which is due to take place on 10 October.

In overview guidance, the government said the bill would implement the GDPR standards, but also provide clarity on the definitions used in the GDPR in the UK context.

The bill includes a number of modifications to the GDPR on areas in which the EU allowed individual countries to set their own policies, such as the age from which parental consent is not needed to process data online, which the bill sets as 13, and exemptions to the rules for academic research, financial services and child protection.

The Charity Commission had previously expressed concern about the GDPR’s requirements for processing sensitive personal data, particularly concerning someone’s criminal convictions, which say that only “bodies vested with official authority” can process such information.

It is unclear whether this would include the commission. The commission said that if it did not, this could impede its ability to regulate effectively.

But in a statement announcing the bill, the government said the bill would allow the processing of sensitive and criminal conviction data without consent “where it is justified”, suggesting the commission would be able to do so.

“Organisations which already operate at the standard set by the Data Protection Act 1998 should be well placed to reach the new standards,” the guidance document says.

“The bill will mean that UK organisations are best placed to continue to exchange information with the EU and international community, which is fundamental to many businesses.”

It said the Information Commissioner was already working to help businesses comply with the new law from May 2018 and would be taking “a fair and reasonable approach” to enforcement after it enters the statute book.

In a statement on the ICO website, Elizabeth Denham, the Information Commissioner, said: “The introduction of the Data Protection Bill is welcome as it will put in place one of the final pieces of much-needed data protection reform.

“Effective, modern data-protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime.”

She said she would provide her own input as necessary during the legislative process.


Fines will be last resort under GDPR, says Information Commissioner

In a blog, Elizabeth Denham says it’s nonsense to suggest her office will be handing out huge fines routinely once the General Data Protection Regulation comes into force

Fines will be the last resort under the General Data Protection Regulation, Elizabeth Denham, the Information Commissioner, has said.

In a blog published on the Information Commissioner’s Office website yesterday afternoon, Denham said she was concerned by reports suggesting the data regulator would be routinely handing out massive fines once the GDPR came into force on 25 May next year.

The EU legislation will impose more stringent privacy and consent rules on data-sharing and processing by charities, companies and other organisations, and will allow breaches to be punished with fines of up to £17m or 4 per cent of annual global turnover, whichever is larger.

Under the Data Protection Act 1998, which the GDPR will replace, the maximum fine is £500,000.

But in her blog Denham dismissed as “nonsense” predictions of huge fines based on previous penalties levied by the ICO and scaled up to the level allowed under the GDPR.

She said: “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”

Heavy fines for serious breaches reflected the importance of personal data in the 21st century, Denham said, but the ICO intended to use the powers the GDPR will grant it “proportionately and judiciously”.

In late 2016 and early 2017, the ICO investigated and issued fines totalling £181,000 to 13 charities for breaching data-protection rules after the Daily Mail and The Mail on Sunday newspapers carried out investigations into fundraising practices involving several major charities.

In February, Denham revealed that she had used her discretion to reduce the fines handed out by as much as 90 per cent because they were being issued to charities.

In her blog, Denham said the watchdog had always “preferred the carrot to the stick” in its approach to regulation.

“Just look at our record,” she said. “Issuing fines has always been, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.”

She said the ICO had yet to invoke the maximum powers available to it under the DPA.

“While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective,” she said.
