By Laura Colebrook, Solicitor
The current Data Protection Directive (95/46/EC) is set to receive an overhaul of the sort which would leave Santa and his elves with a whole mountain of paperwork and internal administration to deal with before he could even think about jumping into his sleigh.
The Directive was introduced in 1995, and implemented into UK law in 1998, so it predates the technology and communication methods that have developed over this 16-year period.
The European Commission first proposed to unify the law in this area in 2012. The purpose of the new rules will be to ensure that the use of personal data is consistent across EU member states. A new single-law General Data Protection Regulation (GDPR) has now been adopted by the European Parliament and is expected to come into force between March and September next year.
But how will this affect charities?
Under the new law, any organisation (including a charity) with more than 250 employees will have to appoint a Data Protection Officer. Their role will be to ensure that data protection rules are being enforced appropriately. At present, no guidance has been provided on how to comply with this standard, aside from involving a “suitably qualified” person with an understanding of data protection laws.
The application of this rule appears to be particularly arbitrary for charities, considering the new law does not take into account the often significant amount of personal information a large charity will have under its control.
Other changes that will impact charities include:
So what do charities need to do?
These proposals mean charities will have to drastically alter their internal data systems to adapt to the new law.
If charities get the law wrong, they will be subject to further scrutiny. Fines of up to €1m (£780,000) or 2 per cent of annual worldwide turnover could be imposed. A duty to notify of any data breaches will also be implemented, giving charities 24 hours to contact the authorities and the individuals whose personal data was affected.
Charities are therefore urged to prepare now for the changes rather than wait and risk falling foul of the law.