GDPR for Charities: A Beginner’s Guide
For charities, rules and regulations are already of the utmost importance. But that’s not to say the introduction of GDPR is an easy adjustment.
With the need to be extra careful with people’s data, it’s vital that charities take their data protection measures seriously.
From this comes a lot of research and responsibility. If you’re not sure where to start with GDPR for charities, this blog will outline everything you need to know when safeguarding sensitive information.
But first, let’s look at GDPR as a whole.
What is GDPR?
GDPR (General Data Protection Regulation) is legislation that came into force in May 2018. It is part of a wider data protection landscape, which also includes the Data Protection Act 2018. GDPR sets out a list of conditions that organisations must follow when handling personal data.
The legislation covers a number of actions, including:
The governing of how personal data is processed
The need for organisations to comply with the seven key principles
The ability for people to request to see the personal data held on them
The requirement for every organisation to have a written policy and procedure in place stating how they handle personal data
The legislation also states that if an organisation keeps records, it must register with the Information Commissioner. This incurs a fee; however, charities are exempt from this fee as they fall under the not-for-profit category.
What Does GDPR Mean for Charities?
From what we know so far, all organisations, including charities, must follow the GDPR guidelines.
GDPR is intended to give people control over their private data, and is based on seven key principles. These are as follows:
1. Lawfulness, Fairness and Transparency
This means all organisations must be transparent with people about how they’re collecting data.
There must always be a clear reason for this. The regulation establishes six reasons, whereby at least one must apply to an organisation. These are known as the ‘lawful bases’, covering:
Consent: where the person has given clear consent for you to process their personal data
Contract: where the processing is necessary for a contract between the person and the organisation to take place
Legal obligation: where the processing is needed to comply with the law
Vital interests: where the processing is required to protect someone’s life
Public task: where the processing contributes to performing a task on behalf of the public interest
Legitimate interests: where the processing is necessary for the legitimate interests of the organisation or a third party, unless there is a viable reason to protect the person’s personal data that overrides those interests
2. Purpose Limitation
It is essential that personal data is collected only for specified, explicit and legitimate reasons.
For this, charities must clearly define what their purposes for processing information are. Your best opportunity to outline these is in your privacy information. This way, the information is available to be perused, and you are still abiding by the legislation.
3. Integrity and Confidentiality
Under GDPR, charities and organisations alike are responsible for the security of people’s personal data. This makes it vital for charities to implement robust security measures. By doing this, you can protect against unlawful processing, accidental loss, or destruction/damage.
4. Data Minimisation
Charities should aim to collect as little data as possible, retaining only what is strictly necessary.
To follow this, you must ensure that the personal data you are collecting is:
Adequate, i.e. sufficient to properly fulfil your stated purpose
Relevant, i.e. has a logical link to that purpose
Limited, i.e. only gathering what is needed
5. Storage Limitation
Personal data should only be held for the timespan required to meet its purpose. It is recommended that reviews are done regularly to assess and delete data that has become redundant.
The only time you will ever need to keep personal data for longer is if you are using it for public interest archiving, scientific or historical research, or statistical purposes.
6. Data Accuracy
Charities should be willing to take every step necessary to ensure the data they hold is correct.
If this isn’t the case and you discover an inaccuracy in the personal data, you should either correct it, or erase it entirely.
7. Accountability
This requires charities to take responsibility for what they do with personal data and for how they comply with the other principles.
In order to fulfil this, you must have measures and records readily available to demonstrate this compliance.
Writing a Data Protection Policy
Once you get your head around GDPR, you will then be ready to write your charity’s Data Protection Policy. This is a statement that sets out how your charity protects personal data.
Essentially, it informs people of your principles, rules and guidelines, to assure your ongoing compliance with the latest law.
Writing a policy of this nature takes time. It will require thorough research and attention to detail. Plus, you want to ensure it matches your charity’s tone of voice and is sincere.
To help you map out a structure, we recommend that your policy covers your commitment to:
The seven principles
People’s rights in relation to the data you hold on them
Ensuring that lawful processing is always carried out
Minimising data collection
Making sure that staff are trained regularly
How often you’ll review the legislation, and that you’ll amend the policy if/when necessary
If you’re working with a lot of sensitive data, you will have additional formal obligations that your policy must cover. If this is the case, we advise you consult a specialist.
There are a number of other helpful resources charities can refer to:
Charity Finance Group’s General Data Protection Regulation is great for trustees, charity finance officers and data protection officers. It provides an explanation of the impacts of data protection for activities including fundraising. It also offers advice on how charities can ensure full compliance.
The ICO’s GDPR FAQs for charities is good if you have a specific question in mind. It covers everything from how to obtain data collection consent, to how to structure a data privacy notice.
At S3 Solutions, we have expertise in supporting charities with research, funding, evaluation, business planning and governance and we work collaboratively with others to provide effective support in areas such as GDPR compliance.