Charities have been assured that the General Data Protection Regulation (GDPR) will not be overly prescriptive.
According to the Direct Marketing Association (DMA), the incoming legislation does not offer fully comprehensive guidance covering every possible scenario.
Instead, it said the GDPR – which is due to be implemented in May 2018 – is a “principles-based regulation.”
John Mitchison, Head of Preference Services, Compliance and Legal at the DMA, commented: “If you’re a glass-half-empty person, you might take this to mean you’re never going to have all the answers. If you’re more of a glass-half-full person, you’ll see this as giving you flexibility: you make the judgements yourself on how to do it and the way you do it is through the process of accountability.”
Mr Mitchison said this means charities will have to make their own decisions about how best to comply with the new legislation.
Indeed, he argued there are “just too many variations” on what people do to implement a prescriptive rule on how to act in every situation.
He went on to state that simply complying with the GDPR is not the only requirement, as charities must also be able to demonstrate their compliance.
Mr Mitchison said this means they need to implement technical and organisational measures to ensure they have evidence they can present.
This, he stated, could be supported by training programmes, policies and audits, so everyone knows what to do if they are asked to show how they are complying with the new law.
Mr Mitchison said there are ultimately “no definitive answers” on how they can comply, as they have make to choices and ensure they have an accountability process in place.
However, he assured charities that if they can do this, “the chances are you’re going to be doing all right.”
No definitive way to deal with the GDPR says Direct Marketing Association, Third Sector
