GDPR and charities: What you and your NGO need to know - by Grant Robertson

(Image credit: Convert GDPR) The 25th May might be long gone but GDPR and your charity still exist. Therefore, so does your need to be compliant. Compliance isn’t going to be a straightforward process and burying your head in the sand isn’t going to solve it. Read on to see the 12 key elements that you should be focusing on now to move forward.

Image credit: Convert GDPR

The 25th May might be long gone but GDPR and your charity still exist. Therefore, so does your need to be compliant. Compliance isn’t going to be a straightforward process and burying your head in the sand isn’t going to solve it. Read on to see the 12 key elements that you should be focusing on now to move forward.

Awareness – What do you need to know about GDPR and charities?

As a charity you need to be aware of how you use data, how you store data and what data you hold.

The days of being able to hold onto any information you obtain are gone. It doesn’t matter how you obtain the data or when you obtained it, all personal data that you hold on anybody is now subject to these new laws.

The impact of GDPR will be noticeable in your everyday working but shouldn’t adversely affect your models and processes, as long as you put the important safety checks, procedures and discussions in place.

Information Audit - Documenting the data that you hold

Holding onto a data trail and ensuring clarity should be one of your key priorities. In order to do this, you need to think about what data you hold as a charity. This data can be found in places you might not immediately think of, therefore being thorough is important.

You should create an information audit spreadsheet and note all the various data that you hold in order to create a database including what you hold and where it is held. If a new type of data is obtained it should be routinely added to this audit.

The reason you do this is so that in the event of a security breach the data trail can be quickly assessed and analysed.

Conducting Privacy Impact Assessments

Privacy impact assessments should be carried out whenever data is going to be used in a new project. Think of it like a risk assessment for data use. A very helpful document is the ICO’s (Information Commissioner’s Office) document outlining the code of practice. This is a length document which will take some reading but gives an in depth understanding of the requirements needed when carrying out a privacy impact assessment (PIA).

A PIA could be carried out to assess how you, as an organisation, can ensure you comply with your data protection policies. Not every organisation may need to carry out a PIA but understanding the process should be part of your practice. Any newly completed PIA should be stored in a central GDPR file.

Privacy Policy - Informing everyone of your processes

An important part of the GDPR is to enable clarity of your procedures and data handling. In order to keep your position clear and manageable a privacy policy should be put in place, or at least updated to include GDPR guidance. This ensures that when you deal with data you follow a particular method. This is both to protect you, as a charitable organisation, and the supporters that you work with.

The policy itself should include;

• Your intended use of the data collected

• Your lawful basis for keeping people’s data

• How long you retain the data for

• How an individual might be able to complain to the ICO

This policy should be made available both in house and on your website. It must always be available to anyone who requests to see it.

Rights - Individual’s data rights within your charities and GDPR

The GDPR includes the following rights for individuals regarding their data;

• the right to be informed;

• the right of access;

• the right to rectification;

• the right to erasure;

• the right to restrict processing;

• the right to data portability;

• the right to object; and

• the right not to be subject to automated decision-making including profiling.

These rights, more or less, exist already through the Data Protection Act but are now significantly enhanced.

In order to comply with these newer, more powerful rights you need to have certain questions answered.

How do you react if someone wants their data deleted?

Do your systems support you to find data quickly to enable full deletion?

Who makes the deletion decisions?

In theory you electronic and database records should allow the majority of these questions to be answered quickly. The ultimate decision for data requests and deletion lies with the Data Protection Lead or Officer. It may not be appropriate to appoint an official Data Protection Officer as this title comes with legal responsibilities. Seek ICO guidance if you are unsure.

Subject Access Requests - When someone requests data

The key changes since GDPR are that now your organisation;

• cannot charge for data requests

• now have 1 month to comply

• can possibly refuse excessive or manifestly unfounded requests

• can refuse requests but that individual has the right to know why and you must inform them of their right to complain to the supervisory authority (ICO). This must happen within 1 month.

Lawful Basis for Processing Personal Data - Practical Implications

Now that the GDPR is in place individuals’ rights have increased as mentioned in the previous section.

Your organisation must have a lawful basis to process people’s data. The ICO has provided explanations of what different legal bases there are and how they can apply. We strongly suggest that you read through their guidance and consider your organisations legal basis. People still have the right to know why and how you use their data, as referenced in the last section. Once you have settled on your legal bases then they should be documented and kept in a central file.

Consent - The rules of being able to keep people’s data.

Consent has been clarified with the GDPR. It must be;

• Explicit

• Clear

• Prominent

• Specific

• Opt-in

• Properly documented

• Easily withdrawn

This means you cannot accept a person’s silence as consent.

There cannot be any tick boxes already ticked and wording must allow the individual to opt-in rather than opt-out. For example;

Please untick this box if you do not wish to receive further communication from us.


Tick this box if you do not want to receive information in the future from us.

These two examples are no longer lawful as they are considered ambiguous, easily missed or misinterpreted and are both opt-out rather than opt-in.

Data Breaches - In the event of a security breach

The GDPR outlines a very strict code of practice that must be adhered to in the event of a security breach where it is suspected that personal data could have been compromised. In your GDPR central file there should be included a model data breach form. This should then be used in every instance and immediately submitted to the Data Protection Lead.

It is a legal requirement to notify the ICO (Information Commissioner’s Office) of any breach no matter if data was compromised or not. This should not be taken lightly as it will lead to investigation of practice and data. Furthermore, the data subjects (people) concerned must legally be notified of this breach, no matter how many are involved.

Fines can be imposed for both the breach itself, as well as any failures regarding reporting to those affected.

Data Protection Officer

The Data Protection Officer is the lead member of an organisation responsible for ensuring data protection compliance. As mentioned previously, not all organisations will need to appoint a data protection officer. To see if you should appoint an officer or a lead read the guidance posted by the ICO.

GDPR and charities – Don’t bury your head in the sand

It might seem like a lot to take in, and that’s because it is. Just remember that the very worst thing you can do is to bury your head in the sand and hope that it all just blows over. Now, even if you haven’t carried out any changes yet, is the right time to consider your position and move forward.

This article was written by Grant Robertson of Shake & Speare. For more information or support on GDPR or for copywriting/content services, do drop him a line.