What does the GDPR mean for my charity?
The GDPR will affect the vast majority of UK charities in one way or another. Any organisation that collects personal information from individuals – from service users to donors, beneficiaries to marketing contacts, trustees to volunteers – will need to review its data protection practices and procedures in light of the new law.
What will change?
A lot of what’s in the GDPR mirrors current law under the Data Protection Act 1998 and guidance published by the Information Commissioner’s Office (ICO). However, it also introduces some new rights and obligations and makes changes to some existing concepts.
Many of the new ideas in the GDPR are designed to promote better transparency and accountability. For example, the ICO’s updated privacy notices code explains how and when information must be made available to individuals to explain why their data is being collected and what it will be used for. There will also be an obligation to consider data protection by design and default as part of day-to-day business as usual and, in some cases, you may be required to conduct data protection privacy impact assessments to identify the most effective way to comply with your data protection obligations.
Some organisations will need to maintain records of their data processing activities, including how long data is kept and the security measures they have in place, and public authorities and charities doing large-scale monitoring or processing of certain special categories of data will need to appoint a data protection officer.
The GDPR also gives individuals enhanced rights with new provisions covering the right to access data (replacing subject access requests), the right to be forgotten and the right to data portability. Organisations will also have a duty to report certain types of data breach to the ICO and, in some cases, to the individuals affected.
What do I need to do to prepare?
The ICO has published a 12-step guide to preparing for the GDPR. The first step is to make sure your board of trustees and key decision makers are aware of the upcoming changes and of the work that will need to be done to prepare.
You will then need to review the personal data that your charity collects and processes.
What lawful basis are you relying on to get the data and to use it in the way you do?
- Consent from the individual?
- Legitimate interest of the charity?
- Is it necessary for the performance of a contract?
- Is it required to comply with a legal obligation?
Consent has been one of the most hotly debated GDPR issues within the charity sector. The ICO’s draft guidance says opt-out consents based on pre-ticked boxes or inactivity will not be valid under the GDPR, so if you are currently relying on opt-out consents, you will need to obtain new consents or find another lawful basis for processing that data.
Contracts or agreements with any third parties that process personal data on your behalf, such as external payroll providers or IT support companies, will also need to be reviewed and may need to be updated or renegotiated in advance of May 2018 in order to meet GDPR requirements.
Where do I go for more information?
The ICO website is the best place to start if you want more information about the GDPR. It is regularly updated as new materials become available and it contains links to other sources, including guidelines from the Article 29 Working Party of European Data Protection Authorities.
We are running half-day courses to give charities the information they need to start preparing for the GDPR. The next course is on 12 September and there are alternative dates in October, November and December. You can find more information and details of how to sign up on our website.