The General Data Protection Regulation (GDPR) came into force on 25 May 2018, replacing the Data Protection Act 1998 (in the UK it is supplemented by the Data Protection Act 2018). It strengthens privacy rights for individuals while increasing the obligations of organisations that handle the personal data of people in the UK and the rest of the EU.
This has weighty implications for charities, since personal data is a business-critical asset in terms of supporters and fund-raising groups, service users, staff and volunteers.
Charities now need to ensure that they are fully GDPR compliant to avoid the wrath of the Information Commissioner’s Office (ICO).
Unfortunately, charities often fall foul of data protection regulations and enforcement action incurs financial and reputational losses.
The maximum penalty for a serious breach of the GDPR is a fine of €20 million (roughly £17 million at the time of writing) or four per cent of annual worldwide turnover, whichever is higher. There is no exemption for charities handling personal data. What’s more, individuals can also claim compensation from charities that mishandle their personal data.
Information Commissioner Elizabeth Denham, responsible for upholding information rights for UK citizens, said: “No charity wants to alienate their donors. And we acknowledge the role charities play in the fabric of British society. But charities must follow the law.”
A major concern for charities handling personal data is that consent is frequently their lawful basis for processing, particularly when it comes to fundraising communications. The ICO treats these communications as direct marketing, since they promote the aims and objectives of the charity. Under the GDPR, the rules for obtaining and maintaining valid consent are much stricter. For example, pre-ticked boxes no longer count as consent, and old consents that do not meet the GDPR standard cannot be relied on to keep emailing inactive contacts in your database.
Instead, consent must be freely given, specific, informed and unambiguous, and it must be obtained for each distinct processing activity. For example, you can’t assume that because someone has consented to emails about an event, you can then send them your newsletter or email them about future projects. Charities handling personal data will have to be explicit and unambiguous about how they plan to use it. And they’ll have to make it as easy for people to withdraw consent as it was to give it.
To demonstrate GDPR compliance, charities will have to produce a GDPR data protection policy. This is a high-level document that sets principles, rather than details, of how, what and when things should be done.
A data protection policy must be capable of implementation and enforcement, it must be concise and easy to understand, and allow for balance between protection and productivity.
A charity’s data protection policy should include, for example, instructions for staff involved in collecting personal data, specifying that they collect only the minimum required for the stated purpose.
Charities are also responsible for making sure any third-party data processors – such as a direct marketing agency, database provider or payroll company – are also GDPR compliant in their handling of personal data under the new data protection regime.
So, in order to be compliant under the GDPR, charities will need to review their third-party contracts and make sure they reflect the new data protection regulation. For example, they’ll need to include clauses such as a duty of confidentiality on staff and no sub-contracting without the charity’s consent.
The GDPR also introduces new rules for charities that experience a data breach or data loss. From 25 May 2018, charities must report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the risk to individuals is likely to be high, charities must also inform the affected individuals without undue delay, describing the likely consequences, the steps they are taking to handle the situation and what the individuals can do to protect themselves.
At worst, failure to report a data breach can result in a fine of €10 million or two per cent of annual worldwide turnover, whichever is higher.
The ‘right to be forgotten’ principle is also extended under the GDPR, allowing people to ask charities to delete the personal data they hold on them. This could happen, for example, when there is no longer a need for a charity to hold their data, if they object to it, or if it’s unlawful.
Charities will no longer be able to charge a fee for Subject Access Requests (SARs) in most cases, which could lead to a rise in requests. Further, they must respond to SARs within one month (extendable by up to two further months only for complex or numerous requests), which will put systems and processes under pressure. We advise charities to carry out Data Protection Impact Assessments (DPIAs) on their processing and, as part of that, to check that their systems and processes can locate, export and erase an individual’s data in time to meet SARs or deletion requests.
Me Learning’s dedicated charities team offers free course materials and exceptional discounts on our flexible, online GDPR e-training. This includes free GDPR training for three Board members and a discounted family of offers for everyone across the business, from executives to retail managers to fundraisers.