It is important that researchers understand what the General Data Protection Regulation (GDPR) means for them and the personal data that is processed during their research. Compiled with the support of the Information Commissioner’s Office, the UKRI have provided a GDPR overview for researchers, which sets out guidance and signposts to further sources of information.
Tagged / GDPR
You will no doubt have received the emails yourself: don’t forget to opt in, click here to stay in touch, we don’t want to lose you. The General Data Protection Regulation, or GDPR, comes into force on May 25, and organisations and businesses large and small are racing to ensure the way they collect, store and use the personal data of their customers and clients meets the new, higher standards of this new European Union privacy law.
Compliance with GDPR can be costly, requiring organisations to analyse the way they work, the data they use, how it is handled and secured. Documenting how personal data is held and processed is tedious and time consuming, as is developing procedures for dealing with individuals’ requests to see the data held on them, security breaches that involve loss of data, or assessing the privacy impact of some new product or service.
To data protection authorities across the European Union, such as the UK Information Commissioner’s Office (ICO), this is just good practice – the cost of doing business in a free and open market. But what if yours is a non-profit organisation? Several UK charities have been fined for breaking existing data protection laws. Many others are acutely aware that a single penalty for non-compliance could put them out of business.
The ICO has produced guidance for charities, and reading it you might think that the challenges charities face are the same as those facing any small business. Both have limited resources, time and money to spend on ensuring compliance. Losing or misusing personal data leads to the erosion of trust, irrespective of whether those affected are paying customers or charity donors. But scratch beneath the surface and you can see how GDPR causes unique problems for small charities, particularly those that work to help society’s most vulnerable.
Duty of care
The new privacy regulations require that personal data is “processed in a manner that ensures appropriate security of the personal data”. Any security expert will tell you that perfect security is impossible, so businesses can meet this requirement by investing in security considered “good enough” to meet the duty of care to their clients and customers.
But for charities, the duty of care they have for both their vulnerable client base and their donors is so strong that a culture of cost-cutting has formed. Because charities lack the expertise to understand the risks they face, they may wrongly believe they are avoiding risks, or accept risks without understanding the implications. Ultimately, this works against charities investing in the security they actually need. A report commissioned by the UK Department for Culture Media and Sport in 2017 found this culture even led to some charities intentionally relying on out-of-date or low technology solutions. In one case, a charity was even prepared to accept the risk of damaging data losses, in the hope that their donors would be sympathetic and appreciate that, to them, cybersecurity is a luxury they cannot afford.
The new privacy regulations are built around fair treatment, but this also fails to appreciate the ethical tensions faced by charities. Under GDPR, organisations can only collect data from individuals when they have a legal basis for doing so, for example that the individual has given their consent (such as signing up for an email newsletter), or that the organisation must do so in order to comply with a legal obligation (such as banking information required to meet money laundering regulations). However, complications arise because while an individual may give consent, they may also withdraw it.
Imagine, for example, that Bob suffers from a drug addiction. In a moment of clarity, he checks into a rehab centre for help, and gives consent for the centre to collect what personal data they require. But Bob later relapses, and – to keep this information from his family – withdraws his consent and exercises his right to be forgotten, demanding that the rehab centre deletes the data on him that it holds.
The GDPR provides some discretion for processing personal data in matters of life and death, but not if Bob is capable of giving consent. And so the rehab centre faces a dilemma: it can assert Bob isn’t capable, exposing themselves to the risk of a fine should he report them to the ICO. Alternatively, they can comply and expose Bob to future risks that may threaten his health or life, and reduce or remove the information they know that might one day help save his life.
ICO guidance for not-for-profits should answer the sorts of questions regularly raised by charities. But instead it treats small charities like any other small business. The ICO claims the is information that charities want, but it is not the information they need. If guidance fails to acknowledge the risks to small charities, what incentive do charities have to invest time and money following it?
What charities need are less platitudes on what they should be doing – they already know this – and more advice on how to do it, given the very particular challenges they face. In a speech given to the charities attending the Funding and Regulatory Compliance conference last year, the information commissioner said that getting privacy right can be done, that it should be done, and she would say how it can be done. Yet as the deadline looms, charities are still waiting to hear about the “how”.
In November 2017, we were awarded funding through RKEO’s Charity Impact Acceleration fund to work help a local charity — StreetScene — prepare them for the new General Data Protection Regulation (GDPR). At the time, many charities were well aware of what GDPR was and the penalties for non-compliance. However, the guidance made available to them by the ICO was general and costly to implement in terms of time and resources. Our thoughts summarising the dilemmas faced by charities facing GDPR were recently covered by The Conversation.
Using work from her doctoral research, Jane Henriksen-Bulmer has devised a customised Data Protection Impact Assessment (DPIA) process for charities, which she is now putting into practice at StreetScene. This helps them evaluate how privacy impacts their business workflows, and the privacy risks they face.
To help other charities benefit from this work, we will be running a free GDPR for Charities workshop on June 11th at the EBC. The workshop will share the results of this work with around 50 participants who work for or with local charities, and provide hands-on training on the process and complementary design techniques and software tools that charities can put into immediate practice. We’ll also be running a panel with invited speakers to discuss the challenges that small charities face with GDPR.
Although this work is helping local charities, we hope our work leads to more debate on how everyone (and not just big business) can ‘build in’ sustainable security and privacy.
Research Professional have interviewed Sarah Dickson, Head of the Medical Research Council Regulatory Support Centre, on what researchers need to know about the GDPR (General Data Protection Regulation), which comes into force on 25th May.
Click on the RP article to find out about who is affected, what data we’re talking about, how GDPR affects you as a researcher, consent, fairness and transparency, and who you should talk to.
BU information on the GDPR can be found here.