If your charity has directors, workers, grantors, contributors, or a marketing strategy, you are most likely subject to start complying with GDPR. GDPR compliance is critical not just for respecting the rights of data subjects and avoiding fines of up to €20 million or 4% of an organisation's annual revenue but also for maintaining the trust of funders, stakeholders, and those to whom you provide a service.
GDPR has significant implications for charities, especially regarding data on your clients, donors, and employees or volunteers. Each group has its own set of privacy concerns, which must be addressed in your data handling procedures and security measures.
Table of Contents
- What is GDPR?
- Understanding the people's rights under the UK GDPR
- What 7 principles of GDPR are important to keep in mind?
- Understanding the basics of GDPR for charities
- Who are data processors and controllers in charities?
- Third Parties: Data Protection Officers
- How does the GDPR affect your charity?
- Protecting Personal Data under GDPR for Charities
- What is Legitimate Interest?
- Three-part test of legitimate interest
- What happens if a charity is not GDPR Compliant?
- GDPR Special considerations for charities
- Conclusion
What is GDPR?
The GDPR took effect on the 25th of May, 2018, across all of the European Union. It regulates how any organisation, including charities, should handle data and is at the core of Europe's digital privacy legislation.
Although it began as a European Union law, it was incorporated into the UK’s data protection law after the completion of the Brexit transition period. It is essentially legislation that protects EU and UK citizens' personal data while also affecting charities that deal with such data. These laws will apply if your charity requests, receives, or stores personal data from EU and UK residents.
GDPR is not just a legal requirement. Instead, it also gives charities the opportunity to gain people's trust and confidence, become more resilient as an organisation, and leverage more value from their data. If you want to learn more about the impact of UK GDPR on small businesses in general, check out our complete guide on UK GDPR for small businesses.
While the ICO (Information Commissioner's Office) is the GDPR's regulator in the UK, charities are treated the same as any other organisation since, while not collecting personal data for profit, they are still prone to data breaches and privacy violations.
Understanding the people's rights under the UK GDPR
Under the UK GDPR, data subjects have the right to inquire about how their personal data is being used, processed, and stored by public bodies and other private organisations such as your charity.
These rights include their ability to:
- Receive information on how their personal data is being used
- Access their personal data
- Update any incorrect or inaccurate personal data
- Request erasure of any data you have on them
- Stop or restrict the processing of their personal data
- Allow them to receive or transmit their data
- Object to how you may process their data
They also have right to object if you use their data for any of the following purposes:
- Automated decision-making (without human involvement)
- Profiling that can be used to forecast their behaviour or interests.
What seven principles of GDPR are important to keep in mind?
The GDPR is centred around seven principles and is designed to give individuals control over their personal data.
- Lawfulness, Fairness, and Transparency:
- All organisations must be open and honest with individuals about how they collect and process personal data.
- Purpose Limitation:
- Personal data can only be used for certain purposes that are explicitly defined.
- Integrity and Confidentiality:
- Organisations are accountable for the protection of personal data. Illegal processing, loss, or destruction/damage of data are all threats that must be looked into carefully.
- Data Minimisation:
- Organisations should gather as little data as possible, keeping just the data that is absolutely essential for their operations. All data collected and kept should be sufficient, relevant, and confined to a single purpose.
- Storage Limitation:
- Data is beneficial to charities for a number of reasons, but only if it is relevant and of good quality. Personal data should not be stored for longer than you need it.
- Data Accuracy:
- Organisations should take all reasonable steps to ensure that people's personal data is accurate and should not hesitate to remove or correct data if it is inaccurate.
- Accountability:
- GDPR compliance is the responsibility of organisations, and they must be able to clearly evidence their compliance with applicable requirements.
Understanding the basics of GDPR for Charities
Although the GDPR may appear overwhelming at first, particularly for smaller charities without a DPO (data protection officer), it can be easy to comply with if you prepare the right policies and procedures. Keep reading for some examples of how to work towards making your charity GDPR-compliant:
- Get consent:
- Give people a clear choice of what data they are giving you, and provide an easy way for them to withdraw their consent. Be transparent and concise, as it can go a long way to improving trust in charities.
- Communicate purpose:
- Make it clear why you are gathering information. Be completely transparent about how your company manages data, whether for operational or marketing purposes.
- Keep data secure:
- Personal data should only be accessible to those who need it for a valid reason. Protect important data sets and documents by using strong passwords and secure processes such as encryption protection.
- Document records:
- Every step taken to comply with GDPR should be documented and updated on a regular basis. These documents will show that your data protection policies and processes are compliant with current regulations in the case of a breach.
- Every step taken to comply with GDPR should be documented and updated on a regular basis. These documents will show that your data protection policies and processes are compliant with current regulations in the case of a breach.
Who are data processors and controllers in charities?
Any organisation that processes data and is responsible for establishing how and why that data will be processed is referred to as a data controller. A data processor is an organisation tasked with processing data on behalf of a data controller.
GDPR applies to you if you process personal data, even if you are a charity or non-profit organisation. Personal data about your workers, clients, suppliers, or people who donate to you may all be found in your database. GDPR makes it your legal responsibility to respect and secure the data you process.
The charity could either process some or all of this data internally, making it both a controller and a processor, or it may engage a third party to do so.
The data controller remains responsible for GDPR compliance in any case and must be satisfied that third parties have sufficient data protection measures in place.
The data controller and processor should agree on how data is going to be processed and safeguarded in writing. Should a third party experience a breach as a result of a violation of one of these conditions, this contract will outline the next steps and notification responsibilities.
Third Parties: Data Protection Officers
A DPO is an independent specialist who is in charge of supervising an organisation's data protection practises.
If you are a public authority or organisation that regularly and systematically monitors data subjects, or if you process special categories of personal data on a large scale, you must designate one.
Many experts suggest appointing a DPO because of the various advantages it may bring, such as the capacity to interact efficiently and compliantly with data subjects and supervisory authorities.
You have the option of hiring an internal or external DPO. DataGuard can assist you in achieving GDPR compliance by acting as your external DPO.
How does the GDPR affect your Charity?
All organisations that might be classified as data controllers and processors are subject to the law; this includes charities and not-for-profit organisations.
GDPR will apply to any personal data you collect and store on your users, donors, employees, and volunteers. We recommend that any organisation, not just nonprofits, start their GDPR compliance journey by knowing the personal data they process.
If you store someone's data, you will need to provide reasons as to why you do so. For example, if you have someone's full name and address, can you explain why you have it? Though you may have enough reason for needing to store their full name, you may have to state further in detail as to why you would want their residential address. You must state your lawful basis for processing data under GDPR.
Protecting Personal Data under GDPR for Charities
After you have identified the current state of the personal data you process, you may need to consider the steps you will take to achieve GDPR compliance. To ensure that you are processing personal data legally, you would need to implement a number of different processes and rules.
You will also need to make sure that the personal data you're working with is secure. If you choose to keep an individual's personal data, you accept responsibility for it and must protect it. You must take steps to safeguard and secure the data you process.
What is Legitimate Interest?
The concept of 'legitimate interest' in data processing is essential to GDPR. According to the ICO, charities and other organisations have a legal obligation to handle personal data in a lawful, fair, and transparent manner.
The ICO points out that 'legitimate interest' is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
Three-part test of Legitimate Interest
Legitimate interest includes a three-part test to make sure that organisations such as charities are processing data in accordance with the law.
When determining the validity of data processing, the ICO suggests asking the following three questions:
-
Is there a reason to process the data in the first place?
-
Is data processing required for that purpose?
-
Is the legitimate interest at odds with the individual's interests, rights, or freedoms?
Charities must provide evidence that they have a clear and specific benefit or result in mind when documenting their 'legitimate interest' in processing personal data. Charities should define their unique goal, such as having a genuine interest in marketing their brand or running a fundraising initiative.
GDPR applies to all organisations, no matter how big or small they are or what industry they operate in. If you work for a charity that generates funds and accepts donations from the general public, it can be beneficial to know the answers to the following questions:
- What are my obligations when it comes to managing donors' personal data?
- What is the best way to contact donors, and when should I do so?
- Is it necessary for me to get consent for every communication?
- What policies and procedures do we need to implement?
What happens if a charity is not GDPR compliant?
If an organisation, even a charity or a nonprofit, is found to be in violation of the GDPR, they may face harsh penalties. Organisations found to be non-compliant with the GDPR risk fines of up to 4% of their annual global sales or €4 Million, whichever is larger.
If you have a data breach that has a negative impact on a data subject, you may be required to notify the ICO within 72 hours of becoming aware of the incident.
GDPR special considerations for Charities
Despite the fact that charities are subject to the same GDPR regulations as any other organisation, some special considerations may apply.
One example is the processing of personal data on minors. According to the regulation, organisations cannot lawfully get consent from children under a certain age and must instead seek the consent of a person with "parental responsibility."
This rule, however, does not generally apply to counselling services provided directly to a minor. This includes any type of charity that aids minors' mental or physical well-being.
Organisations with less than 250 employees may also be excluded from some paperwork obligations under the GDPR. If your charity meets this set of criteria, you only need to document processing activities that:
- Are not just a one-time occurrence or something you rarely do;
- Are likely to place data subjects' rights and freedoms in danger or
- Particular kinds of personal data, as well as criminal conviction and offence data, are involved.
Depending on the sort of data that charities process, there are a number of different exemptions that may apply to them. The ICO's website has a complete list of them.
Conclusion
DataGuard assists businesses with subjects such as privacy by design and default, data transfers with third-party service providers, and erasure principles for all tools.
With the proper legal assistance on data protection for your charity, you can avoid not just financial fines but also reputational damage. Get in touch with one of our experts.
Overview of mandatory documents for UK GDPR
Are you feeling overwhelmed with the GDPR compliance for your charity? Take a look at our comprehensive but simple checklist of crucial documents required for UK GDPR compliance. Get your copy now and concentrate on what you do best - making a difference!
Get you free guide!