What is GDPR?

The General Data Protection Regulation (GDPR) is a set of EU regulations that will be enforceable from 25th May 2018. It supersedes the Data Protection Act, which is a law that will be reissued this year as the DPA 2018.

It is designed to both strengthen and harmonise data protection across EU member states, and is directly applicable to all organisations ‘established’ in the EU, irrespective of whether the actual data processing takes place in the EU or not. Even if not established in an EU country, certain organisations with substantial activities in the EU will need to comply with GDPR. Please refer to Blackbaud’s infographic Could You Be Subject to GDPR? for further guidance on whether or not GDPR may apply to your organisation.

Such organisations that are subject to GDPR and collect, store or process personal data must comply with GDPR’s Data Protection Principles and other conditions of processing. New obligations on data controllers include expanded data subject rights, mandatory data breach notification, an enhanced focus on accountability and the appointment of Data Protection Officers. Personal data must still be processed fairly and lawfully, justified by one of six legal bases that have remained substantially similar between the Data Protection Act and GDPR, including with the data subject’s consent.

Arguably the most significant change, however, is the requirement that a data subject’s consent to process their data must now be ‘unambiguous’ and given via a ‘clear, affirmative action’. The penalties are also set to change, standing at a maximum of €20,000,000 or 4% of global revenue; whichever is higher.

Undoubtedly, therefore, GDPR requires organisations processing personal data to implement significant operational reform. For a more in-depth discussion of GDPR’s operational effects, please read Blackbaud’s datasheet Important Impacts of GDPR.

JustGiving is implementing these product changes to help charities in achieving this reform. We have also created a GDPR hub, where we have compiled a roundup of charity resources, webinars and events, in order to get your charity ready for GDPR.

Can JustGiving sign our data protection addendum containing terms for data processors, as required by GDPR?

JustGiving actually does not act as a data processor in its relationship with our charity partners. JustGiving is a controller with respect to its users’ data and when we pass users’ information to charities via charity reporting, the charity also becomes a controller with respect to that data. In this way, each of JG and the charity are data controllers. As such, we don’t sign DPAs with processor requirements in them. You can read more about our relationship with charity partners in the “How Do Charity Partners Use My Data” section of our new privacy policy. Note that each of us is a controller; we are not joint controllers. Joint controllers decide, together, the purposes and means of processing. In our situation, each of JustGiving and the charity partner decide, for themselves, how to use the data and are responsible for their own compliance with applicable data protection laws.

Nothing in this FAQ should be construed as legal advice or a legal opinion on any specific facts or circumstances.