Background
Capability Scotland is a Scottish charity founded in 1946 that provides care, support, and education for disabled people across the country. Operating from its headquarters in Edinburgh, the organisation delivers residential care, care at home, housing support, and specialist education through a dedicated school and college.
As a beneficiary of The DPO Centre’s Charity & Community Fund, Capability Scotland sought external support to review its data protection framework, identify areas for improvement, and build confidence within its internal data protection function.
Key Challenges
- Maintaining an accurate Record of Processing Activities (RoPA)
- Implementing effective access controls
- Assessing high-risk processing activities
Solution
The designated Data Protection Officer (DPO) worked alongside Capability Scotland’s internal privacy team to review how personal data was used across the organisation. By engaging with different departmental teams, the DPO updated the charity’s Record of Processing Activities (RoPA), clarified lawful bases, and identified where additional assessments were required.
The DPO finalised several mandatory assessments, including Data Protection Impact Assessments (DPIAs) and a Legitimate Interests Assessment (LIA) for fundraising activities. This enabled Capability Scotland to demonstrate that higher-risk processing activities had been properly considered and documented.
To address access control concerns, the DPO facilitated communications with internal stakeholders and third-party providers to ensure access to personal data better reflected operational responsibilities. This helped limit unnecessary access to sensitive information and supported the charity’s wider data minimisation objectives.
The DPO also strengthened the organisation’s wider privacy framework by introducing practical policies and procedures tailored to its operations. This included updates to data breach and Data Subject Access Request (DSAR) processes, an Acceptable Use Policy, and bespoke Privacy Notices for donors, staff, service users, and website visitors. Together, these measures gave teams clearer guidance on handling personal data consistently and appropriately.
Outcome
Clare Beesley, Executive Support & Governance Manager at Capability Scotland, said: ‘The support we received from the DPO Centre was invaluable. Our DPO was clear, knowledgeable, patient and provided practical guidance throughout the process, which made compliance requirements much easier to navigate. Our experience has been extremely useful, and it was reassuring to have confirmation that a number of our current documents were fit for purpose but left us with an understanding of what work was required to ensure we were fully compliant. Many thanks!’




