John Simcock: Why the EU General Data Protection Regulation will change charities' relationships with IT suppliers

What you're going to need to organise with your IT supplier by 2018

John Simcock

Unless you’ve been living under a rock, you can’t really have missed the arrival of the new EU General Data Protection Regulation, which tightens up the rules on privacy and consent. Indeed, much has already been written on the new regulation and how it will affect charities – especially in terms of how it might negatively affect fundraising activity.

There’s also the impact on IT to consider. The existing consensus is that in-house IT departments are facing a huge task auditing legacy data to find out where it all is and what will need to be done to make sure they can use it.

This is well known – at least, it should be. However, what’s so far been less well documented is how the new regulation will affect your relationships with IT suppliers. It’s an important area to explore because, right now, do you really know who is going to be most responsible for complying with the new regulation? You? Your supplier? Both?

As a supplier ourselves, this is something we’ve been thinking about a lot at Eduserv over recent months. And believe me there’s more to this than first meets the eye. To help you manage your relationships with your own suppliers, and to assess how those relationships are going to need to change, we thought it would be worth sharing our conclusions on some of the key points so far.

Working out lines of responsibility

The first consideration you need to be aware of is that by enhancing the rights of data subjects, the GDPR not only increases the responsibilities for data "controllers" (ie you, the charity), but also does so for data processors (ie your IT service provider).

Before the GDPR, a service provider was required to process data in accordance only with the customer’s requirements. That means your service provider didn’t need to know about the characteristics of the data involved. Under the GDPR, however, both controllers and processors are under a similar duty to ensure that the regulations are properly implemented.

So what does this mean for how you manage your suppliers and contracts? Will you end up getting more help and support in your data-protection efforts, or is there a danger that responsibilities will fall between two stools if arrangements aren’t managed correctly? There’s no one clear answer to this, because it will depend on the nature of the relationship you already have with your supplier. But one thing’s for sure – it’s something you need to start thinking about and nailing down sooner rather than later.

Managing consents

The issue of consent is perhaps the most talked-about element of the GDPR in charity circles. The regulation stipulates that data subjects must give their explicit and "informed" consent for their data to be processed ("informed" means the subject is made aware of how their information is protected, what it’s used for and what the risks are).


This is a big change for fundraising, but it will also affect the way you work with an IT provider. In this new world, for example, you will need to notify all IT suppliers that all consents have been obtained, even for legacy data. Suppliers, on the other hand, will need to tell you about the operational measures they implement to protect privacy, so you can make sure consent is genuinely informed. In other words, you’re going to need to create a new and workable consents process between you and your suppliers. Ultimately, this process will need to become business-as-usual.

Privacy, deadlines and contracts

There are several operational aspects to consider and iron out. Privacy impact assessments, for example, will need to be done as a norm for all services. That information will then need to be shared with your suppliers. At Eduserv we’re acutely aware that we don’t get enough visibility of assessments that are conducted by our customers, so this is another process that’s going to need to be added and built in to business as usual.

The GDPR also introduces more rigorous monitoring and reporting regimes, including strict time limits for reporting any significant security incidents to the Information Commissioner’s Office. In practice, this obligation falls primarily on the processor, so you will need to make sure you’re comfortable with your supplier’s proposed ways of dealing with it.

In addition, contracts will need to be reviewed and changes will probably need to be made so that both parties comply with the regulations. If you haven’t thought about doing this already, it might be worth bringing it forward before serious work is undertaken without either party knowing what their true responsibilities are.

All in all, this restructuring of your relationship – which we’ve only started to touch upon in the space allowed here – is going to require a lot of work. And although 2018 might seem a while off right now, it is a short deadline that doesn’t leave much time to address all the things you need to think about. My recommendation is that you start talking to your suppliers and start planning for the change now.

John Simcock is director of charities and third sector at Eduserv, a not-for-profit provider of IT, digital and web development services
