General Data Protection Regulation (GDPR)
St Nicholas Hospice Care’s commitment to GDPR
Your privacy is a top priority for UK businesses, organisations and charities, which are preparing for new law changes in May 2018. In the media we are hearing phrases such as GDPR, data protection, opt-in consent, cookies and the right to be forgotten more and more often, but what does it all mean?
This rapid development of new ideas and terms brought on by our digital world can be confusing, but you should be assured that GDPR is a positive thing. It is the new law that protects your personal information.
It is the most important data protection regulation change in 20 years and it will become law on Friday, 25 May, 2018.
It is St Nicholas Hospice Care’s responsibility to ensure that the personal data you have given us is kept safe and only used in the correct way.
We have an obligation to only ever communicate with you in ways you have told us are OK, and to only talk with you about things you have said you want to hear about.
We update our records regularly to ensure that those supporters who want to are receiving the latest Hospice news, as well as information about our events and supporters.
What are the changes?
One of the biggest changes is around obtaining consent to use personal data. The new requirement will affect how the Hospice obtains and renews consent, and the GDPR also introduces the need to record the details of that consent for auditing purposes.
This may mean that we will be asking you whether you would like to keep receiving information from us in the future. This could be anything from information about fundraising events, details about challenges and activities you have signed up to, or St Nic’s, the Hospice’s magazine for supporters.
Other changes include:
• A wider definition of personal data
• New categories of sensitive personal data
• Increased rights for data subjects
• Some organisations will need to appoint a Data Protection Officer; the Hospice will be appointing a Data Protection Officer in due course.
What is personal data?
Personal data is about living people and could be:
• their name
• medical details
• banking details
The GDPR applies to all personal data which it defines as:
“Personal data means any information relating to an identified or identifiable natural person.”
• It applies to both automated personal data and to manual filing systems
• Personal data that has been anonymised
• It also applies to sensitive personal data. This includes information like: racial or ethnic origin, political opinions, religion, or information about their health.
When does the Hospice use personal data?
At the Hospice we use personal data when we process any donations given to us, to make sure we are accurately recording our supporters’ fundraising.
We sometimes use your data to let you know about fundraising events that might be of interest to you, as well as any appeals we may run. You can tell us at any time if you do not want us to do this.
We also need to record information about those who receive our Hospice’s care and support. Even if we visit you in the community and you do not come into the Hospice, it is still likely that we will need to record information about you.
For example, you may attend one of our Open House sessions, be visited by one of our staff or volunteers in your home, or come along to one of our support groups.
The GDPR does not change the duty we have to protect the personal and medical information you share with us. This will always remain a priority for St Nicholas Hospice Care.
The GDPR does create some new rights for individuals as well as strengthening some of the rights currently covered by the Data Protection Act.
What data do we record about you?
As an organisation we only ask for the information we need. This could be information to process donations or keep people informed about events and activities they have signed up to. We also record when people have fundraised for us, donated to a shop or supported us in another way.
As a general rule we will record your name, address and any contact information that you choose to give us. There may be occasions when further details are needed, but this will always be explained and you can always choose what to tell us.
We also never sell your information on to anyone – and there are no exceptions to this.
Sometimes we might share your information with companies that work on our behalf, for example when we use a mailing house to print and post some of our larger mailings, but all details are sent in a secure, encrypted form and are never kept by them.
We also have contracts with them to ensure they treat your data as carefully as we do.
How do we contact people?
You decide how and when we contact you, and you can change this at any time. You can also tell us not to contact you at all. We are very careful to keep our communication relevant and to think about what we send to you.
If you would like to make changes to the way you receive information from St Nicholas Hospice Care, please telephone 01284 766133 or email firstname.lastname@example.org.
GDPR and consent
The GDPR’s definition of consent is similar to the 1998 Data Protection Act (DPA)’s, but adds detail about how it should be given.
The DPA’s definition is:
“Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
Whereas, the GDPR definition is:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Unlike the DPA’s definition, the GDPR makes it clear that the indication must be unambiguous; this means the request for consent needs to be obvious and involve a clear action. The GDPR places a greater emphasis on individuals having clear choices upfront and ongoing control over their consent.
This means that instead of a one-off action, like a pre-ticked box, we will need to:
• Use very specific opt-in methods
• Be clear about our consent policy
• Maintain good records of consent
• Make it easy for people to find ways to withdraw consent should they want to
• Be open and honest about the way we record consent and where it is stored
• Have privacy notices around the Hospice and in our shops about consent
Further background to the GDPR
The GDPR was proposed by the European Commission in 2012 and agreed by the European Parliament and Council in December 2015.
It was formally adopted and published in the Official Journal of the EU in May 2016, with the publication including a two year lead time for full implementation.
Despite the vote to leave the European Union, the Government has confirmed that they will adopt it.
The main aim of GDPR is to harmonise data protection law across Europe, and to bring it up to date with technological advancements.
GDPR will mean that the Information Commissioner’s Office (ICO) will have greater enforcement powers, including the ability to issue fines for a much wider range of breaches of the regulation.
The maximum available fine will increase significantly from the current level of £500,000 to €20 million or 4% of annual global turnover, whichever is higher.
More information on GDPR can be found on the ICO’s website.