Data protection laws and regulations apply to all organisations regardless of sector, from finance to healthcare. They also apply to charities and not-for-profit organisations (NFPs). One of the most important pieces of legislation charities and NFPs need to be aware of is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (GDPR). This is because most charities are considered a data controller (an entity, such as an organisation, which determines the purposes and means of the processing of personal data), as they will:
Any charity or NFP that gathers and processes personal data is considered a data processor (a third party processing personal data on behalf of a data controller). This includes any personal data relating to beneficiaries, volunteers, employees, clients, donors, suppliers, and any other stakeholder (an individual with an interest or concern in something, for example a social worker, healthcare professional or headteacher in respect of the welfare of a child) that benefits from your charity, or any subscriber who has signed up to hear from you. All data controllers are responsible for ensuring compliance with the GDPR and other regulations.
Navigating data protection laws can be confusing for anyone, especially for a charity where the money, knowledge and resources may not be readily available. In this blog we answer some of the most common questions we hear from charities and explain how we are committed to ensuring every sector has access to data protection compliance.
All organisations that are considered data controllers or processors are subject to the GDPR. The GDPR applies to any personal data you collect, including data about volunteers and employees, and requires you to provide a reason why your charity is collecting and storing the information.
GDPR requires you to have a lawful basis for why you are collecting and processing personal data, and charities are no exception to this rule (see our blog for more information). Charities will have to show that they have one of the six lawful bases, set out in Article 6 of the GDPR, before processing any personal data. Charities may choose one of the following as their lawful basis:
Each area of data processing your charity undertakes will need to have a lawful basis. For example, you may process volunteers’ addresses for marketing purposes; in this case, you are likely to rely on consent. But if you are processing the addresses of your employees for tax reasons, you will have a legal obligation to do so.
This question very much depends on what kind of personal data your charity or NFP processes, as not all charities will need to appoint a Data Protection Officer (DPO). However, you should keep in mind that there are three situations in which a charity or NFP will likely need to appoint a DPO. These include:
A few charities could fall into category one and/or two; the phrases “core activity” and “on a large scale” are important qualifications. To work out whether the processing of special category data is a “core activity”, your charity should look at whether its main activities are directly linked to the processing of that category of personal data. For “large scale”, there is no clear guidance. However, it is suggested that your charity should consider the volume of personal data being processed, the number of data subjects you have, the permanence of the processing activities and the geographic scope of the personal data you collect.
If you meet one or more of these criteria, regardless of size, you should appoint a DPO. Outsourcing a DPO can be a better option, as it can save you time and money, allowing you to focus your valuable internal resources on the cause.
As well as possibly not needing a DPO, your charity may qualify for other exemptions. These include:
There are many legal and technical ways to ensure that your charity is GDPR compliant, including:
If you are a charity or a not-for-profit organisation, you could be entitled to apply for The DPO Centre’s Charity and Community Fund*. The fund’s purpose is to provide access to our data protection consultancy services at an 80% funded rate; this enables worthy causes to access our expertise with the least effect on your ability to fund your charity’s core purpose. The funding can support your charity by:
If your charity (or non-profit) is interested in applying for the fund, please click here for more information.
*There are limitations on who can join; please see here for the requirements.