It has now been nine months since the EU General Data Protection Regulation ('GDPR') came into force to a fanfare of publicity. Charities have found their resources stretched more thinly as they try to comply.
A whole new industry of data protection 'experts' suddenly appeared to give their opinion to charities. That, and the extensive press coverage that GDPR received meant it was probably inevitable that certain myths and misinformation would also arise.
While the more cataclysmic predictions regarding GDPR have not come to pass, myths still circulate to pernicious effect. The following five are based on real life examples we have recently encountered. We are sure that there are others.
Myth 1 - We can avoid the GDPR by only using paper correspondence
Whilst it would be appealing to think that there is an easy route to by-passing data protection regulation altogether, it is doubtful that limiting your organisation to paper correspondence, aside from the obvious practical headache this creates, is a quick fix to 'get around' data protection rules.
The GDPR applies to personal data processed 'wholly' but also 'partly' by automated means, which ostensibly means it will be held electronically, even if only in part. Furthermore, personal data within paper files held in a 'structured' filing system will also be caught by GDPR.
If personal data is likely find its way onto a computer, or end up being stored in a filing system at some point during your handling of it, then it is likely to be caught by GDPR, even if you are only communicating the same information by paper.
In other words, perhaps the only way to avoid the rules is either not communicate in any form of writing at all or only ever store your paper documents and correspondence by throwing them into a random pile. We doubt that either of these prospects would be appealing to most organisations.
Myth 2 – GDPR means we should be seeking someone's consent to use their personal data
One of the most common misconceptions in the press prior to the GDPR taking effect was that the new regime somehow moved all organisations to requiring individual consent as a prerequisite to any processing or use of individual data.
To summarise, the GDPR (reflecting previous data protection rules) sets out a list of preconditions (or 'legal grounds') for the processing of personal data. There are currently six of these under the GDPR for non-sensitive personal data of which at least one or more needs to apply.
Consent is on this list but it is not the only possible grounds. Others include where the data processing is needed to comply with a contractual obligation to the individual; processing is required to comply with a legal obligation; or where your organisation or a third party has a 'legitimate interest' in processing that personal data (and the privacy or other legal rights of the individual do not override these interests). There is nothing in the GDPR that makes consent better or legally superior to any other bases for processing.
Choosing consent also has practical consequences. If you rely on consent as a sole grounds for processing, then you need to stick to it and the individual must have a right to withdraw their consent to your processing any time in the future. Consent can often be withdrawn when a disagreement arises with an individual that may have no relevance to data privacy, but where they simply want to make life difficult for the organisation.
Accordingly, consent should not be seen as a panacea but rather one option you may have to choose when none of the other grounds for processing data are readily available.
Myth 3 – If an individual asks for data we hold about them, we have to hand everything over that refers to them personally
The introduction of the GDPR has increased the number of data subject access requests or 'DSARs' that we advise on.
Many DSARs we encounter are of the 'please hand over all documents in your possession that refer to me' variety. Often an organisation's natural inclination – particularly when faced with a DSAR served by solicitors couched in threatening terms – is to simply comply without question.
However, you are not legally obliged to hand over every document you hold just because the individual or their solicitor asks for it. There are some important limitations arounds the DSAR right.
The first point to bear in mind is that just because someone is referred to in a document, does not mean that whole document is classed as their personal data. Data is 'personal' only so far as it relates to the individual and may only cover a fraction of a document or string of correspondence.
Secondly, there are some exemptions which allow you to withhold data in response to a DSAR in certain circumstances. Two important exemptions are: (1) where information is covered by the legal professional privilege ('LPP') exemption, which means the information is either privileged between your organisation and its professional legal advisors or your professional legal advisor owes you a duty of confidence and (2) if, by disclosing information about your negotiating position with the individual making the request, you are likely to be prejudiced (eg by revealing internal correspondence about how you may want to settle a financial claim with them).
There are also grounds to withhold data in situations where the request is 'manifestly unfounded or excessive', which will cover frequent, repeated requests for the same information.
A further point to bear in mind is that in many instances, personal data about individuals in correspondence or a document will be mixed up with personal or private data relating to other individuals. In these situations, you are entitled (and indeed, obliged) to balance the rights of the applicant making the DSAR against the rights of other identified individuals, particularly if those other individuals do not consent to their data being disclosed and you are entitled to take account of any legal obligation (such as a duty of confidence) owed to that individual. Whilst applying this balancing test is not always easy, it is something to consider before handing over all data in your possession.
Myth 4 - Personal data relates only to living individuals so legacy officers do not need to worry
Whilst it is true that legacy officers do not need to be concerned about the GDPR rights of a deceased legator, you will of course still be dealing with individuals who are very much alive such as family members, beneficiaries, executors or trustees. Those individuals may want enforce their data protection rights in respect of the data you hold about them, usually when they have a dispute.
This means that organisations need to take the same care in respect of personal data processed on legacy administration matters as they do in respect of fundraising and other aspects of their operations. Particular care needs to be taken with comments recorded on file about living individuals given that these often may be disclosable in response to a data subject access request or 'DSAR' (on which, see more below).
Myth 5 – We may not keep any personal data for more than two years
It is true that GDPR effectively requires organisations to more carefully consider and document their data retention and deletion policies. Specifically, the data storage limitation principle means that you should not hold personal data for any longer than is 'necessary' in the circumstances. However, there is no time limit set under data protection law.
The issue around charity fundraising and holding of supporter data for long periods received extensive press coverage in the run up to the introduction of the GDPR and many organisations adopted strict limitations on how long they retain supporter data as a result.
While holding data indefinitely on the off-chance that it might be useful for an undetermined purpose later is not recommended or legal, data retention is not a case of picking a 'one-size fits all' period for all personal data across the organisation.
Legacy teams will need to deal with potential claims. There is a clear need for them to be part of the charity's data retention policy discussion. There is also a justification for holding evidence of a donor's connection with the charity, potentially by way of retaining an archive record of their past giving or support, provided that such retention is properly managed and documented. Such a period is likely to be far longer than it would be for fundraising and other operations.
These are just five of the myths that have encountered. However, there may be more that your organisation comes up against. So, the next time are told something is needed to 'comply with GDPR' and it sounds strange, treat it with caution (and, better yet, take advice!).
To be continued…