The GDPR has had a major impact on many charities and not-for-profit organisations.

Those relying on charitable donations for funding have to ensure their marketing databases are GDPR compliant, that records of consent and retention policies are maintained without dramatically reducing their marketing reach.  Many charities, particularly those supporting medical research or the disadvantaged can process significant volumes of sensitive and special category personal data.

Staff must understand their individual responsibilities for data protection and ensuring this can be particularly difficult for those organisations relaying on a large part-time volunteer work force.

This page explains what the new legislation means for charities and no-for-profit organisations and the key areas they need to consider when managing and protecting personal data.

WHAT DOES THE LEGISLATION MEAN FOR CHARITIES & NOT-FOR-PROFIT ORGANISATIONS?

Like all other organisations, charities and not-for-profit organisations must:

ok2
Be transparent in the way they process personal data and accountable for doing so
ok2
Be able to detect, manage, report and respond to data breaches including, if necessary, liaising with the Information Commissioner’s Offfice (ICO)
ok2
Understand the data they have, where it is stored and who has access to it
ok2
Implement robust processes and procedures to protect personal data
ok2
Allow donors, staff, beneficiaries, customers, suppliers, all people receiving charitable support to:

  • Access the data stored on them
  • Ensure the data is correct and modify it as necessary
  • Have the data deleted (unless needed for legitimate reasons

ok2
Appoint a designated data protection officer if they:

  • Are a public body
  • Process data on a large scale

IMPORTANT DATA PROTECTION CONSIDERATIONS FOR CHARITIES AND NOT-FOR-PROFIT ORGANISATIONS

Charities and not-for-profit organisations must protect personal data in a wide range of their operations.  Some major considerations include:

Marketing and fund raising

  • Managing consent of individuals receiving direct marketing materials
  • Impact of Personal Electronic Communications Regulation (PECR) and ePrivacy
  • Data retention
  • Data base management and data minimisation

Staff and Volunteers

  • Training staff and volunteers to understand their protection responsibilities
  • Embedding a culture of data protection often across multiple sites staffed by part-time, voluntary and permanent staff
  • Avoiding the creation of multiple local copies of data on different platforms

Managing sensitive information

  • Data Protection Impact Assessments
  • Information on people receiving charitable support including medical and other sensitive personal details
  • DBS checks

Governance and the role of trustees

  • Understanding responsibilities
  • Having robust reporting systems

Managing data across multiple sites

  • Minimising data held in multiple formats and locations
  • Avoiding duplicated data
  • Disposal and retentions
  • Managing legacy and non standard systems

Administration

  • Email systems
  • Staff payroll, pension and HR records
  • Visitors’ book, access and CCTV

Data Security

  • Maintaining network and server security
  • Data encryption

Policies and agreements

  • Privacy, retention, cookie and data protection policies
  • Staff handbooks
  • Data sharing agreements
  • Data processing agreements

If you would like to speak to us about any of our Data Protection consultancy services

 

Contact Us