Data Protection for Charities and not-for-profits (NFPs)
The UK and the EU GDPR have had a major impact on many charities and NFP organisations.
Those relying on charitable donations for funding must ensure their marketing databases are GDPR compliant and utilised according to the requirements of the Privacy and Electronic Communications Regulations (PECR), and that records of consent and retention policies are maintained, all without dramatically reducing their marketing reach. Many NFPs and charities, particularly those supporting medical research or disadvantaged communities and groups, often process significant volumes of sensitive and special category personal data. This data usually comes from their beneficiaries and stakeholders, as well as marketing data from individuals who donate and the wider stakeholder community.
Staff in this sector must understand their individual responsibilities for ensuring data is protected, which can be a difficult task for organisations that rely on an inexperienced or volunteer workforce.
The data protection experts at The DPO Centre can help your NFP or charitable organisation achieve and maintain compliance with both the GDPR and PECR, and help you better organise your data protection procedures and policies.
This page explains what the new legislation means for charities and not-for-profit organisations and the key areas they need to consider when managing and protecting personal data.
WHAT DOES THE GDPR LEGISLATION MEAN FOR CHARITIES & NOT-FOR-PROFIT ORGANISATIONS?
Like all other organisations, charities and not-for-profit organisations must:
- Access the data stored on them
- Ensure the data is correct and modify it as necessary
- Have the data deleted (unless needed for legitimate reasons)
- Are a public body
- Process data on a large scale
DATA PROTECTION SERVICES FOR CHARITIES
We offer a range of services designed to address your organisation’s data protection concerns. Our consultancy services, outsourced DPOs, GDPR Representatives, Caldicott Guardians for medical organisations, staff training and awareness sessions, and a data protection advice line, will ensure your organisation has everything you need to appropriately and compliantly process and protect your personal data.
Our outsourced DPO service places one of our highly experienced DPOs into your organisation, working alongside your team either remotely or on-site. Outsourced DPOs provide your organisation with advice and guidance, helping you maintain your compliance framework. Having one of our DPOs in your team means they can assist with your data protection practices.
Some NFPs and charities collect information from donors from around the world. If your charity processes personal data on EU or UK residents, but you have no physical presence in these territories, your organisation may need to appoint a UK or EU Representative. Our representation service offers the expertise your charity needs to construct your Records of Processing Activities, and provides you with the necessary contact details.
NFP and charitable organisations have particular needs when it comes to data protection. They often have large databases containing the information of donors, partners and other stakeholders that must remain secure. NFPs are also likely to process sensitive data about staff and volunteers or the people the organisation serves. By engaging our consultancy services, your organisation will improve its transparency, reduce data protection risk, and increase levels of engagement from your target audience.
Your NFP or charity may rely on a large network of volunteers to keep things running. Those volunteers, as well as your staff members, should understand the basics of data protection and how they can help reduce risk within their role. The DPO Centre offers data protection and awareness training that not only educates your volunteers and staff about data protection law, but also guides them through their job-specific responsibilities. Taking our training courses also demonstrates to data protection authorities that your organisation makes the necessary effort to remain compliant.
If your NFP or charitable organisation operates in the medical sector or works with NHS patients under an NHS contract, you must complete the Data Security and Protection Toolkit (DSPT) mandated by the UK National Health Service (NHS). Completing the DSPT can be complicated if you don’t have a thorough understanding of data protection and compliance, so The DPO Centre can help your organisation complete this annual assessment. We can also identify gaps in data security you may have and offer support with their mitigation.
As part of our outsourced DPO and GDPR Representative services, we offer non-profits and charities a data protection Advice Line service. The Advice Line is staffed by our large team of experienced DPOs who are ready to answer your pressing questions or offer more immediate support to your everyday data protection issues. We can also offer your organisation access to our helpline as a standalone service to provide reactive support and guidance when required.
IMPORTANT DATA PROTECTION CONSIDERATIONS FOR CHARITIES AND NOT-FOR-PROFIT ORGANISATIONS
Charities and not-for-profit organisations must protect personal data in a wide range of their operations. Some major considerations include:
Marketing and fundraising
- Managing consent of individuals receiving direct marketing materials
- Impact of the Privacy and Electronic Communications Regulations (PECR) and ePrivacy
- Data retention
- Database management and data minimisation
Staff and Volunteers
- Training staff and volunteers to understand their protection responsibilities
- Embedding a culture of data protection often across multiple sites staffed by part-time, voluntary and permanent staff
- Avoiding the creation of multiple local copies of data on different platforms
Managing sensitive information
- Data Protection Impact Assessments
- Information on people receiving charitable support including medical and other sensitive personal details
- DBS checks
Governance and the role of trustees
- Understanding responsibilities
- Having robust reporting systems
Managing data across multiple sites
- Minimising data held in multiple formats and locations
- Avoiding duplicated data
- Disposal and retention
- Managing legacy and non-standard systems
- Email systems
- Staff payroll, pension and HR records
- Visitors’ book, access and CCTV
- Maintaining network and server security
- Data encryption
Policies and agreements
- Privacy, retention, cookie and data protection policies
- Staff handbooks
- Data sharing agreements
- Data processing agreements
BENEFITS OF OUR OUTSOURCED DATA PROTECTION SERVICES
Our large pool of experienced DPOs has a deep knowledge of data protection compliance, and expertise working in the NFP and charity sectors. We can, therefore, deliver far greater value to your organisation than what is available from an independent contractor or smaller data protection team. We have worked with a wide range of platforms, tools, vendors, and software, so we can provide cost-effective and informed guidance to your organisation.
NSPCC’s Director of Corporate Service
“By working on-site and being seen as part of the team, the DPO Centre’s DPO really understands the complex data protection issues the NSPCC faces.
Being able to draw upon the combined knowledge of the wider DPO Centre team gives us an added level of confidence and means we can rely on their advice and support whenever we need it.”