Who's Afraid Of The GDPR? Data Issues For Legacy Officers

GDPR: What it is and when will it happen?

On 25 May 2018, the EU General Data Protection Regulation ('GDPR') will come into force across all EU member states, including the United Kingdom. This new Regulation replaces the current UK Data Protection Act ('DPA') and represents the most significant change to UK data protection law in 20 years.

Headlines have been dominated by the large penalties that the GDPR introduces for the most serious breaches of the law. These are up to €20 million or 4% of an organisation's global turnover (whichever is the higher).

Many charities and their legacy teams are therefore asking questions about what the GDPR will mean for them. For example, a legacy officer could be affected if, say, an executor told him or her about the personal circumstances or health condition of an estranged child of the legator and the officer recorded that information on file. The child could contact the charity and request a copy of the data that the charity holds about them (see the information below about subject access).

GDPR: how does it apply?

If your organisation collects or stores any 'personal data' on a computer or in a filing system, it will almost certainly be processing that personal data and be subject to data protection law under the DPA and the GDPR.

The GDPR reforms and updates current data protection law in the UK. However, many of the DPA's existing fundamental concepts will remain the same and if your organisation is already complying with the DPA's data protection principles then it should be well on its way to being 'GDPR compliant'.

The GDPR regulates the processing of personal data. 'Personal data' means any data that relates to a living individual who can be directly or indirectly identified from that data and any other data that the organisation may hold about them, in particular by reference to an identifier such as a name, contact details or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. [Note: the reference to a 'living individual' in the definition of 'personal data' means that information relating to a deceased person would not technically be personal data, although it may be mixed on file with information about other living family members or carers, which is personal data about them. Also, where medical information is sought, other laws, such as the Access to Health Records Act 1990, could still permit a personal representative (PR) to access a deceased person's health records.]

In summary, how does the GDPR apply to my organisation?

Like the DPA, the GDPR effectively has two main aspects:

Organisational Obligations: Legal responsibilities that organisations (called 'data controllers' or 'controllers' under the GDPR) must follow when they collect and process any personal data. These are referred to as the 'Data Protection Principles' in the UK. There are 8 of these at present (eg the first data protection principle, that data must be processed on a 'fair and lawful' basis). The 8 Principles remain largely the same, but with the addition of a new 'Accountability Principle', meaning that your organisation needs to demonstrate that it is complying with the Principles.

Individual Rights: Gives the individual whose data is being handled (called the 'data subject') certain rights regarding their personal data (and how it is used). These include a right to object, a right to request the correction of inaccurate data, and a right to request the erasure of obsolete data (called the 'right to be forgotten').

Issues for Legacy Officers

Some coverage of the GDPR has perhaps overstated how far the law is changing. While there are some new features, the new law does not completely rewrite the DPA but rather builds on its rules.

However, it is true that, with the stakes for non-compliance becoming much higher, data protection should no longer be seen as an obscure regulatory issue that perhaps only the legal or IT team needs to be concerned with, but as an issue that all parts of your organisation, including...
