A top lawyer has urged Bath’s not-for-profit organisations to embrace the new General Data Protection Regulation (GDPR) as an opportunity to strengthen existing relationships and improve the way they are run.
Graeme Fearon, intellectual property partner at West law firm Thrings – which has an office in Bath – believes while the new rules are challenging they also offer opportunities. 
He outlined his views at a gathering of charities and tech companies in Bath on GDPR and Data Protection organised by Tech for Good Bath.
The GDPR introduces new obligations and rights as well as increased enforcement powers. “Whatever the type of organisation, if you hold personal data of any kind, including about employees, then the GDPR will apply to you,” warned Graeme, pictured.
“There is no denying that the GDPR means an overhaul of data processing and storage for organisations, he said.
“That comes at a cost in terms of time and resources – but it needn’t be massive, and where there are challenges there are also opportunities.
“It’s an opportunity to spring clean your data and relationships and strengthen trust in your organisation. If you grasp the opportunity to modernise your processes, you could also become more efficient and effective – what organisation doesn’t want that?”
Compared to the Data Protection Act (DPA), the GDPR means enhanced protection of data and an increased number of rights for those people whose data is held.
Of paramount importance is the need to have a legal basis for processing personal data, whether in the form of a contract with the person, a legal obligation imposed on a business, or consent.
Accountability is another key factor which Graeme highlighted at the meet-up, with internal policies and processes needing to be implemented, applied and constantly reviewed.
Also presenting at the event was St John’s Foundation, the Bath independent living charity.
Tech for Good Bath organiser Annie Legge, who is also co-founder of The Dot Project – which supports organisations to achieve social impact through the use of technology – said: “This was a thoroughly informative evening for our network, bringing together the legal knowledge from Thrings through to St John’s Foundation sharing their own journey to embedding GDPR into their culture and values.
“We have to make the subject of data protection accessible and not overwhelming for non-profit organisations, to see their legal responsibility as an opportunity to build trust. As Graham stated, ‘If you are dealing with people, you are dealing with data protection. This is about the human rights of the individual’.
Although sanctions for non-compliance include monetary penalties of up to 4% of worldwide annual turnover or €20m, enforcement is more likely to involve investigative, corrective and advisory actions for any organisation that can demonstrate it has been acting in a reasonable and responsible manner.
The new European regulation comes into force on May 25 next year with the UK Data Protection Bill implementing it into UK domestic law after Brexit.
Tech for Good is part of the wider international TechSoup and Net2 initiatives that bring together non-profits, activists, tech leaders and funders interested in using technology for social change.
More information on the new rules can be found in Thrings’ A No Nonsense Guide To GDPR, downloadable here.
