      Data Protection Breaches and how to prepare for the General Data Protection Regulations

      7 November 2017 by Marketing Team

      FJG Marketing
      Charity Law

      The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. All charities will be required to comply with it. In light of this, if you have not already done so, it is important to put a Data Protection Policy in place to assure donors, employees and volunteers that steps have been taken to ensure the security of the data held.

      Data Controller and Data Processors

      Within the context of GDPR, as you will be making decisions on how personal data is handled, your charity will be regarded as a data controller. A data processor is anyone who processes data on behalf of the data controller. This includes your staff and volunteers. Both data controllers and data processors will have obligations under the GDPR when a personal data breach occurs.

      Personal Data Breaches

      A personal data breach is a security breach which leads to the destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. As a charity, you hold a range of personal data, which includes:

      1. Details of Trustees;
      2. Volunteers' details;
      3. Personal information of donors;
      4. Payroll information; and
      5. Details of service users.

      You will need to assess whether a security breach has occurred on a case-by-case basis and consider whether or not it is likely to result in a risk “to the rights & freedoms of individuals”. If there is a possibility the breach could cause damage to reputation or lead to financial loss, then it is likely that a security breach has occurred and the data controller will need to report this to the Information Commissioner's Office (ICO). If your computer system has been hacked and this has led to a leak of donors’ personal information, this will also need to be reported. On the other hand, sending an email shot in error to individuals who have opted out of receiving them is unlikely to require mandatory reporting.

      Breaches

      • Failure to report a breach could result in a fine for not reporting AND a fine for the breach itself.
      • Failure to notify a breach to the ICO can result in a fine of up to 2 million EUR or, in the case of an undertaking, up to 2% of the total worldwide turnover.
      • Individuals affected by the breach may issue court proceedings if their rights have been unduly infringed.

      Notification of breaches

      1. Data processors must report breaches to data controllers.
      2. Data controllers will be required to report a security breach to the ICO within 72 hours. Since the deadline for reporting is short, you may wish to submit a brief summary and inform the ICO that a more detailed report will follow shortly.
      3. Relevant individuals must be notified as soon as possible of the breach.

      A breach notification

      The ICO must be provided with details including:

      1. The nature of the personal data;
      2. A description and number of individuals affected;
      3. Categories and number of personal data records concerned;
      4. Name and contact details of the Data Protection Officer;
      5. A description of likely consequences of a Personal Data breach; and
      6. A description of measures taken/proposed to be taken to mitigate risk.

      Consent and Data: What can you do now?

      1. Existing data

      Compile a record of:

      • what personal data you hold and the legitimate grounds for its retention;
      • where the personal data came from and why it was obtained;
      • how the data was recorded and who it was shared with;
      • how securely the data is stored;
      • whether there is any risk of a breach occurring; and
      • whether the data is encrypted.

      2. Audits and Data Protection Impact Assessments

      You may want to organise an information audit, speak to a data expert or carry out a data protection impact assessment to consider the likelihood and severity of the risk of a data breach occurring, particularly if you have large amounts of data.

      3. Consent

      • As a data controller, you will need to be able to demonstrate consent was given. Ensure you have explicit permission to contact existing and potential donors and that requests not to be contacted, or to be removed, are honoured. Keep a record of how consent was given.
      • Individuals have a right to have their data permanently deleted. This is applicable to third parties and does not require a formal withdrawal of consent.

      4. Responding to Queries

      • Prepare how to respond to queries regarding personal data.
      • Individuals whose data is held may request to see their information and are entitled to know:
        • when, why and where their information was processed;
        • how long their information has been stored; and
        • who has access to it.

      Checklist

      • Compile a list of existing data held of employees, donors, trustees
      • Consider how you will obtain and record consent and implement policies
      • Carry out information audit if required
      • Create a Data Protection Policy and consider whether other policies are affected by it
      • Designate and train a Data Protection Officer
      • Train all staff on Data Protection
      • Put a Breach Reporting Procedure in place to detect, investigate and report a breach
      • Create a response plan to deal with breaches
      • Work with an IT consultant/in-house IT team to ensure that data is unintelligible or encrypted in case of hacking or unauthorised access
      • Review your insurance policy to assess the extent of its cover in the event of breaches/ subscribe to a new cover if required
      • Review contracts to update them to include suitable provisions relating to data breaches

      If you would like any advice on how you can prepare for the implementation of the GDPR, please contact our charity law team on [email protected]
