4

Spring Charities Newsletter Data Protection proof of consent they have obtained. Data subjects will also have the right to withdraw consent at any time. • Data Protection Officer The European General Data Protection Regulation (GDPR), the most extensive overhaul of data protection regulation in over 20 years, is now in final form after a four-year process. Data protection compliance is important for third sector organisations as most will obtain and process personal data for everyday operation. The GDPR significantly enhances the responsibilities of both data controllers and processors and non-compliance will lead to hefty fines. Accordingly, it is vital that all organisations (and particularly trustees) are aware of the GDPR reforms and approach the issue proactively. The three significant changes for the third sector include: • Consent The threshold for valid consent will increase removing the option for opt-out consent and data controllers must keep Those organisations with “core activities” that consist of (1) processing operations which require regular and systematic monitoring of data, or (2) processing of sensitive data at a large-scale, will be required to designate a Data Protection Officer (DPO). The DPO will notify the organisation of their data protection obligations, monitor compliance with obligations and will act as a point of contact for the supervisory authority. A DPO can be a current staff member with data protection expertise or a third party expert. • Pseudonymisation The GDPR encourages use of pseudonymisation (a technique of processing personal data so that it can no longer be attributed to a specific person without the use of additional information which must be kept separately) when appropriate for the protection of personal information after consideration of any risk involved. For most organisations complying with the GDPR will involve a change of practice, procedure and culture in those organisations. There is a two-year grace period for compliance with the GDPR (which will become law on 25 May 2018). Third sector organisations must begin planning now to ensure they are GPDR ready for spring 2018. In particular, organisations should take advantage of what is essentially a two-year trial period for any DPO appointed now. The ICO recently issued guidance on the steps organisations can take to prepare. MacRoberts’ team of data protection specialists can provide expertise and advice to organisations wishing to adopt this proactive approach to compliance preparation. MacRoberts’ shall shortly publish a dedicated GDPR section on its website, including a series of blogs. If you wish to receive these updates please click here. Suite Of New Procurement Legislation New procurement legislation came into force on 18th April, implementing new European procurement rules and also bringing in a national (Scottish) regime. Some key points for the third sector include: • An expanded scope to reserve contracts to ‘Supported Businesses’. The definition has changed and widened FROM organisations with aims to support employment of disabled persons whose workforce comprises 50%+ disabled TO organisations with aims to support employment of d i s a b l e d or disadvantaged persons whose workforce comprises 30%+ disabled or disadvantaged. If you are in that widened territory and provide services/supplies, 4 keep an eye on developments. • From 1st June, public bodies are to consider how their procurements can involve communities, the third sector and SMEs. Those with significant spend will, from December 2016, need to publish procurement strategies. It will be important for certain charities and social enterprises to understand such strategies and the new focus on ‘sustainable procurement’. • All public sector service/supply contracts over 50,000 are to be advertised on Public Contracts Scotland (there are exceptions) so whether a charity or a social enterprise interested in ensuring no opportunities are missed, ensure you are signed up. • There are a number of important changes relevant to procurements of social, health and care contracts. Sources of further detail at this stage include statutory guidance and renewed non-statutory guidance. MacRoberts have recently run breakfast seminars to brief clients on the changes to procurement law in Scotland. Please contact us to discuss how the changes impact you or if your organisation is interested in training. www.macroberts.com