27th May 2016New data protection laws turn up the heat on charities

Data protection sits at the centre of many of these issues, and is proving to be a sticking point for a number of voluntary sector organisations. The challenge is understandable: charities are likely to hold a great deal of sensitive information which legally requires careful handling, but data protection can be an expensive and complicated business.

EU Data Protection Regulation

Given that charities are often short on time, funds and staff, complying with data protection regulations is not necessarily a straight-forward undertaking. But a new EU Data Protection Regulation finalised last year is moving through the last stages of administrative procedure – it will be enshrined in law by around May of this year, and will come into force in 2018.

…regulators will get tougher, and organisations that fail to comply will find themselves in the spotlight.

The new standards will be risk-based, and will make more stringent demands of organisations that collect confidential information. The procedure for getting consent from individual parties will be considerably more rigorous, appointing data protection officers will often be compulsory for charities, and data breach reports will no longer be optional – it will be mandatory to declare most losses.

Properly handled data is also more valuable data – if charities are familiar with the data they have in their possession and understand how it works, they can put it to better use.

Now that data protection has been firmly identified as a serious problem, regulators will get tougher, and organisations that fail to comply will find themselves in the spotlight. It’s in every charity’s reputational interest to keep up to date, or they will risk falling foul of the Charity Commission’s justifiably exacting standards.

Properly handled data is also more valuable data – if charities are familiar with the data they have in their possession and understand how it works, they can put it to better use.

So how can the voluntary sector pave an easy and effective path to compliance? 2018 might seem a long way off, but two years will slip by very quickly and it is a bad idea to risk a last minute scramble.

Top tips for easy compliance:

• To begin with, ensure you are in line with the existing legislation. That will put you in a strong position to adapt to the new laws;
• Keep in touch with the Information Commissioner’s (ICO) latest guidance. From now on it will be influenced by the new regulation;
• Take a risk-based approach. Assess the potential pitfalls, and identify the weak spots in your system. Regulators are less likely to pick you up on detail than they are to examine the major risks in your structure;
• Get the basics right. Make sure your internet and IT systems are up to date – the trick is to anticipate what might go wrong.

For the moment, we have a good sense of what data protection standards will look like in the future, but it remains to be seen how regulators will impose those rules. There is plenty of scope for the voluntary sector to do itself more reputational damage, but if charities grasp the administrative nettle they may well find themselves better placed to capitalise on the data they have at their disposal.

Tim Halstead, Independent Data Protection Consultant working with HW Fisher & Company
T 07813 064 521
E tim@athalstead.co.uk