





Published by Scottish Council for Voluntary Organisations

TFN is published by the Scottish Council for Voluntary Organisations, Mansfield Traquair Centre, 15 Mansfield Place, Edinburgh, EH3 6BB. The Scottish Council for Voluntary Organisations (SCVO) is a Scottish Charitable Incorporated Organisation. Registration number SC003558.

10 tips to a perfect data protection policy

This opinion piece is about 7 years old
 

Kelly Sleight warns against charities putting their heads in the sand over changes to data protection laws

You'll no doubt have noticed a number of articles in the past year warning that the new General Data Protection Regulation (GDPR) is on the horizon. It may have seemed like something to put in the 'I'll deal with that later' column of your growing to-do list. However, it's now just over a year away and the time to prepare is upon us.

Charities and third sector organisations who regularly collect and process personal data will be affected by the replacement for the Data Protection Act 1998 (DPA) when it comes into force next May.

Kelly Sleight, Harper MacLeod

The GDPR introduces stricter requirements than those contained in the DPA in relation to a variety of issues, including: consent for using personal data, notification of data protection breaches, and individuals' rights in relation to organisations using their personal data.

It is likely that the GDPR's new "accountability" principle, which will require data controllers to demonstrate continuous compliance with the GDPR and to provide audit trails to support this to the Information Commissioner's Office (ICO) on demand, will mean organisations need to have an internal data protection policy at the very least.

Anyone who fears that, despite the occasional refresher course, their staff and volunteers would struggle to recall the eight principles of the DPA may be dreading a new regime which moves the goalposts.

You have to start somewhere though and creating or updating your organisation's data protection policy is the place to begin. Taking positive action now can reduce the compliance burden when the changes come into force.

A data protection policy provides a valuable resource for everyone to understand the way in which data protection applies in their roles within the organisation.

So, here are 10 tips for writing your data protection policy (DPP):

  1. include a general policy statement and acknowledgement of the importance attached to data protection compliance by the organisation
  2. outline the categories of personal data that the organisation handles, including staff, volunteer, athlete and supplier personal data
  3. describe the key data protection concepts, such as: data controller, data processor, data subject, personal data, sensitive personal data, and processing of personal data, to facilitate understanding of the policy
  4. include a brief statement as to what the organisation will do to comply, such as: putting in place adequate business compliance processes and procedures, providing staff awareness training, implementing technical and organisational data security measures, and ensuring that the organisation has an appropriate legal basis for its data processing activities
  5. specify who within the organisation has overall responsibility for data protection compliance. Under the GDPR some organisations will need to appoint a data protection officer
  6. acknowledge that data subjects of the personal data processed by the organisation have rights to request access to their personal data, and that requests must be responded to within 40 calendar days under the DPA. The GDPR reduces the timescale for responding to requests to one month
  7. confirm the arrangements that the organisation has in place with its third-party service providers, including its professional advisers, marketing agencies and sponsors, within written agreements setting out parties' roles and responsibilities for data protection
  8. provide high-level details of the types of data security measures that the organisation has in place (providing detailed information could compromise the integrity of the measures)
  9. cross-refer to other policies that apply within the organisation, which might have data protection implications, such as home / remote working
  10. outline the consequences of non-compliance, including possible disciplinary action against staff and reputational loss as a consequence of any negative publicity, particularly if a complaint is made to the ICO or an individual makes a claim for compensation against the organisation.

If you need assistance in reviewing or preparing a data protection policy for your organisation, please get in touch.

Kelly Sleight is a solicitor at law firm Harper Macleod, and specialises in advising third sector organisations on information law issues.