Data protection laws and regulations apply to all organisations regardless of sector, from finance to healthcare, and that includes charities and not-for-profit organisations (NFPs). One of the most important pieces of legislation charities and NFPs need to be aware of is the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. This is because most charities are data controllers (the entity that determines the purposes and means of the processing of personal data), as they will:
- Instigate the processing of personal data
- Determine what personal data (information relating to an identified or identifiable natural person) is collected and what it is used for
- Document the lawful basis for processing the personal data collected
Any charity or NFP that decides what personal data to gather and why it is processed is a data controller for that data; a data processor, by contrast, is a third party that processes personal data on behalf of a controller. This covers personal data relating to beneficiaries, volunteers, employees, clients, donors, suppliers and any other stakeholder (for example a social worker, healthcare professional or headteacher involved in a child's welfare) who deals with your charity, as well as any subscriber who has signed up to hear from you. All data controllers are responsible for ensuring their own compliance with the GDPR and other regulations.
Navigating data protection laws can be confusing for anyone, especially for a charity where money, expertise and resources may be scarce. In this blog we answer some of the most common questions we hear from charities and explain how we are committed to ensuring every sector has access to data protection compliance.
How does GDPR affect my charity?
All organisations that act as data controllers or processors are subject to the GDPR. It applies to any personal data you collect, including data about volunteers and employees, and requires you to identify why your charity is collecting and storing that information.
The GDPR requires you to have a lawful basis for collecting and processing personal data, and charities are no exception to this rule (see our blog for more information). Charities must identify which of the six lawful bases set out in Article 6 of the GDPR applies before processing any personal data. The six lawful bases are:
- Consent (an unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed)
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
Each processing activity your charity undertakes needs its own lawful basis. For example, you may process volunteers' addresses for marketing purposes; here you are likely to rely on consent. But if you process your employees' addresses for tax reasons, you do so under a legal obligation.
Does my charity need to appoint a DPO?
This depends on what kind of personal data your charity or NFP processes and how, as not all charities need to appoint a Data Protection Officer (DPO). Under Article 37 of the GDPR there are three situations in which a charity or NFP must appoint a DPO:
- Your charity or NFP's core activities require regular and systematic monitoring of data subjects on a large scale
- Your charity or NFP's core activities consist of processing 'special category' data (such as health or biometric data) or data relating to criminal convictions and offences on a large scale
- The organisation is a public authority or body (excluding courts and, in the UK, parish councils); this is unlikely to apply to a charity
Some charities could fall into the first and/or second category; the phrases "core activities" and "on a large scale" are the important qualifiers. To work out whether processing special category data is a core activity, look at whether your main activities are directly linked to processing that kind of personal data. For "large scale" the GDPR gives no numeric threshold, but regulators' guidance suggests considering the number of data subjects, the volume and range of personal data processed, the duration or permanence of the processing, and its geographical extent.
If you meet any of these criteria, regardless of your size, you must appoint a DPO. Outsourcing the role can be a better option, as it saves time and money and lets you focus your valuable internal resource on the cause.
Are there any exemptions for charities or NFPs?
Beyond possibly not needing a DPO, other exemptions may apply to your charity. These include:
- Organisations employing fewer than 250 people are exempt from some of the record-keeping duties in Article 30, meaning you are only required to document processing activities that:
- Are not occasional (more than a one-off or something you rarely do)
- Are likely to result in a risk to the rights and freedoms of your charity's data subjects
- Involve special category data (the sensitive types of personal data listed in Article 9(1): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life and sexual orientation) or data relating to criminal convictions and offences
- If your charity offers counselling or preventive services directly to a child, you may be exempt from the usual rule on parental consent. Under Article 8 of the GDPR, where an online service is offered directly to a child below the age of digital consent (13 in the UK), consent must be given or authorised by the holder of parental responsibility; Recital 38 makes clear that parental consent is not needed for preventive or counselling services offered directly to a child
- You may also be exempt from releasing certain information in response to a Data Subject Access Request (DSAR, a verbal or written request by a data subject for a copy of their personal data and information about how it is used) made by a parent or guardian where the data relates to child abuse. This is the 'serious harm test' in the UK Data Protection Act 2018: if releasing the data could cause serious harm to the child, you are exempt from disclosing it in the DSAR response
How can charities ensure compliance?
There are many legal and technical ways you can ensure that your charity is GDPR compliant, including:
- Ensuring that your staff are trained and understand how to handle personal data – this should not be done with basic online training but should cover what your charity or NFP does in specific situations. It should also cover the policies you have and what staff should do if there is a breach
- Ensuring that all your policies, procedures and documents are up to date – if any of your processing has changed and you have previously carried out a Data Protection Impact Assessment (DPIA, a documented assessment that lets decision-makers identify, manage and mitigate the data protection risks of a project), make sure it reflects the current processing. Your charity's policies and procedures should likewise reflect any changes your charity has made, and they should be accessible to your data subjects
- Put in place appropriate technical and organisational measures as required by Article 32, so that your charity processes personal data securely. That means a well-developed information security policy, encryption and pseudonymisation of data where appropriate, and baseline technical controls such as those required by the Cyber Essentials scheme
- Monitor your compliance and conduct audit checks – you should continuously monitor your processing activities, including any vendors that you have. You should check your DPIAs and Records of Processing Activities (RoPA), as well as testing any security controls you may have. You should also periodically audit your charity or NFP to ensure there are no gaps in your compliance. You can do this internally or have an independent company come in to audit your charity (something we offer at The DPO Centre as a part of our consultancy service)
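Pseudonymisation, one of the Article 32 measures mentioned above, is easy to get wrong: a plain hash of a donor's email address is not a pseudonym in any useful sense, because anyone holding the data set can hash addresses they already know and match them. The Python below is an added illustration, not code from the original post or from The DPO Centre. The donor records are constructed, and storing the key in a separate vault that analysts cannot read is an assumption about how a charity would operate it.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample donor records (fictitious people, example addresses).
DONORS = [
    {"email": "alice@example.org", "postcode": "AB1 2CD", "donation_gbp": 25},
    {"email": "bob@example.org",   "postcode": "EF3 4GH", "donation_gbp": 100},
    {"email": "Alice@Example.org", "postcode": "AB1 2CD", "donation_gbp": 10},
]


def new_pseudonymisation_key() -> bytes:
    """Generate the secret key.

    Under Article 4(5) GDPR this key is the 'additional information' that
    must be kept separately from the pseudonymised data set (assumed here
    to live in a key vault the analytics team cannot read)."""
    return secrets.token_bytes(32)


def pseudonymise_email(email: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) for an email address.

    The same address under the same key always maps to the same pseudonym,
    so one donor's gifts can still be linked for analysis; without the key
    the pseudonym cannot be reversed or recomputed from a guessed address."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_records(records: list[dict], key: bytes) -> list[dict]:
    """Replace the direct identifier and coarsen the postcode to its area."""
    return [
        {
            "donor_id": pseudonymise_email(r["email"], key),
            "postcode_area": r["postcode"].split()[0],  # outward code only
            "donation_gbp": r["donation_gbp"],
        }
        for r in records
    ]


def unkeyed_pseudonym(email: str) -> str:
    """The weak alternative: a plain SHA-256 of the address with no key."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def recover_by_guessing(pseudonym: str, candidate_emails: list[str]) -> str | None:
    """What an attacker holding only the data set can do: hash every address
    they can guess (a leaked mailing list, say) and look for a match.
    This succeeds against unkeyed pseudonyms and fails against keyed ones."""
    for candidate in candidate_emails:
        if hmac.compare_digest(unkeyed_pseudonym(candidate), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    for row in pseudonymise_records(DONORS, key):
        print(row)
```

The two calls to `recover_by_guessing` show the difference in practice: the unkeyed pseudonym of a known address is matched immediately, while the keyed one is not, because the attacker cannot recompute it without the key. Losing the key makes the data set effectively anonymous to you as well, so it needs the same backup discipline as any other encryption key.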
The DPO Centre Charity and Community Fund
If you are a charity or a not-for-profit organisation, you could be entitled to apply for The DPO Centre’s Charity and Community Fund*. The fund’s purpose is to provide access to our data protection consultancy services at an 80% funded rate; this enables worthy causes to access our expertise, but with the least effect on your ability to fund your charity’s core purpose. The funding can support your charity by:
- Offering you immediate access to subject matter experts and a broadly experienced team of data protection professionals
- Removal of the ‘unknowns’ experienced when conducting a similar process internally
- Peace of mind that you are working with one of the largest and most established teams available
- A decrease in the potential for compliance failure across the organisation
- Substantial reduction in regulatory and reputational risk
- Ultimately leading to improved trust, increased engagement and an elevated reputation, promoting ever-increasing organisational value
If your charity (or non-profit) is interested in applying for the fund, please click here to see more information.
*There are limitations on who can join, please see here for the requirements