The new General Data Protection Regulation (GDPR) comes into force on 25th May 2018, with some key implications for charities. Ultimately, charity revenues could be hit hard if these issues aren’t addressed in time.
What is the GDPR and why should charities care?
Fundamental to the GDPR are the increased privacy rights for individuals coupled with the increased responsibilities of data processors. This is important since personal data is a critical asset for many charities in terms of supporters, service users, volunteers and staff.
In the past, charities have found themselves in the ICO’s firing line, receiving fines for data breaches. However, with the GDPR the stakes are even higher - today’s potential £500,000 fine rockets up to £17 million or four percent of global turnover, whichever is greater. And there is no charity exemption. Furthermore, people affected by data breaches or misuse have the right to sue both data controllers and processors for compensation.
Here are five key implications of the GDPR on charities.
1. Accountability - proving that data privacy is at the heart of your charity
Under the GDPR, charities must have policies and procedures that demonstrate compliance - not just in relation to fundraising but right across the charity. You must:
- Keep extensive internal records of your data processing flows and be able to produce them on request
- Appoint a Data Protection Officer for certain scenarios, for example if you process a large volume of data or sensitive data
- Have robust information security measures such as encryption for risk mitigation
- Demonstrate privacy by design – i.e. that privacy is at the heart of all processes. This includes, for example, carrying out a Data Protection Impact Assessment (DPIA) before any potentially risky project or marketing campaign.
2. Consent will be difficult to obtain
Many charities use “consent” as a legal ground for data processing, particularly regarding fundraising communications. The ICO considers such communications as direct marketing, since they involve promoting the aims and objectives of the charity. Unfortunately, under the GDPR this means it will be harder to obtain valid consent. Pre-ticked boxes are no longer enough.
Consent will have to be:
- Freely given
- Specific to each processing activity carried out - for example, just because somebody consents to emails regarding an event doesn’t mean you can email them your newsletter or about future projects
- As easy to withdraw as it was to give
3. Make sure your data processors are GDPR compliant
Charities will have to prove they’ve done their due diligence on third-party data processors, such as a marketing agency or payroll company, to make sure they are GDPR compliant.
They need to set up a GDPR-compliant contract with third parties to include:
- Duty of confidentiality on staff
- No sub-contracting without the charity’s consent
- Generally helping the charity (as the controller) with its own compliance requirements
4. Breach notification - what to do if your data is compromised
Under the GDPR, organisations must report a data breach to the ICO within 72 hours unless there is unlikely to be a risk to individuals. Where the risk to individuals is likely to be high, you must also report the breach to those affected individuals. The report should include the mitigating steps you propose to take to manage the situation.
Failure to report a breach can result in a fine of €10 million or two per cent of global turnover.
5. Enhanced rights for individuals
- People can request erasure of their personal data under a widening of the right to be forgotten principle. This applies when there is no longer a need for you to hold their data, when they object to the processing, or when the processing is unlawful.
- Organisations can no longer charge for subject access requests and have one month to respond.
- Individuals have the right to appeal any automated decision-making or profiling.
If you need help preparing for GDPR, Me Learning has developed a series of e-learning courses to help organisations navigate the changes to data protection law. You can find out more here.