We have been pleased to see the innovation and support that is going on amongst the Visionary membership in response to changes in the law on data protection. However, we realise that there is still a lot of uncertainty around proposed changes and how best to respond in order to remain compliant and promote best practice when it comes to managing people’s data. We want to tell you how Visionary plans to support local organisations to address these changes and provide you with some direction and resources to get you started.
What we are doing at Visionary
The Income Development team at Visionary is taking the lead on the area of data protection and it sits within our ‘Outcome and Impact Measurement’ stream of work.
Our work on Outcome and Impact Measurement is divided into five areas of support:
- Data Collection (Monitoring)
- Data Analysis (Evaluation)
- Strategic Frameworks (Theory of Change, Inspiring Impact, Monitoring and Evaluation Frameworks, Logic Models)
- Databases and CRM systems
- Data Protection
As a result of a number of inquiries from members regarding changes to data protection rules (General Data Protection Regulation – GDPR), fundraising regulations and e-privacy, Visionary has applied for a grant from the new grant programme of the ICO (Information Commissioner’s Office) to deliver a one-year project which aims to address queries and concerns around compliance in these areas. A bid for £51,400 was submitted to the ICO at the end of July this year. If successful, the project will develop:
- An Accessible Toolkit to improve organisational compliance with the support of a legal expert.
- An Advocacy Guide for members to support their service users to advocate their data protection rights in all areas of life.
This will take place over 12 months and commence in November 2017.
If unsuccessful, we will explore alternative solutions to support our members to improve compliance and understanding and have already set aside a contingency budget for bringing in additional capacity and expertise in this area, with a particular focus on legal expertise.
In the interim we are collating and developing resources for our Knowledge Hub. Knowledge Hub documents are a combination of those developed by Visionary staff members, by the Visionary membership (where organisations have volunteered to share their work with us) and by third parties with expertise in the various streams of work. If you have any documents you wish to contribute for the benefit of the network, please email firstname.lastname@example.org
We have scheduled a workshop on preparing for the GDPR at Visionary’s Annual Conference which will be led by an expert in the field. This workshop will take place on Wednesday 1st November 2017 during Session One from 11:20am to 12:40pm. To book onto this year’s conference, please click here to go to the booking form: https://www.tfaforms.com/4627463
If you have any questions or suggestions about how to address data protection, please contact the team by emailing email@example.com
What our membership is doing
As well as Visionary’s own team working hard on this, we have been hearing about some fantastic innovation and collaboration going on amongst the membership to address data protection issues. Here is what some of our members are doing:
- Some of our members have chosen to work with external consultants to help them develop an action plan to keep compliant when new regulations come into place.
- Others have chosen individuals within their organisation to take on responsibility for keeping up to date with data protection changes, in addition to their existing responsibilities, to develop the expertise within the organisation.
- Some organisations are using the regional group structure to exchange information such as presentations, links to resources and information about what they are doing to share learning and support each other. This has been both through the mailing lists that the regional representative holds and on the agenda at regional meetings.
Where to start
There are several key pieces of current and proposed legislation that concern data protection.
Data Protection Act 1998
General Data Protection Regulation (coming into force 25th May 2018):
Data Protection Bill
Do you need to register with the ICO?
The Data Protection Act 1998 requires every data controller (e.g. organisation, sole trader) who is processing personal information to register with the ICO, unless they are exempt. More than 400,000 organisations are currently registered, although there are many exemptions which may mean you do not need to register. The ICO provide a short self-assessment to help you answer this question: https://ico.org.uk/for-organisations/register/self-assessment/
Are you ready for the GDPR in May 2018?
The ICO provide a self-assessment toolkit to help you evaluate how ready you are for the new regulations coming into force in May 2018:
How compliant are you with current legislation and regulations?
As well as GDPR preparation, the ICO provides self-assessment toolkits in several areas of data protection from direct marketing to data sharing. Evaluate how well you are currently doing in these areas: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment-toolkit/
Some of our favourite resources
NCVO have produced a 12-point basic overview on ‘How to prepare for GDPR and data protection reform’:
There is a whole website that has been set up dedicated to helping educate the public on the GDPR: http://www.eugdpr.org/ It helpfully summarises the key changes here: http://www.eugdpr.org/key-changes.html
But the GDPR is EU legislation and we’re leaving the EU!
This doesn’t change the need to prepare for the new legislation.
- We are currently a member of the EU. The earliest we will leave the EU is 2019. The GDPR comes into force in May 2018, so it will still apply to us as an EU member state.
- The GDPR still applies if either the data subject (person whose information you have) or the data controller/processor (organisation with the data) is in the EU. This includes if your server is in the EU.
- Even if we leave the EU, and even if you only operate outside the EU (UK) and only control/process data of non-EU people, the law will still apply! The UK government has committed to introducing a Data Protection Bill which will implement the EU GDPR in full in UK law and the Bill will go further still with regulatory requirements to ensure the UK is a world leader in data protection. Read more on the government’s statement of intent here: https://www.gov.uk/government/news/government-to-strengthen-uk-data-protection-law
Need specialist advice now?
Speak to the ICO directly for any queries or concerns. You can call the ICO helpline which is open from 9am to 5pm Monday to Friday on 0303 123 1113. Press option 4 to speak to someone directly. Alternatively you can email them your query: firstname.lastname@example.org