For so many charities and social businesses, 25 May 2018 was a date etched into people's minds as 'GDPR day'. As the clock ticked down, that Friday in May loomed like a cliff-edge for anyone trying to ensure that their organisation would be GDPR-compliant in time.
Of course, when the big day arrived it came and went just like any other and we're all still here to tell the tale.
It's no admission of defeat to acknowledge that there's still work to do. Even one month on, very few organisations are 100% compliant with all aspects of GDPR, and it would be unwise to see data protection as a stand-alone project that can be finished and signed off.
Data protection compliance is an ongoing task and charities can't afford to let it become side-lined in favour of the next big project. Organisations that stop paying attention to data protection run the risk of receiving complaints from members of the public, being investigated by the Information Commissioner's Office (ICO), suffering serious reputational damage, and even being issued with a penalty fine.
In our experience, charities have rightly prioritised reviewing the personal information that they collect and use, updating their privacy notices and data protection policies, and analysing their fundraising and marketing practices. But these are all things that need to be kept under regular review – a change of supplier, a new fundraising initiative, or a partnership with another charity will all affect data protection policies and practices.
It's also key to ensure that staff, volunteers and trustees keep data protection in mind as they go about their day-to-day work. They must be able to recognise when something might be amiss and know what to do – it's now compulsory to report certain personal data breaches to the ICO within 72 hours of becoming aware of them.
Charities, just like any other organisation that processes personal data, will need to learn and adapt as the ICO publishes further guidance and updates existing codes of practice in light of the new legislation. In time, we will also see the first enforcement action being taken under the new regime, as well as case law emerging as challenges are brought in the courts.
There's no doubt that charity activities will continue to be subject to scrutiny. Just this month, we've seen the ICO fine The British and Foreign Bible Society £100,000 over a cyber-attack that exposed insufficient security measures in the charity's IT network, and BT fined £77,000 for promoting three charity initiatives to its customers without their consent, in breach of the Privacy and Electronic Communications Regulations (PECR).
While charities should certainly be congratulated for all their hard work in the run-up to 25 May 2018, the work doesn't stop here, and our data protection lawyers will continue to be on hand to support charities as they navigate the new legal landscape.