As of May 2018, any type of personal data held by charities will be affected by the new GDPR legislation. As such, all charities will need to rethink their current procedures and practices. The personal data in question could be anything from employee and volunteer records, donors’ personal or financial information, or simply data held on users and members. The fundraising data itself could prove problematic for charities, as explicit consent will be required to retain current records. Because of this, third sector organisations might initially see a reduction in the number of donors to which they have access. However, in some cases this could lead to a better quality database going forward – the remaining data is likely to be made up of donors who are generally more engaged, and therefore more willing to support the charity.
There are a variety of ways in which the third sector can prepare for this significant regulation change. Below is an overview of the five key actions you may wish to consider in preparation:
Although a data audit is not specifically required under the GDPR, it is essential that you have a comprehensive understanding of the data your charity already holds. Audits are a great way of outlining whether or not your existing data will be compliant under the new GDPR legislation. By auditing your existing practices you will gain a clear picture of the areas you may need to look into and improve.
It is essential to establish the key people or employees within your charity and their direct responsibilities around GDPR. Who will be responsible for implementing the GDPR policy? Who is required to follow those policies as part of their job? Are your trustees on board? You may need a designated Data Protection Officer, or a GDPR consultant. As part of the accountability requirement you will also need to make sure that everyone across the organisation is aware of what they need to do.
It is essential that all employees and regular volunteers have knowledge of GDPR. Depending on the individual roles within your organisation, formal training may also be required. As well as understanding GDPR, your staff will also need to know how your charity’s specific internal processes will be affected by the forthcoming changes.
This is one of the biggest elements of GDPR. You must now have what is known as a lawful basis for collecting and processing an individual’s data. The full details of what constitutes a lawful basis can be found in official EU guidelines, but examples include processing that is necessary to comply with another law, processing that is necessary to carry out a service requested by the individual, or processing for which you have the individual’s explicit consent. As a result, you will now need to consider whether your charity has a lawful basis for collecting the information it currently requests. This will need to be set out in a policy going forward.
A major aspect of lawfully processing data is consent. It is critical that your charity has a comprehensive policy and procedure in place, for both gaining consent in the first place and storing a record of it afterwards. It is expected that the majority of GDPR fines will first be directed at organisations which fail to gain consent for their information processing activities, so planning ahead now in anticipation of the GDPR should be of utmost importance. It is also important to note that children are covered by the GDPR. As they cannot legally give their own consent to having their data collected or processed themselves, charities must receive consent from their parent or guardian instead. However, charities set up to protect children, such as Childline for example, can avoid having to request this consent – as they have been set up exclusively to protect and counsel children.
Virtual College has a range of free GDPR resources, including a downloadable infographic and an interactive game, as well as our free overview course designed to give an introduction to GDPR and to help you gain a basic understanding. We also offer a fully comprehensive GDPR course. Sign up to our free overview.