The GDPR and the charity sector
What is the GDPR?
You may have heard this acronym being bandied about. It means the General Data Protection Regulation and is intended as a legal framework for data protection within the EU. It will actively apply to the UK as of May 2018 and will legally impact all organisations who hold data as part of their operation. This includes charities, fundraising agencies and databases. So the legislation will have a significant impact on the charity and not-for-profit sector.
Luckily, we’ve provided an overview of the GDPR and how it will affect the charity sector. You can also find further reading if you need to know more.
What does this mean for data protection? Our charity already complies with all regulations.
In many ways, the point of the GDPR is to ensure data “controllers and processors” (you may not feel this is what you are if you operate or use a donor database, but it is exactly what you are according to the GDPR) do more than just comply. It is a significant regulatory document, not just a checklist. It is intended to protect the rights and freedoms of the individuals whose information you hold.
Any existing UK regulation will be replaced by the new GDPR policy. It is quite extensive but will be fully expected to be adopted by charities.
The key concepts:
- Increased Scope: The GDPR will apply to all organisations who hold and process personal data in the EU: “regardless of whether the processing takes place in the EU or not.” This removes previous loopholes and ensures compliance.
- Harsher Penalties: The maximum fine for violation of the policy can be up to 4% of annual turnover.
- Strengthened consent requirements: Clear and concise terms and conditions must be presented to the “data subject” the purpose of an organisation’s use of data must also be explained.
Increased rights for the “data subject.”
- Breach notification: The relevant authorities must be notified of a data breach within 72 hours.
- Access rights: Individuals whose data is held can request to see that information and is entitled to be informed why their information is processed and where it is done.
- Right to be forgotten: An individual has the right to have their data permanently erased. This will also apply to third parties and does not require a formal withdrawal of consent.
- Data portability: An individual has the right to see any data held about them. However, this must be presented in clear and readable terms.
- Privacy: “Privacy by design” requires that data protection is considered as part of a system’s core design rather than being added on.
- Data protection officer: Larger multinational organisations must appoint a data protection officer who will have significant knowledge of data protection issues and maintain internal records.
A good way to think about all this is to consider the GDPR as continually urging you to examine the justification as to why you hold personal data and also what you do with it. If an organisation cannot clearly answer these questions, they will need to consider removing the data they hold. Being asked to remove irrelevant data can and will apply to the charity sector.
How will the GDPR impact the charity sector?
Fundraising professionals and those working with or supporting fundraisers will need to ensure all donor information complies with GDPR regulations. The GDPR is applied to (its own wording) all “controllers and processors” so any charity which holds or organises data, will need to ensure that all employees and volunteers are aware of and trained to deal with data protection. It be will your obligation to protect the personal information of your donors.
Charities need to be aware that no significant exemptions will apply to them. Regardless of how we feel about this, it does means that no additional legal protections will apply to those who fail in their data protection duties. This may have positive and negative impacts, though it may curb breaches. Recently, there have been high profile failings from charities to store data securely. Other notable cases have included the non-consensual sharing of data and seeming harassment of those on certain donor databases.
What the charity sector needs to do is ensure that individuals are always informed when their data is shared, told where and why. If you do share information, then keep in mind that consent to share data must be explicitly gained. Furthermore, when asked, a charity must be prepared to justify any actions they perform with donor data and remove it if necessary.
Will it apply after Brexit?
Yes! All legislation included in the GDPR will be translated into UK law. All data-holdings organisations in the UK will need to comply with these regulations regardless of the brexit outcome. So it is good idea to begin preparations now. The potential consequences of non-compliance will not be relaxed for charitable organisations. The possibility of losing data permanently exists for anyone. The ramifications of this for donor databases and other such services could be potentially devastating. So do prepare, but don’t be too concerned, if you are open, transparent and consensual about your data use already then there won’t be too much work to do.
The Institute of Fundraising have released a guide covering GDPR essentials for fundraising organisations. Which may be useful for charities concerned as to how this will affect their practice.
If you’re a real data-protection buff, then have a look at the official page for further information. Additionally the ICO have produced as series of blogs about charities and the GDPR. You can also ask questions about the GDPR on CharityConnect.