GDPR: what's new?
The GDPR builds on the existing Data Protection Act 1998 and retains many of its features. However, the rights of individuals are strengthened significantly (e.g. your right to know what data is held about you, and your ability to control what happens to that data), and the possible fines for non-compliance are much higher: up to 20 million Euros or 4% of group worldwide turnover (whichever is greater) against both data controllers and data processors for the most serious breaches.
Your first port of call: the Information Commissioner's Office (ICO)
Whilst the GDPR applies throughout the EU, each member state has its own “supervisory authority” to ensure compliance in that state. In the UK our supervisory authority is the ICO. One of the ICO’s key roles is to publish guidance on how to implement the GDPR. At the time of writing (late 2017) some areas of guidance are still in development, so it is worth checking the ICO website regularly for new or updated guidance that may affect your business practices.
Key links on the ICO website:
Guide to the General Data Protection Regulation (GDPR)
Getting ready for GDPR: self assessment for organisations
Preparing for the GDPR: 12 steps to take now
In addition, organisations with fewer than 250 staff can call the ICO on 0303 123 1113 for advice on preparing for GDPR.
Guidance for the voluntary sector:
National Council of Voluntary Organisations (NCVO):
Information and guidance on Data Protection
Guardian Voluntary Sector Network:
GDPR: how charities should prepare for data protection changes
Guidance for the arts sector:
Voluntary Arts:
Briefing no 173, GDPR: Data Protection
ArtsProfessional:
Burden and opportunity – an article about preparing for GDPR by Live Music Now
GDPR and fundraising – everything you need to know
GDPR: How to get the job done