The New EU Data Protection Law – Implications for Fundraisers Lawrence Simanowitz Partner Bates Wells Braithwaite 25 April 2016
Data Protection Law – what’s it all about? • Doesn’t protect data, protects individuals • Balancing act between rights of individuals and needs of organisations • EU perspective since 1995 • Data Protection Act 1998 – will be repealed • Privacy and Electronic Communications Regulations 2003 – likely to remain • European General Data Protection Regulation – in effect from 2018
General Data Protection Regulation (GDPR) • 260 pages long (nearly three times the length of the DPA 1998) • Four years in the pipeline • Subject of much negotiation and rumour • Principles remain the same:-
Data Protection Principles (unchanged) 1. Processing must be fair and lawful 2. Data needs to be used for specified and compatible purposes 3. Use must be limited to what is necessary and relevant 4. Keep data accurate and up to date 5. Keep data no longer than necessary 6. Process data in accordance with rights of individuals 7. Process data securely 8. Restrictions on exports outside of the European Economic Area
Key areas of change for charities • Data processors now covered by some aspects of the regulations • Wider application to non-EU data controllers • Notification of some types of security breach now mandatory • New rights for individuals including the right to be forgotten and to object to processing • Removal of requirement to register (aka “notify”) with the ICO • Changes to how consent can be obtained • Higher fines • Some organisations must have a nominated Data Protection Officer • Potential new permitted ways of exporting data outside of the European Economic Area
New types of organisation caught by the Act • Currently the DPA only applies to data controllers which are established in the UK or which use equipment in the UK to process data • Under GDPR: overseas based organisations caught if offer goods or services (even if free) to individuals in the EU or if monitor their behaviour data processors must implement security measures; notify data controller of breaches without undue delay; appoint a DPO (where threshold is reached); seek approval to appoint sub-processors and transfer data outside of the EEA; allow the data controller to audit and inspect • Data Controller must include those obligations in contracts with Data Processors • DPs and DCs must keep records of processing activities (Article 30)
Notification of security breaches • Security breach is when data is lost or accidentally damaged or destroyed, or accessed without authority • Currently not mandatory (but recommend if serious – i.e. major impact – quantitatively or qualitatively) • Under GDPR must notify ICO within 72 hours if there is likely to be risk to the rights of individuals (Article 33) • Must notify the individuals if there is likely to be a high risk to the rights of individuals (Article 34)
New rights for individuals • Currently limited grounds to prevent processing (except if causing damage/distress or when processing is for direct marketing purposes) • GDPR gives right to object to processing for legitimate or public interest • Controller can refuse to cease processing if it has demonstrable compelling legitimate grounds which override the individuals rights and legitimate interest or to establish or defend legal claims (Article 21) • New “right to be forgotten” i.e. erasure of data, then applies, and also in certain other limited circumstances e.g. children’s data used to supply services (Article 18) • Data Controllers who have made the personal data “public” must then take reasonable steps to infirm other data controllers • Subject access request deadline reduced to one month and no fee. If Data Controller processes a large quantity of data about the individual, can ask for the request to be narrowed down (Article 15 &recital (57))
Consent (1) • Currently consent must be freely given, specific and informed and the ICO guidance says an “active communication” is required • GDPR adds that: the consent must be unambiguous and must be given by means of a statement or clear affirmation action (Article 4(11)) consent may be indicated by ticking a box on a website or by a statement which clearly indicates an individual’s acceptance, including a pre - formulated statement (recitals 30 & 39)
Consent (2) • The individual must have free choice and be able to withdraw consent without detriment. Consent not freely given if mandatory to give consent in order to obtain performance of a contract when the consent relates to something else (recital 40) • Separate consent must be given for different processing operations/activities (e.g. fundraising, policy campaigns or sharing, updating, entering into database etc?) • Children cannot consent if under 13, can consent with parental approval up to 16 (unless law says otherwise), fresh consent needed once reach 16 • Pre-ticked boxes (or silence/inactivity) does not constitute consent • Controller must be able to demonstrate that the individual has consented (Article 7)
Other changes • Fines now up to the higher of 2% of worldwide turnover or £10m for less serious breaches and 4% or £20m for more serious breaches (Article 83) • Organisations must appoint a suitably qualified data protection officer if they undertake largescale monitoring of individuals or process large amounts of sensitive personal data • Export of data outside of the EEA is subject to the same restrictions but there are possibilities in the future of exporting in line with approved codes of conduct, certification by an experienced independent certification body or under contract clauses approved by the ICO • Additional categories are now treated as sensitive (genetic, biometric, sexual orientation)
Related developments • Indications from the ICO that consent is only valid for 2 years • Safe harbor no longer acceptable for data experts. New “privacy shield” unlikely to help • IOF Code of Conduct requires consent for all telephone marketing (on first contact) even if not registered with the TPS • ICO requiring in guidance, separate consent for separate communication channels
Lawrence Simanowitz Partner Bates Wells Braithwaite Tel: 020 7551 7796 l.simanowitz@bwbllp.com
Recommend
More recommend
