Since the Data Protection Act 2018 received Royal Assent on 23rd May 2018, two days before the EU deadline for implementation of the General Data Protection Regulation (GDPR), and replaced the 1998 Act, the Information Commissioner’s Office (ICO) has been updating its processes and its suite of guidance notes on data protection, the GDPR and the Act. As part of its role to ‘uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals’, the ICO assists organisations to comply with data protection legislation by providing advice and guidance aimed at preventing poor data practices and breaches.
Our previous articles on this subject included advice on managing a GDPR-inspired data audit, how data protection is part of good governance within your charity and answers to common queries and practical tips, based on the information available at the time. What does the data protection landscape for Scottish charities look like now, nine months on?
New and Updated Guidance from the ICO
The ICO has refreshed its Guide to Data Protection, which covers both the 2018 Act and the GDPR. The ICO website has a package of tools for individuals and organisations, all in a user-friendly format. The ICO also appears to have used its experience of the last nine months to expand the guide to answer commonly asked questions. The format of the guidance is more practical, with checklists and questionnaires to help the user understand their options and reach the right answer for their own data activities.
Now we have the Data Protection Act 2018, do we need to comply with the GDPR…?
The short answer is yes. The UK’s data protection regime consists of both the 2018 Act and the GDPR. The two must be read together: the GDPR is an EU Regulation which is directly applicable in the UK, and the 2018 Act contains (amongst other things) provisions which tailor how the GDPR applies in the UK.
What about Brexit, I hear you say? The ICO has issued guidance on Brexit, which it will update as the political position develops. The key point is that the data protection regime in the UK is here to stay, and withdrawal from the EU will not change that. The ICO has advised that the GDPR (subject to a few changes) will be retained in UK law under the European Union (Withdrawal) Act 2018.
Why doesn’t the ICO just tell Controllers and Processors exactly what they need to do to comply…?
Why can’t Data Controllers and Data Processors just follow set guidelines and rules? Because the data protection regime is not made up of set guidelines and rules. The ICO explains this succinctly in the guidance: compliance with the GDPR and the 2018 Act requires a risk-based approach, and the onus is on you to think about, and be able to justify, how and why you are using data the way you do. Consent is often assumed to be the only, or the ‘gold standard’, basis for processing personal data; in fact it is just one of several lawful bases available under the GDPR, and there is often more than one way to ensure compliance with the 2018 Act/GDPR.
The ICO is too busy going after big companies for data breaches, not charities…?
A breach of data subjects’ rights is a breach whether committed by a charity or by an international organisation. The ICO recently published figures and statistics that give a snapshot of its enforcement activity in the charity sector.
Two significant fines were imposed on charities last year under the 1998 Act (which capped monetary penalties at £500,000), and they could have been larger under the 2018 Act: (i) the British and Foreign Bible Society was fined £100,000 after a cyber-attack in which attackers exploited a weakness in its IT network and accessed the personal data of 417,000 supporters, and (ii) the University of Greenwich was fined £120,000 after a serious server breach affecting the data of 20,000 people.
The data protection regime has an element of self-regulation: charities are obliged, under certain conditions, to report breaches to the ICO (a personal data breach must be notified within 72 hours of the controller becoming aware of it, unless it is unlikely to result in a risk to individuals). Figures reported by Civil Society reveal that the same number of data security incidents (137) were reported by charities in each of the quarters April to June 2018 and July to September 2018. Although a relatively small number in itself, it is a significant increase when compared to the 21 incidents reported during July to September 2017. Both 2018 quarters surrounded the GDPR D-Day, and there is an argument that data controllers adopted a cautious approach when deciding whether to report a breach. It is likely the number will fall in time once the 2018 Act/GDPR further beds in.
Of the breaches reported by charities, the majority were the result of disclosure of data (information going to someone it should not have) rather than technical security failures, which accounted for the remainder. Charities can use this information to review and target potential weaknesses in their own data processing activities.
Is there specific ICO guidance for charities…?
While not ‘new’ guidance, the ICO’s findings from information risk reviews carried out on eight charities are an interesting read. Although the reviews were carried out under the 1998 Act, the lessons and messages to take away from them are the same.
In summary, the ICO worked with eight charities to undertake risk reviews, and the published report aims to highlight areas of good practice and not-so-good practice and to provide advice and practical tips. The report is split into two sections: ‘Areas of Good Practice’ and ‘Areas for Improvement’. It can be used as a checklist for charities to identify gaps in their own data processing activities.
Significant areas for improvement include having key data protection policies in place (including incident reporting procedures), having clear and consistent fair processing notices and/or consent forms, and actively managing retention policies.
One of the seven key principles under the GDPR is the ‘integrity and confidentiality’ principle, i.e. having appropriate security measures in place. Data must be processed securely using ‘appropriate technical and organisational measures’. ‘Appropriate’ means the security measures you put in place must be proportionate to your organisation and the risks involved in the data you hold; a small charity is not expected to run enterprise-grade security, but it is expected to have identified its risks and addressed them. According to the figures published by the ICO, 15 cyber incidents were reported by charities during the period April to June 2018. These incidents included phishing, unauthorised access, and the use of ransomware and other malware.
The National Cyber Security Centre has published a ‘Cyber Security: Small Charity Guide’. The guide provides practical advice and tips on backing up data, protecting your charity from malware, keeping devices safe, using passwords correctly, and how to avoid phishing attacks. The guide also has a handy infographic summary of techniques that can be easily adopted.
OSCR is also doing its part to assist charities to put appropriate cyber security measures in place, with a 10 step guide on how charities can protect themselves.
Data protection compliance was not a race to 25th May 2018, nor a tick-box exercise to be dusted off annually, completed by Trustees and filed away in the governance box. Data protection compliance should be embedded into a charity’s everyday processes and procedures.