If you like our news articles, subscribe here to receive our newsletter.

The Information Commissioner’s office has published useful guidance entitled “12 Steps to Take Now” so that organisations can start to prepare for the GDPR which is due to apply from 25 May 2018. If you are a charity trustee you need to be aware that this reform is imminent and use this checklist and the other free resources available on the ICO’s website to ensure that you have an approach in place and new procedures to deal with the GDPR’s new transparency and individuals’ rights provisions.

The GDPR places a greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. The GDPR will have more impact on some charities than others, for example provisions relating to children’s data. As a starting point charity trustees should map out which parts of the GDPR would have the greatest impact on their organisation as part of the initial planning process.

Summary of 12 Steps:

1. Awareness – make sure that the charity trustees and the senior management team are aware that the law is changing to the GDPR.

2. Information you hold – what personal data does your organisation hold, where did it come from and who do you share it with? Charity trustees should organise an information audit.

3. Communicating privacy information – review current notices and put in place any necessary changes prior to GDPR implementation in relation to privacy notices.

4. Individuals’ rights – ensure that your current procedures cover individuals’ rights, deletion of data and providing data electronically.

5. Subject access requests – update these procedures.

6. Lawful basis for processing personal data – again you will need to identify the lawful basis for processing, document it and update your privacy notice to explain it.

7. Consent – review how to record and manage consent and refresh existing consents if they do not meet GDPR standards.

8. Children – do you need to put systems in place to check individual’s ages or obtain parental or guardian consent?

9. Data breaches – have you the right procedures to detect, report and investigate a personal data breach?

10. Data protection by Design and Data Protection Impact Assessments – charity trustees should read the ICO’s Code of Practice on Privacy Impact Assessments and decide how to apply this to your organisation.

11. Data protection officers – designate someone to take responsibility for data protection compliance and ensure that they report formally to the Board of Trustees on a regular basis.

12. International – if you work in more than one EU member state you will need to identify your lead data protection supervisory authority.

If you have any queries in relation to the above please contact Claire Wilson on 02890321863 or email claire.wilson@edwardsandcompany.co.uk