What do charities need to know about GDPR?

Is your charity or non-profit organisation ready for the new General Data Protection Regulation (GDPR), effective from 25 May 2018?

They’ll affect fundraising, campaigning and volunteer management in the third sector and replace the current Data Protection Act.

Now’s the time to be clear on what’s expected if you’re not already – or you could face some hefty penalties.

So, here’s everything charities need to know about the GDPR, condensed for your convenience.

1. It’s a ‘whole organisation’ issue

The focus has understandably been on the way charities will be able to contact and approach potential and existing donors. But it’s important to remember the new regulations won’t just apply to this area.

Instead, charities will need to adopt a whole organisation approach for campaigning, marketing, managing volunteers – essentially, any area that involves recording personal data.

A recent report by the Guardian on this topic advises charities to organise a data audit to work out what they hold, where it came from and who they share it with. Be aware that volunteers as well as employees will need to be trained to protect data in line with the new rules.

2. Consent must be clarified

Those ‘click here to read our privacy policy’ boxes will be made redundant when the new regulations come in.

Under GDPR, charities will need to clarify exactly what people are giving consent to when it comes to their personal data, stating clearly why it’s needed and what will happen to it.

Plus, if data could be passed on to third parties, express consent must be given by a defined and unambiguous action. Under GDPR, inaction – such as leaving pre-ticked boxes – will not be an indication of consent.

3. Opt-out options are essential

A tricky one, as express consent isn’t necessary for all forms of direct marketing.

Charities are permitted to contact potential and current supporters, as long as they can meet the ‘legitimate interests’ condition. But a charity’s legitimate interest in gaining support for its cause must not override an individual’s rights.

The bottom line is that, under GDPR, the individual’s right to opt out always takes precedence.

4. Users must be able to access their data

GDPR will mean users have greater transparency on how their data is being held and used. This means people will be able to submit subject access requests at any point to find out what sort of personal information charities hold and how their data is being used.

Charities should make sure there are processes in place to communicate with users and effectively deal with these requests. Plus, GDPR will allow users to submit requests to have their data deleted – and charities must consider putting procedures in place to facilitate this process too.

5. Stay on top of data breaches

With data comes great responsibility – the responsibility of keeping it safe from prying eyes.

Charities will not only need to make sure they have a robust system in place to detect and investigate a data breach, they’ll also be responsible for reporting certain types of breaches too.

There has been a steep increase in fines from the Information Commissioner’s Office so, as the new regulations come into play, it’s crucial that charities keep up-to-date with any changes in this area.

Go further

Need a more in-depth look at what GDPR means for the charity sector?

Read ‘GDPR: The essentials for fundraising organisations’ – a guidance document from the Institute of Fundraising and Bircham Dyson Bell.

The Institute is also holding seminars across the country to make sure all fundraisers are GDPR ready.