This website uses cookies for anonymised analytics and for account authentication. See our privacy and cookies policies for more information.

Third Force News

TFN

The voice of Scotland's vibrant voluntary sector
Get updates
Third Force News
Get TFN updates
Sign in Sign up
The voice of Scotland’s vibrant voluntary sector

Published by Scottish Council for Voluntary Organisations

TFN is published by the Scottish Council for Voluntary Organisations, Mansfield Traquair Centre, 15 Mansfield Place, Edinburgh, EH3 6BB. The Scottish Council for Voluntary Organisations (SCVO) is a Scottish Charitable Incorporated Organisation. Registration number SC003558.

Third Force News
OPINION

​New data protection regulation means even more stringent rules

This opinion piece is over 7 years old
 

The first step is to visit to the Information Commissioner’s Office website to self-assess whether your organisation needs to be registered or not says Val Surgenor

Data controllers will find themselves subject to more stringent rules under the new EU General Data Protection Regulation (GDPR), which is due to come into force in May 2018.

To remind ourselves, the term “data controller” is used to describe any entity that determines the purposes and manner of data processing. This of course captures a huge number of organisations and companies operating in the United Kingdom – including many organisations operating in the third sector, in fact most businesses will be data controllers because of the client/donor and employee personal data they hold and collect!

Most data controllers should be registered with the Information Commissioner’s Office (ICO) so if on reading the above you have some concerns, can I suggest a quick visit to the ICO website and use their very useful online tool to self-assess whether your organisation needs to be registered or not.

Val Surgenor
Val Surgenor

Current law, dictates data controllers bear the brunt of data protection compliance and have to evidence their compliance with the legal requirements (for example, making sure those third party fundraising organisations you utilise maintain adequate organisational security measures and this is recorded) and the position under the GDPR sees no relaxation of this and indeed you as a data controller will find that your organisation is subject to more stringent rules under the new regime.

Most noteworthy include:

· a general requirement for greater transparency towards data subjects all the way from the content of privacy notices to the manner of processing itself, such as being more forthcoming about the rights of data subjects;

· increased requirements for consent to data processing, particularly in relation to sensitive data;

· being more mindful of the data subject’s age and potentially obtaining consent to the processing of a child’s data from an adult;

· tighter timelines to respond to data subject access requests;

· carrying out privacy impact assessments and appointing data protection officers;

· notifying data breaches to the ICO and also to individuals in the case of severe breaches;

· complying with the new rights that individuals have under the GDPR, including the right to be forgotten, the right to restricted processing, the right to data portability and the right to object to automated decision-making and profiling;

· the obligation to pseudonymise or encrypt personal data as an additional security measure in certain circumstances; and

· maintaining records of data processing activities, such as the purposes of the processing and details of third parties to whom the data has been or will be disclosed (although, thankfully for data controllers, the requirement to register their data processing activities with the ICO will disappear).

What should be flagged up, though, is the requirement to implement a data protection policy, where this is proportionate to the controller’s data processing activities. This is part of the overarching requirement to ensure that the data controller’s technical and organisational measures are on par with the extent and risks of the relevant data processing activities as well as the rights and freedoms of individuals. For example, where data processing activities are extensive, a data protection policy should be put in place (and of course enforced) to ensure the processing will be considered lawful under GDPR.

A data protection policy helps to ensure that your employees are aware of the requirements you are faced with as a data controller and will provide practical tips (such as dos and don’ts) when it comes to their daily tasks. A data protection policy can also be incorporated into your agreements with data processors to ensure they are required to comply with the same standards that apply within your organisation.

Val Surgenor is a partner at MacRoberts LLP.

Go to comments
 
Can charities become blind to abuses because they have an aura of moral goodness?
NEWS
5 Apr 2024
5 Apr 2024
 
Housing association apologises after publishing residents' personal information
NEWS
19 Apr 2024
19 Apr 2024
 
Common good funds lose charitable status
NEWS
28 Feb 2024
28 Feb 2024
Latest news
 
Chaos at Holyrood: Scotland's charities speak out
NEWS
26 Apr 2024
26 Apr 2024
Popular posts
"Bluntly - I'm angry" Holyrood hears sector fury over funding TFN magazine's April edition is out now - read it all here! Housing association apologises after publishing residents' personal informationI never thought that it would happen to me  Scotland’s charities cannot afford to overlook employment law changes
TFN Guide to Running a Charity or Social Enterprise 2024

This year’s Guide takes a look at how the sector is progressing in inclusion, diversity, equality and environmentalism - what more can be done to further these aims, featuring a wealth of expert opinion, advice and reflection.

Read it here
 

Sign up for our twice-weekly bulletins, to get the latest news delivered to your inbox

Third Force News

Comments

Commenting is now closed on this post
 
LATEST NEWSLATEST FEATURESLATEST LISTSLATEST OPINIONLATEST POLLSPREMIUM