GDPR – what’s been happening since 25 May?

It’s still too early to see what impact the new regulation is having on any sector, least of all the not-for-profit sector which is still seen as being high up on the ICO's list. Due to the number of questions received from the not-for-profit sector in particular, the ICO has provided some sector specific guidance and toolkits for charities which you can read here:

In advance of the 25 May enforcement date, the ICO seemed to be taking a slightly softer stance in relation to organisations being fully compliant. They recognised that there were still a significant number of organisations that were actively working towards compliance and announced that, as long as any organisation could provide evidence work was underway, then the 25 May was not deemed to be a ‘hard deadline’. It was very important, however, that any organisation that wasn’t ready by 25 May was able to provide this evidence to satisfy the accountability and transparency principles of the GDPR.

So as professional advisors, what are we seeing now, some four months later?

There’s still a significant number of charities continuing to work towards full compliance, but very quickly we’re seeing a shift from ‘getting ready for GDPR’ to focusing on how to satisfy the accountability requirement – that is, how you’ll ensure your charity continues to comply with the regulation in future.

Article 5 of GDPR talks about the accountability principle. This is the part of the regulation all charities need to ensure they’re on top of and able to evidence, at least annually, going forward.

The responsibility of satisfying the accountability principle falls upon the assigned Data Protection Officer or, if one is not deemed necessary, the individual that has been allocated the responsibility of data protection within an organisation.

Charities need to consider whether all policies, procedures and systems that have been introduced or amended are being adhered to and whether these are working effectively to ensure that your charity continues to operate within the expectations of the regulation.

This means introducing a GDPR compliance project plan that incorporates appropriate testing and verification techniques, so, at the end of the year, management and trustees are able to assess what’s working well and what needs further improvement.

Need help with your compliance?
We’ve launched an outsourced service offering the Data Protection or Data Compliance Officer function, which includes the management and running of the ongoing GDPR compliance monitoring plan, but moreover enables you to pass more of the responsibility of data protection to us as an outsourced provider. If your charity doesn’t require this full outsourced service, we can provide ongoing GDPR compliance monitoring services on a standalone basis.

If you require further information on how we can help you continue to comply with GDPR regulation, please contact our Head of Privacy, Chris Beveridge.

Leave a comment

 Security code