6th December 2017
Charities and tech companies gathered at the GDPR and Data Protection meet-up on 5 December, organised by Tech for Good Bath, part of the wider international TechSoup and Net2 initiatives bringing together non-profits, activists, tech leaders and funders interested in using technology for social change. Graeme Fearon, intellectual property partner at Thrings solicitors, tackled what they should be doing to stay ahead in the face of the new rules.
The GDPR introduces new obligations and rights as well as increased enforcement powers. “Whatever the type of organisation, if you hold personal data of any kind, including about employees, then the GDPR will apply to you”, warned Graeme.
Compared to the Data Protection Act (DPA), the GDPR means enhanced protection of data and an increased number of rights for those people whose data is held.
Of paramount importance is the need to have a legal basis for processing personal data, whether in the form of a contract with the person, a legal obligation imposed on a business, or consent. Accountability is another key factor which Graeme highlighted at the meet-up, with internal policies and processes needing to be implemented, applied and constantly reviewed.
“There is no denying that the GDPR means an overhaul of data processing and storage for organisations. That comes at a cost in terms of time and resources – but it needn’t be massive, and where there are challenges there are also opportunities” said Graeme, adding: “It’s an opportunity to spring clean your data and relationships and strengthen trust in your organisation. If you grasp the opportunity to modernise your processes, you could also become more efficient and effective – what organisation doesn’t want that?”
Annie Legge, Tech for Good Bath organiser and co-founder of The Dot Project said: “This was a thoroughly informative evening for our network, bringing together the legal knowledge from Thrings through to St John’s Foundation sharing their own journey to embedding GDPR into their culture and values.
“We have to make the subject of data protection accessible and not overwhelming for non-profit organisations, to see their legal responsibility as an opportunity to build trust. As Graham stated, "If you are dealing with people, you are dealing with data protection. This is about the human rights of the individual."
Although sanctions for non-compliance include monetary penalties of up to 4% of worldwide annual turnover or €20,000,000, enforcement is more likely to involve investigative, corrective and advisory actions for any organisation that can demonstrate it has been acting in a reasonable and responsible manner.
The new European regulation comes into force on 25 May 2018, with the UK Data Protection Bill implementing it into UK domestic law after Brexit.
More information on the new rules can be found in Thrings’ “A no nonsense guide to GDPR”, downloadable here.