blog banner

What does GDPR mean for your charity?


Good afternoon and welcome to
this NCVO webinar on the GDPR, what does it mean
for your charity? My name is Gary Shipsey. I’m going to be running the main
content of the session today. Later on, I’ll be joined by
my colleague, John Moger, who will be involved in the
question and answer session. We’re going to be having 30
minutes of content from myself and then 15 minutes of
questions and answers. Please do submit your questions
as we’re going through this. We’ve got many people who’ve
already submitted questions beforehand. We will try and get
through as many as possible after the 30-minute
presentation. Without further ado,
let’s have a look about some of
these key questions that people are
asking about the GDPR. And I think there’s
a risk at the moment that we’re kind of got
to a strange place. It’s as if we’re pregnant. We’re waiting for this big
day to arrive next year. We’re waiting for
the 25th of May and everyone has been focused
on that date for so long. Any of the parents I
level think, actually we know what really happens. The big build-up happens,
the child arrives, and then we get home. And then there’s
this quiet period when everyone leaves and the
baby’s sleeping there quietly and you think, ah, now
the fun really begins. What do we do for the next
20 years, the next 30 years, as this child
develops and evolves. And really that’s where
we are with the GDPR. But this is not a Y2K situation
where we hit a certain date, we realize it
didn’t quite explode as we thought it was going to,
and then we go back to normal. This is a continuation
of data protection law that’s been around since 1984. It’s the first major update
in 20 years, that is true. But it’s not about an
arbitrary date next year. It’s about how we’re going to
continue to handle and manage personal information next
July, next August, 2019, 2020. So really it’s about trying to
prepare for that in the best way possible, and the
only way to really do that is to look at
where you are now. Many of the principles– many of the key aspects
of the future law– are exactly the
same as what we’ve got now in the current law. So for example, it is
this principle-based. It is not rule-based. It does not tell you
literally what to do. That’s the situation now. That will be the same next May. What it does mean
is that you have to understand the principles,
and interpret them for your setting. For the level of personal
data that you handle. For the sensitivity
of that information. For the level of risk that your
organization is, or is not, willing to take. Also the same is the fact that
there are guiding principles, and actually, they
are staying the same. They are already
a pre-assigned way of managing personal
information. To have appropriate security,
to be fair, to be transparent, to have accurate and
up-to-date information– those core principles
are staying the same under the GDPR. The same can be said
of the definition. Some of the key definitions
are staying the same. About what is
personal information? What is sensitive personal data? Some of them might get slightly
re-branded or re-worded by what they’re called,
but essentially, some of the key definitions
are not changing. The biggest area of change
is about transparency and accountability. Can you really demonstrate
that you understand how you are collecting,
handling, using, justifying, your personal information? To be genuinely
transparent, you have to know why you are
collecting information. On what lawful basis? How long are you going
to retain it for? Who needs to have access to it? Who do you share it with? And the GDPR is very
strong about you having to tell individuals
that sort of level of detail. The same can be said
for accountability. The need to not just say,
well, we will comply. The need to actually show
how are we delivering that within the organization? Which roles are taking on
which element of accountability to manage, day-in-day-out,
the risks and benefits around collecting and using
personal information? And one of the areas that gets
a lot of press in the moment, is the increase in
the levels of fines that the regulator
may be able to issue. So yes, at the
moment, the maximum on fine for serious breach
is half a million pounds. That is going up to 17
million or 4% of turnover. But the Information
Commissioner herself has said that’s not
their preferred approach. They are not there to wield
a big stick all the time. They’re not going to suddenly
start issuing substantial fines for the most tiny breach. The issue is more about
being able to demonstrate transparency and accountability. To manage reputation
and instill, and continue to
instill trust in anyone whose information you handle. Whether they’re donors,
whether they’re service users, whether they’re your volunteers,
or whether they’re your staff. That can be seen in one of
the key articles of the GDPR. Article V, where it
says that, as now, you are responsible for
complying with the principles. Every organization
will say they will comply with the
Data Protection Act, comply with the principles. The difficulty now,
as has always been, how do you demonstrate that? Can you prove it? How did you judge that that’s
as an appropriate level of security? Why do you think that collection
or use of information is fair? And the GDPR says well,
actually, we really should know that. So, not just being
responsible for compliance, we are responsible for being
able to demonstrate compliance at any point. And that’s the
significant change. Those five words make
all the difference of that level of transparency
and accountability that the GDPR expects from
all organizations who are handling personal information. So gone are the
days soon when you can take the eight principles,
scrub off someone else’s logo, put your name at the top,
and say our policies comply with the eight principles,
and tick a box and move on. The days where
that is sufficient are changing next May. So we’ve got our first pole. Please do have a look
at the question that’s coming your way. We’d like to get a sense of how
engaged is your organization when it comes to GDPR? And at what level has it
formally been discussed? Is it just the
staff and the teams that are clearly
going to be affected? Have senior management
also had clear discussions and formal meetings about it? Has it got out to
the trustees at all? Whether their awareness
has been raised? Or actually are you still
talking to yourself and anyone else who might listen? But it actually
it hasn’t formally been on anyone’s radar– it’s not actually progressing. So please do let us have
your thoughts on that. The results should come
through any moment, and we’ll get an
indication of where organizations are when it comes
to formally taking this on. Hopefully, data protection
is on most standard agendas at some level within
the organization. It’s a key risk. It’s critical to what you’re
doing as an organization. Hopefully, it’s already
been consistently discussed. We’ll see what the
final results say. The actual results should be
coming through to you now. And we’ll see what
figures we get. So for most organizations,
it has been well discussed which is fantastic. Nearly half have said
that actually it’s been discussed both at the front
line, at senior management, and at trustee-level,
which excellent. And that’s as you
would hope, given the importance of
handling information and the changes that are coming. Because there are many new
aspects of data protection management that are coming. One key area, just to flag up,
is mandatory breach reporting. So at the moment, you are
not required, by the Data Protection Act, to
tell the Information Commissioner or
the individuals if, and when, you have a breach. You are encouraged to. It’s a best practice. The regulator will
treat you better. And it shows that you’re
engaging with them and not brushing it
under the carpet. But you don’t have to. Well next May, you
are required by law to report breaches, if certain
criteria are met, to the ICO– within three days– and,
in certain circumstances, to the individuals
who’ve been affected. So this will shine
a very strong light onto many sectors, who,
historically, have not reported breaches in
any way, shape, or form. What it does mean,
internally, is those in doubt want awareness-raising,
to start to know what a breach looks like. It has a clear policy on
how you handle breaches when they are reported,
when they are escalated. That’s going to be critical,
so you can actually cover that and
manage it, and know who is going to make a
decision to escalate this to the regulator. Or potentially
tell a whole bunch of donors, a whole
bunch of service users, that you may have a breach. Another area that is
quite different under GDPR is data protection by
design and by default. So this is saying that the days
of dragging in the compliance person a week before a new
project is about to go live has got to change. We’ve got to have the data
protection person in the room at the start of any
project on process, so they can start
talking about the data protection issues, the
privacy issues, that might be critical to the project. So data protection by design
is about saying, well actually, by law, you should have
that discussion early in the process. When you’re thinking
about project change. When you’re looking
at project team. When you’re looking for
a spec of the new CRM, those data protection
issues need to be thought on and brought
into that discussion early on. And as I mentioned
it a bit earlier, one other key area
that’s changing is the ability of organizations
to claim compensation, if there is a loss of privacy. So at the moment, it’s
quite difficult for owners and individuals to do that. They have to
demonstrate, really, that they’ve suffered
financially, as well as a breach, and loss
of their privacy. The GDPR removes
that financial issue and says you can just
claim for loss of privacy. And this is demonstrated if we
look at the Dean Street Clinic breach a few years ago. This was where they
did accidentally expose the email
addresses of the people on their distribution list. This is because they
were distributing their monthly newsletter. They would cut and paste
780 email addresses into the line carbon
copy box, press send and distribute the newsletter. One month they made a mistake
and put it in the “To” box, which meant the recipients
could see everyone else’s email address, and in further,
their HIV status. It’s an HIV clinic. So in a small
geographical area– Chelsea and Westminster–
in the day and age when you can google
an email address. And people maybe
haven’t been so careful with the settings–
the privacy settings on their Facebook, their
Instagram, their Twitter, their social media in any way. They essentially outed
730 people’s HIV status. Senior management from
out of the time and say that they’re really sorry. It was a human error. Person who did it
feels terrible. But actually, it
wasn’t human error. This was an
organizational failing. Could they’ve taken
technical measures to reduce the risk
of this happening? Yes. They could have used MailChimp
or some other system, to mean they’re not
manually cutting and pasting all the emails every month. Even if they couldn’t afford
the technical solution, the organizational approach
they could’ve taken was somebody looks over someone’s shoulder
and double-checks before they press send– something to try
and reduce the risk. The reputational hit for
Dean Street was next day. If you googled the
clinic, you got the ambulance-chasing
lawyers paid-for-advert as the first search
result. So would you trust that charity to provide
a safe, secure service to you? Would you donate your time,
and money, and effort? You still might do. But you might have
second thoughts or doubts if that’s the first
thing you see when you search for the organization. And when the ICO investigated,
for exposing 731 email addresses, they were
fined 180,000 pounds. That’s just the email
addresses, but it’s the context in which it was held. And that’s under the current
Data Protection Act– before the fines go
up, before individuals are very likely to get
a claimed compensation for the loss of privacy. This is really about
taking this seriously within the
organization and really making it work in your setting. That poses the question, is GDPR
a revolution or a evolution? And it does depend. It really does depend. A good way of looking
at that is the poll that we’re going to
put up in a moment. About how currently you
take data protection. How up-to-date is your
data protection policy? When was it last updated? Is it something that
is always looked at and every year there’s a
review and it’s kept fresh? Staff are kept aware of it. Do you not have a policy that
you could really point to and say, this is our approach
to managing data protection? Is when you last
got some pro bono legal support a few years ago? Or actually is it
really quite old? And we’ve seen some of
these, with the people we work with, that they still
mention floppy disks and fax. And actually they’ve not be
looked at for a long time. And essentially, they’re
not really delivering. And policy is one
of those things, that yes it can sit on a
shelf when it doesn’t achieve. But it gives you a sense that
the organization understands it needs to establish how it’s
going to manage this risk. Needs to understand
which roles are taking which accountability. And then, who needs to know
what at the front line? And the policy
often reflects that. Is it well understood, well
structured, accessible, and the right people
know about it? Or is it just sat there, and
it’s not really doing a job? So we’ll see results
any time soon, and see what sort of
policies and approaches you feel you have out there. Certainly, with people we
work with, we see a mixture. We see some that
are very up-to-date and they are kept fresh. They are adapted when
new guidance comes along, when internal changes are made. And some that are pretty tired
and haven’t been looked at. So 2/3 of you are saying it’s
updated within the last year, which is fantastic. It shows that you’re actually
taking seriously and taking it on board. And therefore, GDPR is more
likely to be an evolution, as it should be– a continuation of the
management of information. So GDPR is in
those systems where you are in handling
personal information. And if you’re already up to
speed with the current law, if you already take it
seriously at the right levels, then it will be an evolution. There will be tweaks
and changes that you’ll need to undertake to prepare
and be ready for the new levels and expectations
the GDPR brings. So if you already
consider personal data to be a broad definition. That it does cover an
awful lot of information that you’re handling. If you already recognize
the processing of data. covers not just the active
things that you do with it– not just the collection and
the storage and the updating. If you recognize that
it does cover data when it’s sat on shelf,
when it’s on a back-up tape, then you’ll then you’ll be fine. And if you already see
consent as a clear, positive indication that someone
has agreed to what you want to do with their information,
rather than it being an opt-out or an implied consent or
something other than just clearly someone agreeing– unambiguously, they
clearly have indicated that they’re happy for you to do
things with their information– then GDPR will not
be a revolution. It’ll be a continuation of
what you’re already doing. But it does very much depend. An understanding about
consent is a good example of where you might be on this. If you understand
that consent is one of the six ways
of justifying what you’re doing with information. And if you have clarity on
precisely what you do collect and use information for– what
purposes you use information for– then GDPR will not be the scary
thing that often people try and portray it to be. If you have clarity and
understand that consent is one of the six ways
of justifying things, and actually it’s the
most difficult one. The obviously over-quote
from the ICO about consent should be the
last thing you look for. If you can justify your use of
data on one of the other five, it’s far more
straightforward to do that and far more
beneficial to do that. So is it because you
have a legal obligation to comply with– you
have to collect and use the information the
law mandates it. Is it because you’re
fulfilling a public function to large chunks of
the public sector? But others may
perform public tasks that need information to be
collected and used and shared and stored. Might it be because
of a contract that you have with
the individual? You’ve established that to
provide a service, to work for you, you need to collect
a new certain information, and you’ve told them
that in the contract and they have signed up? Is this a life or
death situation? Rather common sense
kicks in that you have to use information to
help protect someone’s life. Or is it the sixth one in the
middle– legitimate interests. Where you are
balancing your needs and you’re clear what your
needs are as an organization. You’ve considered
the individuals on whether what you want
to do with the information will cause harm to their
rights and interest. You’ve assessed that and you’ve
concluded it’s in your favor. You need to use the
information for your interests. So understanding lawful
basis is critical. It’s critical because when
it comes to the individual’s rights, you’re going
to need to know that to be able to
manage the questions and queries and the
handling of the information. Enhanced rights, individuals
will have under the GDPR. Some of these rights are very
similar to what we’ve got now. Some are enhanced. We said about compensation
being enhanced. The breach notification
being enhanced– having to tell
individuals that you’ve lost or breached their privacy
or lost their information. But this is again, as I said,
not just waiting for a date next year. This is about how it
works day in, day out. So when these sort of
questions and queries happen– when someone says,
can I delete my data? It’s going to depend on why
you are collecting and using the information. What purposes are
you fulfilling? What justifies your collection
and use of that information? Because how you
respond to people requesting things
and trying to do things with their
information will depend. So if someone wants to withdraw
their consent, as I say, delete all the data
that you hold on them. If they object to you
relying on your interest to collect and use
their information. If they say I object
to direct marketing, stop sending it to me. If they say, well I
want my information. I want you to give me a
copy of it within a month. These all legitimate
questions and queries that might come in now, but will
certainly but will next May. And the understanding
you’re going to need to have internally
of the personal information you’re handling and using
is going to be critical. How efficiently and effectively
you can deal with these, or how much of an administrative
burden it’s going to be? So if someone says I
withdraw my consent, well, what does consent apply to? What are you relying on? What activities rely on
consent and what don’t? When they say delete my
data it’s not absolutely. Some data you will need to
retain for some legal reasons. Other data, yes, you would
get rid of on request. What are your relying legitimate
interest to undertake? Which activities
does that apply to? What direct marketing do you do? And what isn’t direct marketing? What is administrative? What is service delivery? Being clear on this is
going to be important. And the same with
subject access– where is the information? On what systems? What issues might there
be about third party privacy and exemptions? Again, the processes
and understanding where information
is, and managing that is going to be important. So for the last five
minutes of the presentation we’re just going to look at
the roles and responsibilities when it comes to GDPR. And specifically, this term,
Data Protection Officer. Very many people have fulfilled
that role over the years. I personally have been a
Data Protection Officer in my past working life. The difference with GDPR
is that at the moment that term has no legal basis. Under GDPR it will. It will mean a certain thing,
as defined by the general data protection regulation. And certain sectors and
certain organizations will have to appoint a legally
defined Data Protection Officer. So public authorities will
have to appoint Data Protection Officers. Those organizations
where their core activity is the large-scale, systematic
monitoring of individuals. So the Googles and
Facebooks of this world will have to appoint formal
Data Protection Officers. And organizations where
their core activity is the large-scale handling
of sensitive information and criminal conviction
data would also have to appoint a Data
Protection Officer. Now there’s still some
debate and a lack of guidance around what large-scale
means in practice. Though, if automatic,
it’s not clear quite whether certain
charities, will fall into the third category there. For now, it’s about
analyzing where we are with the
guidance we’ve got, and documenting your internal
decision at the moment. About whether you feel
you have to appoint a DPO. Whether you are choosing
to appoint a DPO. And being conscious, if you
do, the full requirements of the GDPR will apply. And if you’re if required
to, and you’re not formally appointing one, then
call them something else to make that
distinction– to make sure there’s no
confusion over the role that you are allocating
responsibility to lead on, as to make compliance happen. Because if you
appoint a DPO there are particular issues
for the employer. You are committing
that individual will have the resources required
to meet their obligations. That they can act independently. That they will report to the
highest level of management within the organization. So it’s quite an undertaking
to appoint a Data Protection Officer. And there’s also potential
for conflict of interest. The law is clear that it
can be an existing employee, if there’s no
conflict of interest. So it cannot be a head
of IT, a head of HR. Because they will
be, at some point, marking their own homework. So for now, it is
about saying, well OK, who needs to be in the room
when we’re looking at GDPR? All these areas will be involved
in compliance and handling data in some way. Who is going to lead in
pulling this together? And our final poll question
is looking at that. Which best describes
your current approach? What resources
have you allocated to managing this, Both now,
and beyond May next year? Is it currently you
and is it something you are doing on top your day job? Someone’s had some
training but, hopefully, that training will enable them
to take it forward and manage it. Are you bringing in
some temporary resource, or you’re planning
to bring a consultant in for a period of time? Or actually have you
got a project team? You’re pulling in from the right
areas within your organization. And there are clear roles
and responsibilities, throughout your organization,
to not just deal with it between now and May,
but to embed it and make it work beyond the next May. And there are there are
various ways of doing this. There is no right answer
to particularly how you’re going to manage
this on a longer-run basis. But it does need to have someone
senior pulling it together. It does need to have some
resource to make it happen. And like I said at
the start, I think there’s a risk that we see
it as a one-offs thing, a bit like Y2K. We’re waiting for this
date, and actually, there is a project to do,
but it is actually how we’re going to make
it work beyond that? How are we going to embed
this within the organization? So I’ll just give it a second
for as many of you as possible to participate in the poll. And we’ll see what
the results are. This will be interesting to see. So, as I might have thought,
it’s half the people out there have said it’s you. And it’s in addition
to your day job, in some way, shape, or form. That’s understandable. It’s about resource and how
much effort and resource we’ve got out there. The issue is have you got the
real time to commit to this, and the expertise to
make it work in reality? And that’s where the judgment
is within the organization. So to finish off,
we’re just going to quickly look at what we
think some key actions you can look now, to try
and take this forward. And, the first one, if
it’s not already raised is the awareness and leadership
within the organization. Getting senior
management on board. Getting the trustees to engage– to recognize that
there are reputational risks if this is not
managed properly. There are resource implications
if suddenly 20%, 40%, 50% of your service
users or donors said I want to see my information. How are you going
to manage that? Who’s accountable, whether it’s
DPO or a data protection lead? And not just saying
someone’s going to do it. Are the resources there
and the support there to help them and
make it a reality? And what you said, it to
recognize that it’s not a tick the box exercise–
that is just saying, we’ve a policy on our
shelf, with job done. This is about how you
as an organization value and manage this
very key asset, which is personal information. We also need to get
to know ourselves. Understand who are the
key teams or individuals within the organization? What activities
do they undertake? What services are
they delivering? Who are the data subjects? What categories of
individuals are you with? Where does information
enter your organization? When does it exit and go
to other either partners, suppliers? What are those flows and
where are the key risks? And then looking
at the purposes. If you can document the purposes
that you use information for, get some clarity
on the lawful basis that justifies your collection
and use of that information. And relate it to
your organization– the teams, and the
activities you undertake. If possible, get on and
address the quick wins. Role out key processes and
standards and procedures if you’ve not
already gotten there. Some you should have,
like subject access. Others are newer,
like breach reporting. You’re going to have to think
about raising awareness. The internal
processes that you are going to follow to make sure
that there is clarity on who will make the final decision,
and who will escalate it to the Information Commissioner
and the individuals affected, if needs be. What are the key security risks? And for us it seems to be
the sharing of information via email. The speed with which
you can do it is great. But actually looking at the
sensitivity and the volume and making sure there
are appropriate ways of sharing the most
sensitive information. And the thing with
remote working– bring your own device,
working outside the office– great flexibility. The GDPRs are saying, have
you really thought about is the level of
security sufficient? And which roles are doing
what jobs outside the office? What data are they handling
when they’re on the move? And looking at the privacy
notices and policy– the points where data comes
into your organization. What are people
told when they are handing over their
personal information? Transparency is critical again. And then finally, it’s
about having a plan, to embed those changes and
manage it beyond next May. I think the Information
Commissioner herself is a pretty
aware that lots of people are going to struggle to be
fully compliant by next May. What they will look for
is for those organizations who understand the key
issues, who’ve got a plan, while working through it. Who know where the
key risks are and are doing the practical
to reduce those risks, and have a clear plan in place. The Information Commissioner
has prepared a 12-step guide. The NCVO has done a
very accessible version of that, which is
on their website and that is a good
place to start as well. The Information Commissioner
has, over the last few days, said they’re going to
update that document to give greater clarity on the
key things you should look at. So I hope that’s been useful,
quick overview of some of the key issues that
we see when it comes to preparing for the GDPR. Thank you for
participating in the polls. And we have a
number of questions, as you might imagine,
given the short time we’ve had to talk about this topic. So I’m going to have my
colleague, John, to read out some of the questions. We, obviously, can do as many as
we can within the 10-15 minutes that we’ve got. So, good John, I’ll just
please have a look at some of these questions here. [INAUDIBLE] Yes, one from
[? Petra, ?] looking at what’s the level of detail
are we asking for with consent? It’s literally just
looking at whether we can contact individuals
via email, phone, and post? Or should they be
asking for permission to contact them about
fund raising, research support, events? And doing it, to
clarify even further, if someone’s interested
in fund raising, to ask if they’re interested
in community events, challenge events, and oversea
treks as well? And this is the same problem. This is a very common question
at the moment about, basically, the level of regularity
you do or don’t need when you are collecting
consent from individuals. So, with the GDPR,
it’s clear that you need separate consents for
separate processing operations. The question is, how
separate is separate, how different is different? Now the fund raising
regulators guide says well think about how you
operate, as an organization. Yes, it’s fine to break
it down by channel. That’s a given. But do you want to
bundle all the things that you do into one
generic, overarching purpose? When, actually, some of those
things are quite different. Is research different to raising
income to play in the lottery, to campaign and to change
law, to running events? I think there’s
a strong argument to say those activities
are different and people may, or may not,
want to participate in one, or some, or all of them. This is about
saying, well do you want to give them that choice? And if you don’t, are you
confident enough why you’re not giving them that choice? So, as always, the
data protection has no right or wrong answer. It’s about you thinking
about, as an organization, what’s our approach? We do need to recognize that, if
you do bundle it all together, that you’re giving
people all or nothing. So actually then
[INAUDIBLE] their consent, they are withdrawing
their consent for all of that activity. Rather than saying,
well, actually I don’t want to now hear
about one item and topic, but I do still want
to hear about another. So, yes, there is definitely
the separation for the channels, but granularity of purpose
is a question for yourselves as an organization. So looking at online forms,
Gary, to gain consent, do we need electronic signature
or is a tick box sufficient, without a signature? Actually we do, under GDPR,
need records of consent. We need to show they’ve made
an unambiguous indication. So the question about whether
an air-tight signature, actually someone signing to commit
that they have agreed, or whether they tick a box or
press a button or take action is sufficient. The issue there about the
sensitivity of information. So the ICO’s guidance,
at the moment, says if it’s sensitive
personal data, then you’re going to need
clear, explicit agreement. If you’re collecting and
using their medical data, you’re going to need them
to definitely agree and put in writing. If we’re looking at fund
raising or other activities where it’s not as
sensitive, then you just need an unambiguous
indication by clear action. So that could be a tick box. It could be pressing
a button, and it could be returning an email. The ICO says there’s lots
of potential ways of getting GDPR standing consent, when
it comes to non-sensitive personal information. Fantastic. So the next’s one
from Sue, saying, do we need to get our clients
and volunteers to opt-in to receive invitations
about our events? The events are such as
activities– lunch clubs, coffee mornings,
and cinema events. So this is really looking
at what information do volunteers need
to receive to be a volunteer for
your organization. And which information
might you send to clients, or anyone
else, about what you do as an organization? And to me they’re
two different things. You might still want to send the
same invites to coffee mornings and similar events,
whether they’re a client or a volunteer,
and a client or volunteer should have a choice
about whether they receive that information. But quite rightly, volunteers,
to fulfill that role within your as part
of the organization, will need to receive
some information. Whether it’s about the latest
health and safety update. Whether it’s about the
work you’re doing and what they can participate in. So it’s understanding
internally, what messages need to
be given to volunteers, and where might a
volunteer have choice about receiving other material. And that might be that you
say, well it is separately how we are treating
that volunteer, like anybody over here that
sees an interest in what we’re doing. And we’re telling
them about our events and how they might
raise income for us. So understanding what we want
to use the information for and what messages you’re trying
to get across is critical. So we have another one here. Let’s have a look, John. There’s one from Shona, and
reporting about the DPO. Should they report
directly to trustees or the senior management team? She’s read conflicting advice. So the DPO role, it’s
clear in the GDPR that you have to report
to the senior management within the organization. Now, I think for charities,
that is trustee-level. They are the ultimate arbiters. They are the ultimate
accountable body. They need to know. They need to be told
what is happening with regards to handling
of personal information in the organization. And if there is an issue
that the DPO finds, it has to be reported to
that most senior of levels. Practically how that
happens, or how often it’s reported and escalated– I can see that it might need
to go to the management team first, to be reported
on a structured basis to the trustees. I think ultimately it needs to
get through to the trustees. They need to understand. They need to be told. Because ultimately they’re the
ones that can make decisions on allocating budget and
resource in looking at how, ultimately,
information is handled within the organization. OK, I think we’ve got time
for one or two more questions. Let’s have a look, John. What do we got there? There’s one from a
[? Pepkin, ?] saying, can you go over the
processing keys? The term processing
is often misunderstood because it sounds
like an active thing– the doing of something
with information, processing it,
undertaking activities. And yes, it does cover
all the activities that you might do
with information. So, from the moment
it’s collected until the moment it’s
securely destroyed, that is processing the data. What’s often overlooked
is it does include data when it’s just sat there. When it’s sat in
the system, when it’s on a back-up tape, when
it’s stuck in a paper archive off-site, you are still
processing that that data when it comes to both the
current law and the GDPR. What it does mean it’s
not enough just to say, well we’re going to
archive that record, whether it’s in the
database or in a paper form. You are still
responsible for securely handling that information. Now it’s true that archiving
it may restrict the amount of access, and that is useful. But it’s not the same
as saying, well we’ve stopped handling
that data and we don’t have to try and
comply with the requirements of the Data Protection
Act or the GDPR. Let’s have a look
at another question. We’ve got one more
left, I think? Yes, that was a good one there. Andy would like
to know what would be considered compliant
evidence or consent verbally? So, received over the phone. The GDPR is clear that you
can obtain consent verbally. The guidance from the
Information Commissioner so far, which hasn’t
been finalized yet, is clear it’s about being
able to demonstrate back to someone if they questioned,
why are you sending me this. You say I’ve agreed. Well what did I agree to? Being able to evidence
it and demonstrate it is the key thing. So if it is verbal, is
there a set statement that is read, that you know
was in force at the time? So you have on file,
set statement A was read and the person agreed. And we know what that text said. That ability to
understand yes, this is what the person
agreed to verbally. Whether it was
part of the script, it was what was
what was read out, it was what was understood. Having that clarity on
record is what’s critical. I think you can see for the more
sensitive information, if you were going to get verbal
consent to undertake medical research, where
actually in the future you may be taken to
court and there may be some real serious implications
for that confirmation that someone gave verbally,
you might need a recording. Because you might need
to fall back on that. So I think it does come
down to the sensitivity of the information. Now we’ll wait to see whether
the Information Commissioner says, well no, if it’s verbal it
has to be the higher standard. It has to be absolute proof. To me, it’s about risk and it’s
about being able to demonstrate back to someone. So you can have that discussion,
why you think they’ve agreed. So verbal consent
is definitely a way of getting consent under GDPR. I think it’s about the
sensitivity of the information your getting consent for. Thank you very much. We’ve got lots
and lots question, though I’m sorry we could
only get around to a few them. I hope that session
has been, useful. There will be a short survey
feedback coming your way. There will be a
copy of the slides, and the recording will
be available online, after the event. Hopefully that
should be tomorrow, all things going well. So I hope that’s
been a useful session and thank you very much.

Leave a Reply

Your email address will not be published. Required fields are marked *