DCMS announces plan to enshrine GDPR in law

The Data Protection Bill includes clauses that allow the UK to maintain the General Data Protection Regulation even after it leaves the EU

The Department for Digital, Media & Sport has announced plans to formally bring the General Data Protection Regulation into British law in its new Data Protection Bill.

The EU’s GDPR legislation is due to come into force on 25 May 2018 and will bring in stricter requirements for organisations that process data than are currently required under the Data Protection Act 1998. It will also allow the Information Commissioner’s Office to levy fines of up to £17m or 4 per cent of global turnover on organisations that breach the rules.

A statement of intent on the proposed bill, published today, makes it clear that the government intends to maintain the requirements of the GDPR even after the UK leaves the EU in March 2019.

It acknowledges that the GDPR applies only to areas of law for which the EU has oversight.

But it adds: “This means that our own laws will need to apply data protections to other areas, and we intend to apply substantively the same standards to all general data in order to create a clear and coherent data-protection regime.”

Although charities will be required to adhere to the GDPR across all aspects of their work, the most controversial area it will have an impact on is fundraising, and the statement of intent reiterates the government’s commitment to enforce the GDPR’s more stringent requirements on consent.

“We will ensure that the default reliance on the use of default opt-out or pre-selected ‘tick boxes’ – which are, in any case, largely ignored – will become a thing of the past,” it says.

In a letter to stakeholders accompanying the announcement, Matt Hancock, the Minister of State for Digital, said the government would work with the Information Commissioner to ensure that guidance was available to help organisations navigate the new requirements.

Daniel Fluskey, head of policy and research at the Institute of Fundraising, said: “Reading today’s announcement, we understand that the new Data Protection Bill’s focus is on bringing the GDPR requirements into domestic law ready for the post-Brexit world.

“Charities are continuing to adapt and change how they work, not just to meet new legislative requirements, but to ensure that they are giving the best experience to their supporters. We’ll be looking closely at the details when the bill is published later in the year to ensure any issues affecting fundraisers are considered in the new legislation.”

The DCMS also published the responses to its consultation on the areas of the GDPR where the UK has been able to exercise some discretion in how the law is applied.

The Charity Commission was among those organisations that responded to the consultation.

In its response, the regulator expressed concerns about the GDPR’s requirements for processing sensitive personal data, particularly concerning someone’s criminal convictions, which say that only “bodies vested with official authority” can process such information.

It is not clear whether this would include the commission, and the commission expressed concern that it could “significantly impede its regulation of charities” if it was unable to access information about someone’s previous convictions that would disqualify them from serving as a trustee.

But in its statement of intent, the government says it listened to such concerns and would legislate to extend the right to process personal data on criminal convictions and offences to other organisations.

A spokesman for the DCMS said the bill would be put before parliament after the summer recess and the government was committed to ensuring it was passed before the GDPR came into force.

GDPR will bring 50 or 60 changes to code, says regulator’s head of policy

Gerald Oppenheim of the Fundraising Regulator says the General Data Protection Regulation, due next year, will have to be written into the Code of Fundraising Practice at some point

The introduction of the General Data Protection Regulation will require 50 to 60 changes to the Code of Fundraising Practice, according to Gerald Oppenheim, head of policy at the Fundraising Regulator.

Speaking at the Institute of Fundraising’s fundraising convention in London yesterday, he said the regulator was working through the code to find out how it would be affected by the GDPR, new European data-protection legislation that is due to come into force in May 2018.

He said updating the code to take the new rules into account would be a complicated undertaking.

“The GDPR will have to be written into the code very clearly at some point,” Oppenheim said.

“We have already started looking through the code at where it refers to data protection, even in the most general sense,” he said. “We’ve found 50 to 60 places where the code needs to change, even where it’s just a wording change or something as simple as that.”

He said the regulator was waiting for the Information Commissioner’s Office to issue its final guidance on the GDPR after it ran a consultation on draft guidance throughout March.

“We’re still waiting for that consultation document to be turned into further guidance from the ICO,” Oppenheim said. “That will obviously affect how we change the code.”

He said he did not expect to be ready to reveal the code changes to the sector until later in the summer.

During the same session, Daniel Fluskey, head of policy and research at the IoF, said the umbrella body would not be releasing guidance telling charities whether or not to change their policies on communication to opt-in only.

Each charity would have to make the decision for itself based on its individual circumstances, he said.
