Data Protection for Charities

The GDPR has had a major impact on many charities and not-for-profit organisations.

Those relying on charitable donations for funding must ensure their marketing databases are GDPR compliant, that records of consent and retention policies are maintained without dramatically reducing their marketing reach. Many charities, particularly those supporting medical research or the disadvantaged can process significant volumes of sensitive and special category personal data.

Staff must understand their individual responsibilities for data protection and ensuring this can be particularly difficult for those organisations relaying on a large part-time volunteer work force.

This page explains what the new legislation means for charities and no-for-profit organisations and the key areas they need to consider when managing and protecting personal data.

Alternatively click one of the options below to speak to us

Email Call

WHAT DOES THE LEGISLATION MEAN FOR CHARITIES & NOT-FOR-PROFIT ORGANISATIONS?

Like all other organisations, charities and not-for-profit organisations must:

Be transparent in the way they process personal data and accountable for doing so

Be able to detect, manage, report and respond to data breaches including, if necessary, liaising with the Information Commissioner’s Office (ICO)

Understand the data they have, where it is stored and who has access to it

Implement robust processes and procedures to protect personal data

Allow donors, staff, beneficiaries, customers, suppliers, all people receiving charitable support to:

Access the data stored on them
Ensure the data is correct and modify it as necessary
Have the data deleted (unless needed for legitimate reasons

Appoint a designated data protection officer if they:

Are a public body
Process data on a large scale

IMPORTANT DATA PROTECTION CONSIDERATIONS FOR CHARITIES AND NOT-FOR-PROFIT ORGANISATIONS

Charities and not-for-profit organisations must protect personal data in a wide range of their operations. Some major considerations include:

Marketing and fund raising

Managing consent of individuals receiving direct marketing materials
Impact of Personal Electronic Communications Regulation (PECR) and ePrivacy
Data retention
Data base management and data minimisation

Staff and Volunteers

Training staff and volunteers to understand their protection responsibilities
Embedding a culture of data protection often across multiple sites staffed by part-time, voluntary and permanent staff
Avoiding the creation of multiple local copies of data on different platforms

Managing sensitive information

Data Protection Impact Assessments
Information on people receiving charitable support including medical and other sensitive personal details
DBS checks

Governance and the role of trustees

Understanding responsibilities
Having robust reporting systems

Managing data across multiple sites

Minimising data held in multiple formats and locations
Avoiding duplicated data
Disposal and retentions
Managing legacy and non-standard systems

Administration

Email systems
Staff payroll, pension and HR records
Visitors’ book, access and CCTV

Data Security

Maintaining network and server security
Data encryption

Policies and agreements

Privacy, retention, cookie and data protection policies
Staff handbooks
Data sharing agreements
Data processing agreements

Enquire Today

Fill in your details below and we’ll get back to you as soon as possible

Alternatively click one of the options below to speak to us

Email Call

DATA PROTECTION SERVICES FOR SECTORS

David Roberts

NSPCC’s Director of Corporate Service

“By working on-site and being seen as part of the team, the DPO Centre’s DPO really understands the complex data protection issues the NSPCC faces.

Being able to draw upon the combined knowledge of the wider DPO Centre team gives us an added level of confidence and means we can rely on their advice and support whenever we need it.”