Data Protection Breaches and how to prepare for the General Data Protection Regulations

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. All charities will be required to comply with them. In light of this, if you have not already done so it is important for you to put a Data Protection Policy in place to assure donors, employees, and volunteers steps have been taken to ensure the security of data held.

Data Controller and Data Processors

Within the context of GDPR, as you will be making decisions on how personal data is handled, your charity will be regarded as a data controller. A data processor is anyone who processes data on behalf of the data controller. This includes your staff and volunteers. Both data controllers and data processors will have obligations under the GDPR when a personal data breach occurs.

Personal Data Breaches

A personal data breach is a security breach which leads to the destruction, loss, alteration, and an unauthorised disclosure of or access to personal data. As a charity, you hold a range of personal data which includes:

1. Details of Trustees;
2. Volunteers details;
3. Personal information of donors;
4. Payroll information; and
5. Details of service users.

You will need to assess whether a security breach has occurred on a case by case basis and consider whether or not it is likely to result in a risk “to the rights & freedoms of individuals”. If there is a possibility the breach could cause damage to reputation or lead to financial loss, then there will be a likelihood a security breach has occurred and the data controller will need to report this to the Information Commissions Office (ICO). If your computer system has been hacked and this has led to a leak of donors’ personal information this will also need to be reported. On the other hand, sending an email shot in error to individuals who have opted out of receiving them is unlikely to require mandatory reporting.

Breaches

• Failure to report a breach could result in a fine AND a fine for the breach itself.
• Failure to notify a breach to the ICO can result in a fine up to 2 Million EUR or in the case of an undertaking up to 2% of the total worldwide turnover.
• Individuals affected by the breach may issue court proceedings if their rights have been unduly infringed.

Notification of breaches

1. Data processors must report breaches to data controllers.
2. Data controllers will be required to report a security breach to the ICO within 72 Hours. Since the deadline for reporting is short, you may wish to submit a brief summary and inform the ICO a more detailed report will follow shortly.
3. Relevant individuals must be notified as soon as possible of the breach.

A breach notification

The ICO must be provided with details including:

1. The nature of the personal data:
2. A description and number of individuals affected; and
3. Categories and number of personal data records concerned.
4. Name and contact details of the Data Protection Officer;
5. A description of likely consequences of a Personal Data breach; and
6. A description of measures taken/proposed to be taken to mitigate risk.

Consent and Data:  What can you do now?

1. Existing data

Compile a record of:

• what personal data you hold and the legitimate grounds for its retention;
• where the personal data came from and why it was obtained;
• how the data was recorded and who it was shared with;
• how securely the data is stored;
• whether there is any risk of a breach occurring; and
• whether the data is encrypted

2. Audits and Data Protection Impact Assessments

You may want to organise an information audit, speak to a data expert or carry out a data protection impact assessment to consider the likelihood and severity of the risk of a data breach occurring, particularly if you have large amounts of data.

3. Consent

• As a data controller, you will need to be able to demonstrate consent was given. Ensure you have explicit permission to contact existing and potential donors and that requests not to be contacted or removed are honoured. Keep a record of how consent was given.
• Individuals have a right to have their data permanently deleted. This is applicable to third parties and does not require a formal withdrawal of consent.

4. Responding to Queries

• Prepare how to respond to queries regarding personal data.
• Individuals whose data is held may request to see their information and are entitled to know:
  • when, why and where their information was processed;
  • how long their information has been stored; and
  • who has access to it.

Checklist

• Compile a list of existing data held of employees, donors, trustees
• Consider how you will obtain and record consent and implement policies
• Carry out information audit if required
• Create a Data Protection Policy and consider whether other policies are affected by it
• Designate and train a Data Protection Officer
• Train all staff on Data Protection
• Put a Breach Reporting Procedure in place to detect, investigate and report a breach
• Create a response plan to deal with breaches
• Work with an IT consultant/in-house IT team to ensure that data is unintelligible or encrypted in case of hacking or unauthorised access
• Review your insurance policy to assess the extent of its cover in the event of breaches/ subscribe to a new cover if required
• Review contracts to update them to include suitable provisions relating to data breaches

If you would like any advice on how you can prepare for the implementation of the GDPR, please contact our charity law team on [email protected]