GDPR – General Data Protection Regulation

The new General Data Protection Regulation comes in to effect on 25th May 2018.

Currently the UK relies on the Data Protection Act 1998, but this will be superseded by the new legislation. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU. Despite the UK leaving the EU, the GDPR will still apply to all charities and organisations in the UK.

What are the Key Changes?

The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data organisations now collect about people, online identifiers such as IP addresses now qualify as personal data. Other data, like economic, cultural or mental health information, are also considered personally identifiable information. Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is. Anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR.

Once the legislation comes into effect, organisations must ensure personal data is collected for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted. You should ensure that personal data shall be:

  • Processed lawfully, fairly and in a transparent manner.
  • Collected for specified, explicit and legitimate purposes, and not processed in a manner contradictory to those purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed.
  • Accurate and where necessary kept up to date.
  • Every reasonable step should be taken to ensure that personal data that are inaccurate, are erased or rectified without delay.
  • Kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data is processed.
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised processing, accidental loss, destruction or damage.

Practice has arisen in many industries whereby consent is implied by the actions or inactions of the individual. Under the GDPR this practice will no longer be accepted. Consent must be freely-given, specific, informed and unambiguous. It should be given in an easily accessible form with the purpose for data processing attached to that consent, and it must be as easy to withdraw consent as it is to give it.

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual person, or data concerning their health, sex life or sexual orientation shall be prohibited unless:

  •  Explicit consent has been obtained.
  • Processing is necessary for carrying out obligations under employment, social security, or social protection law.
  • Processing is necessary to protect the vital interests of an individual when they are physically or legally incapable of giving consent.

The new regulation gives people more say over what companies can do with their data:

  • Right of access – People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. Organisations should provide this information within one month free of charge and can no longer impose a fee for this provision.
  • Right to be forgotten (Erasure) – Individuals also have the right to demand that their data is deleted if it’s no longer necessary to the purpose for which it was collected. Under this rule, they can also demand that their data is erased if they’ve withdrawn their consent for their data to be collected, or object to the way it is being processed. If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the erasure of the personal data.
  • Right to portability – Organisations must now store people’s information in commonly used formats, so that they can move a person’s data to another organisation (free of charge) if the person requests it. Organisations must do this within one month.
  • Right to rectification – Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. You must respond within one month, or this can be extended by two months where the request for rectification is complex. If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the rectification also.
  • Right to restrict processing – You will be required to restrict the processing of personal data in the following circumstances:
    • Where an individual contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data.
    • Where an individual has objected to the processing, and you are considering whether your organisation’s legitimate grounds override those of the individual.
    • When processing is unlawful and the individual opposes erasure and requests restriction instead.
    • If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.
    • NB: You may need to review procedures to ensure you are able to determine where you may be required to restrict the processing of personal data.
  • Right to object – Individuals have the right to object to processing based on legitimate interests, processing for direct marketing, and processing for purposes of scientific/historical research and statistics. You must inform individuals of their right to object at the point of first communication and in your privacy notice.
  • Rights in relation to automated decision making & profiling – Profiling is a form of automated processing of personal data used to analyse or predict matters relating to an individual. For example analysing an individual’s performance at work, financial status, health, interests or location. Automated decision making is the ability to make decisions without human involvement. Profiling and automated decision making can be used in three ways:
    • General profiling – where individuals are segmented into different groups, based on data analysis.
    • Decision-making based on profiling – where a human makes a decision based on profiling.
    • Solely automated decision making – where an algorithm makes a decision, with no human intervention.

Under the GDPR, decisions based solely on automated decision making which produces legal effects or similarly significantly affects an individual are prohibited unless it is necessary for the performance of or entering into a contract; it is authorised by law; or it is based on the data subject’s explicit consent. Automated decision making that involves special categories of personal data, such as information about health, sexuality, and religious beliefs, is only permitted where it is carried out on the basis of explicit consent or where it is necessary for reasons of substantial public interest, such as fraud prevention.

Under current legislation, legal obligations rest with data controllers* who are responsible for the actions of their data processors. Under the GDPR both data controllers and data processors can be responsible for data protection compliance. This means not only the owners of personal data will be responsible for meeting the requirements of the GDPR, but those holding or using that data (such as external marketing or IT suppliers) will also have new responsibilities.

Organisations will be obliged under the GDPR to adopt an approach that promotes privacy and data protection compliance throughout their organisation from the outset.

A properly equipped Data Protection Officer (DPO) can prove invaluable to an organisation dealing with vast amounts of data. The GDPR makes it a requirement that organisations appoint a data protection officer (DPO) in some circumstances. The GDPR also contains provisions about the tasks a DPO should carry out and the duties of the employer in respect of the DPO. Under the GDPR, you must appoint a DPO if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

It is your organisation’s responsibility to inform your data protection authority of any data breach that risks people’s rights and freedoms within 72 hours of your organisation becoming aware of it. The UK authority is the Information Commissioner’s Office (ICO). The deadline is tight enough to mean that you probably won’t know every detail of a breach after discovering it. However, your initial contact with your data protection authority should outline the nature of the data that’s affected, roughly how many people are impacted, what the consequences could mean for them, and what measures you’ve already actioned or plan to action in response.

The GDPR introduces stronger enforcement action where there is a breach of the data protection rules, including not following the basic principles for processing data, not having a legal basis for processing, or ignoring individual rights over their data. Under the new regulations, penalties can include fines of up to 4% of an organisation’s turnover.

Guidance for organisations who are processing children’s personal data under the GDPR is currently out for consultation, closing on the 28th February 2018. You can view the consultation document on the ICO website.

*Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed. A Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

12 Steps to Take Now

  1. Awareness – make sure that key people in your organisation are aware that the law is changing to the GDPR.
  2. Data held – You should document what personal data you hold, where it came from and who you share it with.
  3. Privacy Information – You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  4. Individual rights – You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  5. Access Requests – You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
  6. Lawful basis for processing – You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
  7. Consent – You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
  8. Children – You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
  9. Breaches – You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  10. Data Protection by Design – You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
  11. Data Protection Officers – You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
  12. International – If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.


There are lots of organisations offering training and advice about GDPR, but sadly at often very high rates. There is however also a range of training that is equally beneficial but provided for free. We will advertise on our training page any free or low cost events that are happening locally.

Further Guidance

 The Fundraising Regulator and the Institute of Fundraising have published free guidance for fundraisers on the General Data Protection Regulation. The guidance, which consists of the following six short guides, has been collated based on questions that charities have asked about GDPR:

  1. GDPR and Charitable Fundraising – an Introduction
  2. GDPR Spotlight on Fundraising
  3. GDPR Spotlight on Community Fundraising
  4. GDPR Spotlight on Corporate Fundraising
  5. GDPR Spotlight on Legacies
  6. GDPR Spotlight on Trusts

Each of the guides have been reviewed by the Information Commissioner’s Office, which will police the new regulations.

Useful links & Resources

The ICO provides a living document that explains the provisions of the GDPR. It is updated regularly and it is advisable to keep abreast of updates on their ‘What’s New’ web page.

The ICO has produced a package of tools aimed at small and micro organisations, including charities:

Manifesto have produced a downloadable guide with recommended actions to help you begin your journey to GDPR readiness.

Rollits Solicitors publish regular updates on GDPR in their newsletter and also hold regular free events about GDPR in Hull. Download their briefing note.

NAVCA have produced a factsheet of the General Data Protection Regulation (GDPR). Download their factsheet here

Upcoming GDPR Events

Helen Grimwood
Helen GrimwoodDeputy Chief Officer

Contact us:

Hull CVS
The Strand
75 Beverley Road

01482 324474