The General Data Protection Regulation (GDPR) represents a major shift in the way organisations are allowed to process personal data. There has been a huge amount of press coverage of the burden on small businesses to comply with the regulation, but the impact on the charitable sector is often forgotten. Any organisation that processes personal data relating to individuals in the EU is affected (the test is where the data subjects are, not their citizenship), and there is no “charitable” exemption from GDPR compliance. From the impact on sending marketing and fundraising information to existing and potential donors, to how you hold personal data about your beneficiaries, volunteers, trustees and employees, the regulation has far-reaching implications.
Although most charities are likely to have heard about GDPR, there is a significant amount of confusion about what organisations need to do to comply. Trustees are understandably concerned about their position if their charity is found to be breaching the regulation.
And there is a lot at stake. Any charity found not to be complying could suffer fines and damage to its reputation, which will make fundraising, in an already difficult climate, even harder. The Charity Commission is likely to take an interest in those charities that consistently fall significantly below the GDPR standard of compliance.
The regulation became enforceable from 25 May 2018, but it is important not to panic if your charity has not yet completed its GDPR compliance programme. The Information Commissioner’s Office (ICO) has recently stated that GDPR compliance should be seen as an ongoing journey rather than a race ending on 25 May. It has made it clear that those who self-report, who engage with the ICO to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into consideration when it considers any regulatory action. While this offers some comfort to those who have not yet completed their journey to compliance, it is important not to lose the impetus to move forward with GDPR now that 25 May has passed.
Roadmap to GDPR compliance
For most organisations GDPR compliance will take some time to achieve; there is no quick fix. As a general roadmap, charities should consider taking the following steps:
- Conduct a data mapping exercise – identify what you hold, where it sits, how it is used, etc
- Identify the lawful basis for each processing activity (consent is only one of several bases) and obtain consent where consent is the basis you rely on and it is lacking or does not meet the GDPR standard
- Review agreements with third parties who have access to data (such as marketing companies, email hosting companies, payroll providers etc), re-negotiate these or find another supplier if appropriate
- Ensure your client-facing agreements, employment contracts, policies etc are updated and are compliant
- Consider deleting data that cannot be cleansed to make it compliant
- Pay particular attention to the special categories of personal data (such as health information about employees, volunteers and beneficiaries). This should be a particular concern for those charities whose charitable purpose involves handling such data about their beneficiaries on a day-to-day basis. GDPR applies a much higher standard to special category data, including the need for an additional condition for processing it
- Ensure staff, volunteers and trustees are trained
- Ensure that you have a breach policy (personal data breaches need to be reported to the ICO within 72 hours of the charity becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and the policy should say who decides this and on what basis). It is essential that the charity fosters a culture where people feel comfortable reporting breaches promptly
- Have a central point of contact within the organisation who understands data protection and can deal with queries as they arise. Be prepared to receive subject access requests and have a policy in place to handle such requests within the statutory one-month deadline
- Ensure that all new projects (including software, new fundraising campaigns, use of third-party suppliers, etc) are built with “privacy by design”. This needs to be documented in the same way that you would record a health and safety assessment, and where the processing is likely to be high risk it requires a formal data protection impact assessment (DPIA)
It is important to remember that GDPR compliance is not another box-ticking exercise, and that a GDPR compliance programme needs to be embedded into an organisation if it is to be successful.