Trustees have particular responsibilities for data protection and trustees’ responsibilities are set to increase later this year, with the anticipated launch of a Fundraising Preference Service, following the establishment of the new Fundraising Regulator. Next year, from May 2018, there will be further new regulations, including changes to the way charities and other organisations have to obtain consent for holding personal data from visitors, donors and others they work with.
The following article is particularly relevant to larger organisations with a wide-range of fundraising methods and data-handling responsibilities. AIM will publish additional guidance for smaller organisations later this year, focusing on the elements of changes likely to be most relevant to the relatively simple data-handling processes of most museums.
Jackie Gray, a partner, and Emma Dewar, a solicitor, who specialise in data protection issues at Bond Dickinson LLP, have kindly written the following article for AIM members on ‘Data Protection and Charities: The new General Data Protection Regulation’. You can find out more about the lawyers at Bond Dickinson LLP who can provide assistance to museums by visiting their website at Bond Dickinson LLP
Compliance with data protection law has long been an area with which charities have struggled. All charities must comply with the Data Protection Act 1998 (DPA), including eight core data protection principles, when dealing with any personal information about individuals. Trustees must therefore make sure that they have put in place sufficient and suitable internal practices and controls to address the considerable risks that non-compliance creates. This includes enforcement action by the regulator, the Information Commissioner, who has the power to fine organisations up to £500,000 for serious breaches. The recent fines and public castigation of the practices at the RSPCA and British Heart Foundation by the Information Commissioner’s Office (ICO) in December 2016, are examples of the financial and reputational risks faced by charity trustees who do not ensure that their charity is fully compliant with all aspects of data protection law.
The new Fundraising Regulator
Indeed, it is the non-compliance with aspects of data protection law by some high profile charities which resulted in the fundraising scandals which engulfed the charity sector over the last two years. As a result, we have seen the creation of a new Fundraising Regulator, the creation of new laws and we are anticipating the launch of a Fundraising Preference Service in late spring/summer of 2017. The Fundraising Preference Service will be a system which enables people to stop receiving fundraising material from charities and will work alongside the existing Telephone Preference Service and the Mail Preference Service.
The ICO updated its guidance for charities on Direct Marketing in May 2016 (Guidance), which provides a useful overview of the specific rules which apply to the use of personal information for marketing purposes. The ICO has also produced a helpful sector-specific webinar for charities, together with a list of “Top five data protection Tips” for small and medium sized charities, which explains how charities can comply with the data protection principles, including only collecting personal information that your charity needs for specific purposes, which are explained to individuals in privacy notices. The Guidance also highlights that personal information needs to be accurate and up to date, securely held, and retained only for as long as is necessary.
Changes to Data Protection Law from May 2018
Before the Brexit vote, the EU General Data Protection Regulation (Regulation) was expected to become law in the UK (as it will across the EU) on 25 May 2018, replacing the DPA. As it now appears unlikely that the UK will leave the EU before 2019 at the earliest, the Regulation is expected to come into force as planned. In addition, the Regulation is expected to remain (broadly) in force once the UK leaves the EU, not least so as to ensure that personal data can continue to flow between organisations in the UK and the EU. This is also the view of the ICO, who explained following the Brexit vote, that:
“…if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.”
The ICO has also recently made clear that, if Parliament begins to debate making amendments to the Regulation in the years following Brexit, the ICO will be “at the centre of any conversations around this, and will be banging our drum for continued protection and rights for consumers and clear laws for organisations”.
Steps to take to comply with the Regulation
Therefore, museums should ensure they are taking steps, or continuing to take steps to prepare for the Regulation becoming law in May 2018, as planned. In particular, the Regulation will introduce a number of changes to the current law on data protection which charity trustees need to be aware of. We have set out an overview of some of the key changes below that are likely to be relevant to museums.
1: Accountability and increased fines for non-compliance
Under the Regulation, organisations will no longer be required to register with the ICO. Instead, museums will need to keep their own detailed records of their processing activities, including what personal data they process, about whom, for what purposes, the legal basis for the processing, with whom they share personal data, how long they keep personal data, security measures in place to protect personal data and, if they transfer personal data outside of the EEA, on what legal basis. There is also a new accountability principle which will require organisations to demonstrate that they comply with the Regulation. The new Regulation will therefore significantly raise the compliance bar and fines for non-compliance will increase dramatically from the current maximum level of £500,000 to up to a maximum of 4% of annual worldwide turnover or €20,000,000 (whichever is the higher).
A new definition of “consent” will require consent to be informed, specific, freely given, unambiguous and capable of being withdrawn at any time. Museums will therefore need to consider where they currently rely on consent to justify the processing of personal data and consider whether this is an appropriate basis or if another legal basis is more appropriate. If a museum’s trustees decide that consent is retained as a basis for processing personal data, the museum will need to ensure that the consent will meet the new requirements, keep records which evidence the consent provided and be prepared to deal with situations where consent is not given or withdrawn.
3: Privacy Notices
The new Regulation will require very specific information to be given to individuals about how an organisation processes personal data in Privacy Notices. There is also a new legal requirement in the Regulation to ensure that Privacy Notices are concise, transparent, intelligible, easily accessible and written in clear language. Museums are advised to put in place or review and update their Privacy Notices to explain to their trustees, employees, volunteers, customers, donors, friends, patrons and other individuals how and why they process their personal data.
4: Access to Personal Data and Rights of Individuals
An individual’s right of access to personal data will be retained but in most cases the museum’s ability to charge a fee will be abolished. In addition, the new Regulation gives individuals a number of additional rights, including the right to be ‘forgotten’ and in certain circumstances the right to restrict processing of personal data. These rights may impact on how museums collect, use, hold and/or retain personal data, and museums will need to ensure they are aware of what individuals are (and are not) entitled to.
5: Personal Data Breaches
Currently, if there is a data security breach, there is no legal requirement on a museum to report this to the ICO although, if the breach is serious, this is recommended good practice. Under the new Regulation it will be a requirement for personal data breaches which are likely to result in risks to individuals, to be reported to the ICO without undue delay and, where feasible, within 72 hours. Where there is a high risk to individuals as a result of the breach, there may also be a requirement to notify the breach to individuals. Museums are advised to consider the adoption of a Security Breach Management Policy which will go some way towards assisting museums meet these requirements.
6: Data Processing Contracts
Where a museum appoints a third party to process personal data on its behalf, such as by outsourcing its IT support or HR and payroll systems, currently it needs to ensure that it has a written contract in place which contains certain provisions to comply with the DPA. Under the new Regulation data processing contracts will need to contain a number of additional provisions and the museum and the data processor will have certain additional responsibilities in relation to the data processing. Museums will therefore need to review and update their data processing contracts to ensure they can meet these new requirements.
How should trustees of museums prepare?
By the time the Regulation comes into force in May 2018, museums will be expected to have carried out staff training and have records, policies and procedures in place which deal with many of the key compliance matters outlined above, including:
*updated written data processing contracts;
*processes for dealing with data breaches and assessing when and how to notify; and
*ensuring that any activities involving the processing of personal data reflect and embody the principles of data protection, both “by design” and “by default”.
Given the breadth and depth of the changes to data protection law that are afoot, we recommend that trustees consider whether they need to seek advice in relation to the new Regulation.
Jackie Gray, a partner, and Emma Dewar, a solicitor, who specialise in data protection issues at Bond Dickinson LLP would be more than happy to discuss the ways in which they can help your museum to make and implement the necessary changes to your existing policies and procedures ahead of the Regulation coming into force. If you would like to contact Jackie Gray, please email her at Jackie.Gray@bonddickinson.com