General Data Protection Regulation - Article 29 of the EU
John Bennett, Pinxton, Nottingham
‘In May this year, Europe’s data protection rules will undergo their biggest changes in two decades. Since they were created in the 90s, the amount of digital information we create, capture, and store has vastly increased . . . the old regime was no longer fit for purpose’. [1]
Whilst many might see this as media exaggeration, and many Christians may think it irrelevant as far as their spiritual activity is concerned, those engaged in business will have some appreciation of the amount of time, energy, and expense that organizations are investing in the matter. Is this all hype? Can we ignore it?
The European General Data Protection Regulation (GDPR), which will come into force on 25th May 2018, will change how businesses and public sector organizations can handle the information of customers. Whether we like it or not, local churches are regarded as ‘public sector or charitable organizations’ and are included in the scope of this new regulation. Equally, if, like Precious Seed, you have a database of subscribers to whom you mail out literature, or run a Christian youth camp that collects data on children’s medical and dietary requirements, or just simply hold data that enables an individual to be identified [2] for other than household usage, your activity could come under scrutiny. It should be noted, too, that, ‘The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria’. [3]
A summary of the six basic principles is that data should be:
- ‘processed lawfully, fairly and in a transparent manner in relation to individuals’ [4];
- collected only for legitimate purposes and those purposes should be specified, and stated explicitly to the person from whom it is collected. No processing beyond this specified purpose should be undertaken;
- adequate, relevant and limited – do not collect more than you legitimately intend to use;
- accurate and kept up-to-date. The regulation specifies that ‘every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay’ [5];
- kept for no longer than is necessary for the purposes for which the personal data are processed, although the archiving of data may be allowed provided the appropriate technical and organizational measures of security required by the GDPR are applied; and
- processed in a manner that ensures that personal data is secured ‘against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures’. [6]
Whilst some, or all, of these principles may be familiar to those who have worked with the Data Protection Act 1998, it is the last of these that will be applied with greater rigour and penalty for infringement in the future, particularly when the data may involve young or vulnerable people. Another area of significant change is in the area of ‘consent’. [7]
Consent is one of the lawful bases the regulation recognizes for holding personal data, and it is the one most small organizations and churches will rely on. Where you rely on it, the person whose data you hold must have consented to you holding it. That you have positively sought that consent – asking the individual to opt-in, rather than relying on silence or a pre-ticked box – and have expressed the way in which you intend to use their data, is essential. The clarity of the language at this stage is vitally important. Records of that consent should be kept, and the individual must be clear that they have the right to withdraw consent as well as to check and, if necessary, amend any data that you hold. No charge can normally be made if an information request is made, and you have one month in which to comply with that request.
It should be appreciated that a single page article cannot cover all the issues that this far-reaching piece of legislation will affect. The purpose is to highlight its impending application and to point the reader to areas where appropriate and up-to-date advice can be obtained.
The Information Commissioner’s Office website contains an in-depth treatment of the regulation. It can be accessed at https://ico.org.uk
The section dealing specifically with charities is here: https://ico.org.uk/for-organisations/charity
What are called ‘the twelve steps’ in preparation for the GDPR can be accessed here:
A complete data protection self-assessment section is available here:
This is particularly helpful in determining what you may need to do to make your organization or activity compliant.
Finally, there is a phone service aimed at providing guidance to people running charities. Known as the ICO helpline, it can be accessed from within the UK by dialling 0303 123 1113 and selecting option 4. The line is staffed by those who can offer appropriate support on preparing for the General Data Protection Regulation, current data protection rules and other legislation regulated by the ICO, including electronic marketing and Freedom of Information.
[2] This is the regulation’s definition of ‘personal data’. See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/