The data protection landscape has seen significant change, and more is expected. What does that mean for charities specifically? In our 8 July 2021 webinar, Shoosmiths’ Partner Sarah Tedstone identified areas where significant change has already happened and where action will be needed in the next few weeks and months to stay compliant.
What does the new UK data protection regime look like?
The UK GDPR:
- Applies to:
  - Controllers or processors based in the UK, regardless of where processing takes place
  - Controllers or processors based outside the UK whose processing activities relate to individuals in the UK. A UK representative is needed.
- The ICO will be the supervisory authority
The EU GDPR:
- Applies to:
  - Controllers or processors based in the EEA, regardless of where processing takes place
  - Controllers or processors based outside the EEA whose processing activities relate to individuals in the EEA. An EU representative is needed.
- EEA supervisory authority/ies
Personal data can flow freely between the EEA and the UK and is safeguarded. The decision lasts for up to 4 years and will be reviewed.
International data transfers – Safeguards: new SCCs
Safeguards may be needed for international personal data transfers depending on the locations involved. List of countries deemed already adequate by the EU and UK and not needing safeguards: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, UK and Uruguay.
Main safeguards include:
- BCRs – the gold standard
- SCCs – EU-approved template terms which ensure GDPR standards are met, provided the terms are respected. The new modular EU SCCs contain new obligations and require significant work by 27 September. New UK SCCs are awaited.
What about marketing and emarketing?
- Which regime(s) applies? Sources of guidance:
  - ICO and other supervisory authority guidance
  - Code of Fundraising Practice
  - ILM guidance
  - Draft Direct Marketing Code of Practice
- In the UK, the PECR rules cover eMarketing, cookies and electronic communications. They derive from EU law but are set out in UK law, and they continue to apply in the UK.
- The EU is replacing the current e-privacy law with a new e-privacy Regulation (it remains to be seen if and how it will be applied in the UK). The territoriality provisions are likely to mean that the UK will still need to comply.
- Examples of complexity: cookies and consent:
  - A website or company based in one location targeting individuals in another location may have to comply with both regimes. The status of guidance from regulators globally will depend on the locations involved.
  - Significant guidance from Europe indicates that user consent is needed for any non-essential cookies, and separately for direct marketing and for sharing the information for marketing by other group organisations.
Charities marketing: Legitimate interests or consent?
Communications and data processing
- Where PECR is involved and requires consent, that consent must be obtained and used as the lawful basis under the GDPR.
- Where PECR does not require consent, you can use another lawful basis under the GDPR, e.g. legitimate interests.
- If legitimate interests is relied on as the lawful basis for processing, a Legitimate Interests Assessment should be undertaken and recorded, balancing the interests of the charity against the rights of the individual.
When does PECR require consent for marketing individuals?
- Recorded calls
- You can comply with specific requests from the individual;
- Post – still need to comply with data protection laws and show legitimate reason for holding information of individual e.g. name and address;
- Live calls – check telephone preference service;
- Researching prospects/legacy profiling and bought-in lists – you still need a lawful basis for using public information and must be fair, lawful and transparent;
- Individual v corporate contact details - use caution;
- Marketing v service and other admin messages - be aware of the difference;
- Encouraging professionally written legacies in wills v encouraging professionals to include legacies in wills;
- Testator v prospective testator – keep in mind changing status and different messages;
- Sharing with other charities and fighting fraud;
- The more sensitive the information the more justification needed.
What do you do now?
- Understand what regime applies to you by data mapping your flow
- Prioritise key flows
- Need to distinguish between UK, EEA and rest of the world processing
- Appoint EU and UK representatives where needed – this is mandatory
- Assess your appropriate lead supervisory authority
- Update your BCRs and apply for UK BCRs as needed
- Keep track of privacy law changes – existing EU SCCs, new EU SCCs and UK SCCs
- Review your privacy notices, DPAs, contracts and other documentation to update references to EU law, UK-EU transfers and your UK and/or EU representative
- Ensure your DPO is easily accessible from UK and EEA establishments and has expertise in all regimes.
Between the EEA and the UK – data is likely to flow freely.
Between the rest of the world and the EEA and UK:
For medium to large charities the options are:
- BCRs (controller and processor), which address processing internally and with others;
- Hybrid DTA; and
- SCC+ – Shoosmiths’ model, including a Transfer Risk Assessment.
For smaller charities the options are:
- Hybrid DTA; and
- SCC+ – Shoosmiths’ model, including a Transfer Risk Assessment.
What else is new?
- Data Sharing Code: where organisations each use shared personal data for their own different purposes, their agreements should set out the details of the data sharing
- Children's Code: from September 2021, new rules (15 new standards) for websites and online services that may be used by children
- Updated Criminal Conviction Guidance: wider than previously thought
- Updated Data Subject Access Rights Guidance
- Updated controllers and processors guidance: contracts with third parties may need a review.