14 May 2018
A December 2017 survey by Ecclesiastical, a specialist charity insurer, suggests that a worrying proportion of the UK’s 160,000+ charities may be less prepared than they should be for the General Data Protection Regulation (GDPR).
36% of small charities (turnover below £500k) were not even aware that the GDPR was being introduced, leaving them potentially exposed to regulatory action in the event of a data breach.
And while awareness of the new regulation was higher among larger organisations,
37% of all charities felt they needed to know more about the new regulation,
with 10% saying they had little or no knowledge of it.
As the new regulation comes into force, it seems likely that many charities will still be somewhat in the dark. The key thing to understand is that the GDPR applies just as much to voluntary and not-for-profit organisations as it does to businesses – essentially, any organisation that collects, stores and uses personal information on EU citizens will be impacted.
As charities of all sizes continue to embrace digital channels for communicating and fundraising, the risk of data breaches and other cyber-security events is growing. In the light of the GDPR, this makes it important to have staff and/or volunteers with experience of data security, and access to expert partners who can provide training (and tools for remediation in the event of a breach).
It is also important for charity trustees and employees to understand their legal obligations around data protection, in particular, the legal requirement to notify the Information Commissioners Office (ICO) within 72 hours of a breach involving personal data. The potential need also to notify the affected individuals could imply significant cost, disruption and reputational damage – not to mention any financial penalties that could be levied by the authorities.
The good news is that charities who have developed best-practice approaches under the previous DPA legislation may not need to make enormous changes. For example, it is a myth that charities will always need to seek fresh consent to be able to contact existing donors. Provided you can show that your use of personal data is proportionate and unlikely to be objected to, you can typically rely on the “legitimate interest” provisions within the GDPR.
However, there are a number of potential subtleties. For example, while records of personal data should generally be retained for a minimal period, if your charity frequently receives gifts in wills, you may want the ability to demonstrate that a donor was previously a loyal supporter (in the event that the will is disputed). Equally, you may want to be able to contact the next of kin to thank them, and attempt to develop a new donor relationship.
If you still need to put your house in order when it comes to the GDPR, find out how Northdoor can help. We offer expert advice and consultancy services, backed by advanced tools for finding, classifying and protecting personal data – helping you to focus on fundraising and helping the needy without having to worry about compliance.
Read our blog: Fundraising in the age of GDPR