How will the new GDPR rules affect charities?
The General Data Protection Regulation (GDPR) is set to come into force from in May 2018.
It will replace the current Data Protection Act and is the biggest overhaul of data protection legislation for over 25 years. GDPR will change the way organisations process personal data and regardless of what happens during the Brexit negotiations, it has been made clear that businesses and charities alike will have to comply with the new rules – this means it is likely we will adopt most if not all of GDPR as domestic legislation.
Fundraisers must ensure they are up to date with the new legislation to make sure they are fulfilling their legal responsibilities. In this article, we take a look at some of the things you can do to make sure you’re prepared.
Consent
Usually, under the soon-to-be old rules, simply saying “click here to read our privacy policy” would be perfectly acceptable. However, under GDPR this is no longer the case. GDPR states that you must clearly explain why you are collecting personal data and how exactly you intend to use it.
Furthermore, if you plan on selling any of the data on to third-party organisations, you must get explicit consent. In order for the consent to be valid, it will need to be freely given, informed, specific and an unambiguous indication through a statement or clear affirmative action, i.e. ticking a box.
Not just fundraising
The main focus about data protection so far has been about how fundraisers can legally contact donors or potential supporters. However, it is not just fundraising – it is across the board. For example, it will apply to marketing, campaigning, managing volunteers and recording information about service users. To put it more simply, anything that involves processing an individual’s personal data is subject to GDPR.
It means the whole organisation must adopt a new approach, with new strategies being developed from the top down. Volunteers and employees alike should receive training to ensure compliance with the rules.
Opt ins and opt outs
With GDPR, it is essential that a charity complies with a set of lawful conditions to process data for direct marketing purposes.
It should be noted that organisations do not need consent for all forms of marketing, charities are allowed to make contact for direct marketing purposes via calls to numbers that are registered with the telephone preference service or by post. As long as the organisation can satisfy the legitimate interest condition.
While giving people the opportunity to opt out is acceptable, it will not mean a charity has consent, that will rely on legitimate interest only. Charities must ensure that they get this right.
Managing data
People can request the removal of data under GDPR, dubbed the “right to be forgotten”. This could be for a number of reasons, such as the individual no longer wants the charity to have the information or if it’s no longer to be used for the purpose for which it was initially collected. The data must be kept up to date and accurate, so charities should consider how they are keeping data to ensure it is not held for longer than is necessary.
User access
One of the key points to GDPR is giving people the opportunity to see what data that charity has about them. Individuals are able to make information requests to view the data and what the charity intends on doing with it.
Data breaches
The fines for organisations that are subject to a data breach have been increased by the Information Commissioners Office (ICO), as well as new duty for organisations to report data breaches should they occur. Charities must ensure they have the correct procedures in place to detect, report and investigate a data breach. It is worth staying up to date with information from the ICO to keep on top of developments.
If anything in this article is of interest to you, or concerns you in any way, please get in touch with our advisors here.
