There has been a lot of hype in the media about the General Data Protection Regulation (GDPR) focusing on exaggerated misinterpretations of the new legislation. However, GDPR is not a revolution and 25th May 2018 is not a cliff edge. Managing Trustees do not need to worry about putting in place all the required policies, notices and records immediately nor do they need to do this by themselves. The Data Protection Working Party (“Working Party”) is putting in place the tools to assist Managing Trustees in their role as processors in time for the changes in legislation.
This article sets out to challenge some of the myths surrounding GDPR both in the wider media and amongst Managing Trustees themselves. The article also includes quotes from Elizabeth Denham, the Information Commissioner to help put Managing Trustees minds at ease.
GDPR does not mean you need consent for everything..
Yes there are now more exacting rules about obtaining valid consent, but Managing Trustees need to bear in mind that they do not need consent for everything.
“Consent is one way to comply with the GDPR, but it’s not the only way.” (Elizabeth Denham, 16 August 2017. ICO blog “Consent is not the Silver bullet for GDPR compliance”)
Step 5 of the 9 steps for Managing Trustees to take now to comply with GDPR (9 Steps) explains how Managing Trustees can base their use of personal information on one or more of a number of legal reasons (lawful bases); it is not all about “consent”. The lawful bases most likely to be of use to Managing Trustees, in addition to “consent”, include “contractual obligations” (e.g. requirements under employment contracts and licence agreements), “legal obligations” (e.g. requirements of HMRC or landlord and tenant legislation) and the “legitimate interests” of the managing trustee body (e.g. necessary use of personal information to carry out the functions of the managing trustee body such as maintaining lists of members or sorting out room bookings).
Although it does not seem that way from media reports, consent is not automatically better than any of the other legal bases and relying on consent when it is not appropriate to do so e.g. if the individual is not “free” to give their consent/ they feel compelled to do so as an employee for example, would not even be a valid legal reason.
The Working Party is developing guidance on the issue of lawful bases that will soon be available in the FAQs and Lawful Bases Flow Chart. In the meantime Managing Trustees can refer to the guidance that is available from the ICO including the ICO's blog “Consent is not the Silver bullet for GDPR compliance” and their guidance; “What is meant by “consent"”?
GDPR will not automatically lead to small charities paying huge fines..
Yes GDPR gives the ICO much greater powers to impose eye watering fines, but the ICO stresses that it is a proportionate regulator:
“..it’s scaremongering to suggest that we'll [the ICO] be making early examples of organisations for minor infringements or that maximum fines will become the norm.” Elizabeth Denham, 9 August 2017. ICO blog GDPR – Sorting the fact from the fiction
GDPR emphasises the need to fully incorporate data protection considerations into everything rather than just ticking boxes. The tool kit being produced by the Working Party and accompanying training and data championing by the Districts will help to demonstrate the Methodist Church’s commitment to data protection. Even if everything is not perfect by 25th May Managing Trustees should be able to demonstrate by having taken the 9 Steps that the main building blocks are in place and there are ongoing strategies and a commitment to comply with the new requirements.
At the end of the day, the motivation should not be avoiding penalties but better protecting your members' and others’ personal information.
Managing Trustees are not expected to draft and implement their own data protection policies from scratch..
The Working Party and the Districts as data champions are here to provide all that Managing Trustees need to meet the introduction of GDPR with confidence.
We won’t be ready for 25th May...
Managing Trustees can rest assured that the Working Party has been undertaking a great deal of work behind the scenes including the comprehensive data mapping exercise (based on a representative sample of managing trustee bodies) to ascertain exactly what data the Methodist Church collects and deals with, and what data protection issues need to be addressed.
The Working Party will use this exercise to produce carefully considered guidance and templates specific to Methodist Managing Trustees. Although it is important to start taking steps to get ready for the arrival of GDPR on 25th May 2018, there is no need to panic. In contrast there is every reason to wait for the tool kit of guidance, templates and other resources being produced by the Working Party. This comprehensive tool kit will be targeted specifically at Methodist Managing Trustees and takes on board the most up-to-date guidance coming from the Information Commissioner’s Office (ICO).
The most recent guidance being rolled out includes the 9 Steps. This is a key piece of the tool kit setting out practical steps that Managing Trustees can start taking now and highlighting some of the initial templates, policies and guidance being rolled out by the Working Party to help Managing Trustees.
Managing Trustees also need to bear in mind that data protection is in a very fluid situation. The Data Protection Bill is still going through parliament; at the date of this article it is on its third reading and the ICO is constantly updating its own guidance. There is a lot of merit in seeing how things pan out to ensure policies and templates reflect up-to-date guidance from the ICO.
“..some of the fear is rooted in scaremongering because of misconceptions or in a bid to sell ‘off the shelf’ GDPR solutions.” Elizabeth Denham, 22 December 2017. ICO blog GDPR is not Y2K
Managing Trustees may feel that companies charging large fees to draw up new policies have much to gain from rushing people into things. Many experts in the field advise their clients to wait and see.
Having said that it is however important for Managing Trustees to start working through the 9 Steps and keep an eye on the guidance, policies and templates as and when they become available to ensure the main building blocks are in place by 25th May 2018.
GDPR is not Y2k..
Managing Trustees may remember the hype surrounding Y2k? Rest assured that GDPR is not a cliff edge.
“GDPR compliance is an ongoing journey”. Elizabeth Denham, 22 December 2017. ICO blog GDPR is not Y2K
Managing Trustees need to take steps now to prepare so that they are ready for GDPR coming into force in May but it is an evolving process and the policies and procedures being rolled out will need to be constantly reviewed and upcoming data processing issues addressed.
Unlike Y2k we all know what will happen after 25th May 2018; it is not an unknown. GDPR updates and consolidates existing data protection law to bring it into the twenty first century. The guidance produced by the Working Party and the ICO mean that Managing Trustees know what to expect and what steps to take leading up to 25th May 2018 and beyond.
GDPR is not here to burden volunteers with bureaucracy and fines..
Amid all the talk of the GDPR requirements it can be easy to forget that the real beneficiary of the new laws is everybody.
“..we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.” Elizabeth Denham, 9 August 2017. ICO blog GDPR – Sorting the fact from the fiction
GDPR seeks to protect everybody’s personal information (personal data), ensure those who hold it look after it, use it only for the purposes intended and respect and respond to the rights of those whose data is held (data subjects). This is of benefit to all those the Local Church, Circuit and District hold dear including church members, lay workers, third party users and members of your community involved in the Church.
The guidance, policies and template documents that will be made available to Managing Trustees by the Working Party over the next few months will help Managing Trustees to make the transition to the new rules and help us to all work together to keep our precious personal information safe. It will involve more work but everybody will benefit from doing it right. Don’t forget what this new law is about.
If you are not reading this via a link from TMCP's notification email then sign-up to receive notifications to ensure that next time new or updated data protection guidance is available you do receive notice of it. To do this Managing Trustees should look out for the “Stay updated” banner appearing at the foot of each webpage (Link: https://www.tmcp.org.uk/news-hub) insert their contact email address and confirm they would like to receive notifications when they receive a welcome email from TMCP.
If Managing Trustees have any queries then please contact TMCP (firstname.lastname@example.org) for further assistance regarding general data protection matters and the Conference Office for queries specifically relating to safeguarding or complaints and discipline matters (email@example.com).