Data protection, Finance & law, Law, Fundraising

GDPR Conference on 6 March - Secure your space now

Are you ready for the GDPR?

One-day GDPR conference in partnership with Russell-Cooke

The General Data Protection Regulation (GDPR) takes effect on 25 May 2018. Most charities and not-for-profit organisations realise they should be reviewing their data protection practices now, and taking steps to prepare, but it can be difficult to know where to start.

This one-day conference, organised by Directory of Social Change in partnership with Russell-Cooke , will feature a series of workshops focusing on key areas of the GDPR. The workshops will include practical exercises, tips and suggestions to help your organisation get ready for May 2018.

You will also have opportunities to ask a panel of data protection experts about the issues that are bothering you and to hear what other organisations are concerned about.

Who should sign up?

Staff and trustees of charities who have basic knowledge of the GDPR and delegates who have attended the DSC’s half day course GDPR: What you need to know.

What will I get out of it?

  • Four practical, interactive workshops to kick-start your GDPR preparation
  • An opportunity to share thoughts and experiences with other organisations and to reflect on practice within the sector
  • A chance to ask the experts in Q&A panel sessions

What will the sessions cover?

Fundraising and direct marketing (Gary Shipsey, Managing Director, Protecture)

  • What counts as direct marketing? Is consent always needed to send direct marketing material?
  • What does GDPR-standard consent look like? How can you get GDPR-standard consent from your existing subscribers and supporters?
  • What happens if you don’t get GDPR-standard consent before 25 May 2018 and how long does consent last?
  • What are the rules for business-to-business marketing, and what if you receive someone’s contact details from a third party?
  • Can you use publicly-available personal information (e.g. LinkedIn and Companies House) to research potential donors? Will fundraising research count as profiling under the GDPR?
  • Will the ‘right to be forgotten’ mean you can no longer keep marketing suppression lists?

Privacy notices (Victoria Ehmann, Associate, Russell-Cooke)

  • Do you need to have more than one privacy notice for different data subjects? Do you need a special privacy notice for children?
  • What information needs to be included in your privacy notice? How much detail do you need to provide?
  • What do you have to tell people if you receive their personal data from a third party? Do you have to name third parties with whom you share personal data?
  • What information do you need to tell people about their individual rights, such as the right to access their information?
  • How can we write privacy policies that contain all of the required information and is also concise, easy to understand and written in plain language?
  • Who needs to see a copy of your privacy notice and when do you need to give it to them?
  • How should you present your privacy notice? Is a link on your website homepage sufficient? What about when we are speaking to people face-to-face or over the phone?
  • When you update your privacy notice, do you need to contact everyone to let them know?

Record keeping and security (Ian Singer, IT Assurance Partner, PKF Littlejohn)

  • What are the lawful bases for processing personal data? Is consent the best one and when can you use legitimate interests?
  • What are legitimate interests assessments and how do you do one?
  • What does the GDPR mean when it says that processing needs to be “necessary”?
  • What’s different about processing special categories of personal data and data about criminal convictions or offences?
  • When do you need to decide your lawful basis? Can it change at a later date?
  • What should you do if someone withdraws their consent to processing their personal data? What about if someone objects to processing on legitimate interest grounds?

Accountability and governance (Carla Whalen, Associate, Russell-Cooke)

  • What information do you need to keep about the personal data you collect and hold? How can you organise your records?
  • Do you need to appoint a data protection officer? Who can be a data protection officer and what do they do?
  • What does data protection ‘by design and default’ mean and what measures should you consider putting in place to meet your obligations?
  • When do you need to carry out a data protection impact assessment and how do you do it?
  • Do you need to review or negotiate written contracts with third party data processors? What information must the contract contain and what does it mean?
  • When do you need to report a data breach to the Information Commissioner and how do you do it?


 Carla Whalen, Associate, Russell-Cooke

Carla Whalen is an Associate in the charity and social business team at Russell-Cooke solicitors. She specialises in data protection and employment law, providing advice and support to a range of organisations from household names to start-ups and local voluntary groups. Carla is currently helping clients to prepare for the GDPR by delivering training, carrying out data reviews, drafting privacy policies and consent statements, and reviewing data processing agreements.


Victoria Ehmann, Associate, Russell-Cooke

Victoria Ehmann joined Russell-Cooke in 2012 and is an associate in the charity and social business team. Victoria assists charities, social businesses and other third sector organisations with all aspects of governance and commercial law. Victoria particularly advises on all aspects of data protection law including making representations to the Information Commissioner’s Office


Ian Singer, IT Assurance Partner, PKF Littlejohn

Ian has been involved in IT Governance and the management of data processing systems for more than 30 years for commercial and not-for-profit clients. He is currently actively involved in advising a wide range of organisations on the General Data Protection Regulations (GDPR).


Gary Shipsey, Managing Director, Protecture

Gary Shipsey is co-founder and Managing Director of Protecture, and is approaching 14 years of practical experience turning information law into practice. Gary is co-author of the Fundraising Regulator’s Guidance “Personal Information and Fundraising: Consent, Purpose and Transparency” and regularly speaks and advises on all things GDPR, data protection and privacy related.

Each session will be a 90-minute workshop led by an expert consisting of the following:

  • 45-minute  exercise
  • 15-minute review of exercise
  • 15-minute break – these will all occur at the same time across all sessions.
  • 15-minute Q&A

Conference Schedule

8.15 am – 9.00 am Registration
9.00 am – 9.45 am Welcome Q+A Panel
10.00 am – 11.30 am Session choice 1
11.30 am – 13.00 pm Session choice 2
13.00 pm – 13.45 pm Lunch
13.45 pm – 15:15 pm Session choice 3
15:15 pm – 16:45 pm Session choice 4
16:45 pm – 17:15 pm Closing and final Q&A   panel

*Lunch is included with your booking. If you have any dietary requirements or any other requirements that we need to know about, please fill in the ‘special requirements’ box when booking your place.

In Partnership with

*Fundraising and Direct Marketing: 10am -11.30am,  Privacy Notices 11.30am-1pm, Record Keeping and Security: 13.45pm-15.15pm and Accountability and Governance: 15.15pm-16.45pm are all full. Please choose an alternative. 

Conference schedule

Please choose one session per time slot. Ensure that each session you pick is different in each time slot.

6 Mar 2018
Privacy notices10:00 — 11:30
Record keeping and security10:00 — 11:30
Accountability and governance10:00 — 11:30
Fundraising and direct marketing11:30 — 13:00
Record keeping and security11:30 — 13:00
Accountability and governance11:30 — 13:00
Fundraising and direct marketing13:45 — 15:15
Privacy notices13:45 — 15:15
Accountability and governance13:45 — 15:15
Fundraising and direct marketing15:15 — 16:45
Privacy notices15:15 — 16:45
Record keeping and security15:15 — 16:45

Booking options

Band A

Band A

Voluntary and community organisations with a turnover of up to £500,000.
Choose sessions first
Band B

Band B

Voluntary and community organisations with a turnover of over £500,000.
Choose sessions first
Band C

Band C

Statutory and commercial organisations.
Choose sessions first
Date Band A

Band A

Voluntary and community organisations with a turnover of up to £500,000.
Band B

Band B

Voluntary and community organisations with a turnover of over £500,000.
Band C

Band C

Statutory and commercial organisations.
6 Mar 2018£255.00£320.00£450.00
All days£255.00£320.00£450.00

Delegate information

By placing this order you agree to DSC's terms and conditions:
Terms and conditions