Our checklist will help you to review where you are and identify what needs to happen before the deadline.
- Get ready to work differently with suppliers who are processing personal data on your behalf (i.e. data processors), for instance payroll providers, professional fundraisers and software providers. Agreements with these companies will need to have been reviewed to make sure they are “GDPR ready”.
- Where you rely on consent for any reason – whether to process a member’s details or to send email fundraising – check that it meets the new higher threshold set out under the GDPR. Existing consents obtained under the Data Protection Act will need to be brought to a GDPR standard in time for 25 May 2018.
- Put in place mechanisms to ensure that you can record and comply with any withdrawal of consent by individuals.
- Review your privacy statements. These will need to be much more comprehensive and detailed under the GDPR.
- Introduce policies and train staff on the new rights that individuals will have under the GDPR, so that you are ready to comply with requests as soon as they come in. These will include the complex “right to be forgotten”.
- Determine whether you will need to employ a Data Protection Officer under the GDPR. This will depend on whether you are a “public authority” and on the type of processing that you are carrying out.
- After May 2018 you will no longer be required to maintain an annual registration with the ICO. Instead you will need to prepare templates for keeping new internal records of processing. You will also need to prepare to carry out “Privacy Impact Assessments” for any “high risk” profiling.
- Update your data security policies and train staff on the new obligation to report data security breaches within 72 hours where they present a risk to individuals.
- If you are an international organisation based outside the EU, which engages with supporters or customers in the EU, you may be subject to the GDPR and need to appoint a representative in the EU.
- There will be a sharp increase in the fines which the ICO can issue for data protection breaches (up to €20 million). This needs to be reflected in your organisation’s data protection risk assessments.
This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.
All content on this page is correct as of May 25, 2017.