The New EU Data Protection Law – Implications for Fundraisers – Lawrence Simanowitz – PowerPoint PPT Presentation

SLIDE 1

The New EU Data Protection Law – Implications for Fundraisers

Lawrence Simanowitz Partner Bates Wells Braithwaite 25 April 2016

slide-2
SLIDE 2

Data Protection Law – what’s it all about?

  • Doesn’t protect data, protects individuals
  • Balancing act between rights of individuals and needs of organisations
  • EU perspective since 1995
  • Data Protection Act 1998 – will be repealed
  • Privacy and Electronic Communications Regulations 2003 – likely to remain
  • European General Data Protection Regulation – in effect from 2018

SLIDE 3

General Data Protection Regulation (GDPR)

  • 260 pages long (nearly three times the length of the DPA 1998)
  • Four years in the pipeline
  • Subject of much negotiation and rumour
  • Principles remain the same:

SLIDE 4

Data Protection Principles (unchanged)

1. Processing must be fair and lawful
2. Data needs to be used for specified and compatible purposes
3. Use must be limited to what is necessary and relevant
4. Keep data accurate and up to date
5. Keep data no longer than necessary
6. Process data in accordance with rights of individuals
7. Process data securely
8. Restrictions on exports outside of the European Economic Area

SLIDE 5

Key areas of change for charities

  • Data processors now covered by some aspects of the regulations
  • Wider application to non-EU data controllers
  • Notification of some types of security breach now mandatory
  • New rights for individuals including the right to be forgotten and to object to processing
  • Removal of requirement to register (aka “notify”) with the ICO
  • Changes to how consent can be obtained
  • Higher fines
  • Some organisations must have a nominated Data Protection Officer
  • Potential new permitted ways of exporting data outside of the European Economic Area

SLIDE 6

New types of organisation caught by the Act

  • Currently the DPA only applies to data controllers which are established in the UK or which use equipment in the UK to process data
  • Under GDPR:
      – overseas-based organisations are caught if they offer goods or services (even if free) to individuals in the EU or if they monitor their behaviour
      – data processors must implement security measures; notify the data controller of breaches without undue delay; appoint a DPO (where the threshold is reached); seek approval to appoint sub-processors and to transfer data outside of the EEA; allow the data controller to audit and inspect
  • Data Controller must include those obligations in contracts with Data Processors
  • DPs and DCs must keep records of processing activities (Article 30)

SLIDE 7

Notification of security breaches

  • Security breach is when data is lost or accidentally damaged or destroyed, or accessed without authority
  • Currently not mandatory (but recommended if serious – i.e. major impact, quantitatively or qualitatively)
  • Under GDPR must notify ICO within 72 hours if there is likely to be a risk to the rights of individuals (Article 33)
  • Must notify the individuals if there is likely to be a high risk to the rights of individuals (Article 34)

SLIDE 8

New rights for individuals

  • Currently limited grounds to prevent processing (except if causing damage/distress or when processing is for direct marketing purposes)
  • GDPR gives a right to object to processing carried out on legitimate interest or public interest grounds
  • Controller can refuse to cease processing if it has demonstrable compelling legitimate grounds which override the individual’s rights and legitimate interests, or to establish or defend legal claims (Article 21)
  • New “right to be forgotten” i.e. erasure of data, then applies, and also in certain other limited circumstances e.g. children’s data used to supply services (Article 18)
  • Data Controllers who have made the personal data “public” must then take reasonable steps to inform other data controllers
  • Subject access request deadline reduced to one month and no fee. If the Data Controller processes a large quantity of data about the individual, it can ask for the request to be narrowed down (Article 15 and recital 57)

SLIDE 9

Consent (1)

  • Currently consent must be freely given, specific and informed and the ICO guidance says an “active communication” is required
  • GDPR adds that:
      – the consent must be unambiguous and must be given by means of a statement or clear affirmative action (Article 4(11))
      – consent may be indicated by ticking a box on a website or by a statement which clearly indicates an individual’s acceptance, including a pre-formulated statement (recitals 30 & 39)

SLIDE 10

Consent (2)

  • The individual must have free choice and be able to withdraw consent without detriment. Consent is not freely given if it is mandatory to give consent in order to obtain performance of a contract when the consent relates to something else (recital 40)
  • Separate consent must be given for different processing operations/activities (e.g. fundraising, policy campaigns or sharing, updating, entering into database etc?)
  • Children cannot consent if under 13, can consent with parental approval up to 16 (unless law says otherwise), fresh consent needed once they reach 16
  • Pre-ticked boxes (or silence/inactivity) do not constitute consent
  • Controller must be able to demonstrate that the individual has consented (Article 7)

SLIDE 11

Other changes

  • Fines now up to the higher of 2% of worldwide turnover or £10m for less serious breaches and 4% or £20m for more serious breaches (Article 83)
  • Organisations must appoint a suitably qualified data protection officer if they undertake large-scale monitoring of individuals or process large amounts of sensitive personal data
  • Export of data outside of the EEA is subject to the same restrictions but there are possibilities in the future of exporting in line with approved codes of conduct, certification by an experienced independent certification body or under contract clauses approved by the ICO
  • Additional categories are now treated as sensitive (genetic, biometric, sexual orientation)

SLIDE 12

Related developments

  • Indications from the ICO that consent is only valid for 2 years
  • Safe Harbor no longer acceptable for data exports. New “Privacy Shield” unlikely to help
  • IOF Code of Conduct requires consent for all telephone marketing (on first contact) even if not registered with the TPS
  • ICO requiring in guidance separate consent for separate communication channels

SLIDE 13

Lawrence Simanowitz Partner Bates Wells Braithwaite

Tel: 020 7551 7796 l.simanowitz@bwbllp.com