GDPR for Charities - what you need to do before 25th May 2018.
The GDPR is nearly upon us: it comes into force on 25 May 2018, and organisations large and small should be well underway with their preparations by now.
The new regulation is deliberately drafted in broad terms to ensure that it can be implemented by organisations of all shapes and sizes, which also means that there's no ‘one size fits all’ approach to compliance. There are no significant exemptions for charities under the regulation, which are likely to hold a wealth of personal information not only in relation to their supporters but also in relation to their members, trustees and employees. For those who have been tasked with overseeing their charitable organisations’ preparation for the GDPR, we recommend taking the following actions:
1. Carry out a data audit
Charitable organisations can't possibly implement appropriate policies and guarantee the security and integrity of data if they aren’t sure what personal information is being held, where it's stored and in which format. A data audit should be carried out at the outset of the GDPR preparation process to determine these points, as well as:
- the purposes for which the data is processed;
- which of the six ‘legal bases’ justifies the processing (and, where applicable, a separate condition for processing special category or ‘sensitive’ data);
- who has access to the data;
- the retention period and deletion policy;
- any particular risks associated with processing the data; and
- the existence of any data processors or sub-processors.
It's up to each organisation to decide how to carry out and document the outcome of its audit, but this should be stored and reviewed periodically, particularly when developing new projects and initiatives which may have an impact on privacy.
If any data processors or sub-processors are identified, there must be written agreements setting out the terms of the relationship alongside a number of mandatory clauses. We would recommend that you seek specialist legal advice to update or implement data processing contracts.
2. Update or implement policies and procedures
The GDPR stipulates certain mandatory information which must be provided to data subjects at the point their information is collected, or within a reasonable time afterwards if the information is obtained via a third party. The full list of required information is set out in Articles 13 and 14 of the GDPR, but includes:
- the identity of the data controller;
- the personal information collected, the purposes for which it's used and the lawful basis for processing;
- the identities of any third party recipients of data; and
- the existence of data subject rights, for example the right to restrict processing (however, please note that the availability of each right is dependent on the legal basis being relied upon and the only absolute right is to stop direct marketing).
The simplest way to deliver this information is to include it in a privacy notice displayed on the website, or communicated by whichever means is most appropriate in the circumstances. The language used should be clear, concise and user-friendly.
Charitable organisations which carry out wealth screening to find potential donors should take particular care. Data subjects should be specifically informed that their data will be used in this way and if the screening will be carried out by a third party, they must be identified. Even if data is obtained from publicly available sources, data subjects must still be provided with the above mandatory information.
Organisations might wish to consider implementing other policies as circumstances might require, for example an internal data handling policy outlining technical and organisational security measures for protecting data and procedures for reporting breaches to the supervisory authority.
3. Review your marketing lists
Many charities send newsletters and promotional material to their supporters. Where this is done by phone, text or e-mail, charities must have obtained the specific consent of the recipient to receiving marketing communications in this way under the Privacy and Electronic Communications (EC Directive) Regulations 2003. While many other types of business can rely on ‘soft opt-in’ consent to send promotional material to customers who have previously purchased their products or services, this exemption is not applicable where the communication concerns fundraising activity.
Charitable organisations should check their marketing lists to ensure that the appropriate consents have been obtained and that, from 25 May 2018, this consent is based on a positive opt-in and meets the GDPR standard.
This presents a particular problem where organisations have bought in third party marketing lists. While this isn't prohibited under the GDPR, organisations using such lists must be absolutely satisfied (and able to document) that the requisite consent has been obtained and the mandatory information has been provided to the data subjects on the list.
The above is not intended to constitute an exhaustive guide to preparing for the GDPR. Documenting processing activity and having written policies in place is invaluable and might help organisations demonstrate their compliance with the rules, but what is of utmost importance is that these policies and procedures are observed and complied with at organisational level. The best way to avoid fines and sanctions is to avoid breaches happening in the first place.
This note provides general information on aspects of the subject matter. It's not exhaustive and should not be relied upon as legal advice.