GDPR for Charities
GDPR compliance rules are changing on May 25th 2018. These changes will affect all organisations, from large corporations, to SMEs, to public sector services – even charities.
By now most of us have heard about General Data Protection Regulation (GDPR) changes and what it will mean for local businesses.
For anyone that is yet to hear about it, the GDPR is a set of regulations covering data protection, and it will replace the current Data Protection Act. These new EU regulations give consumers the assurance that their data is safely stored by the companies they have agreed may store it, and also give them the right to request deletion from any company database, should they no longer wish to be contacted.
For the manufacturers and businesses out there, the GDPR changes mean a great deal. They mean increased fines of up to £20 million or 4% of annual income (whichever is higher), as well as loss of control over media releases and even possible legal action.
That is only in the case of non-compliance, however.
Charities, however, aren’t the same as businesses. £20 million would be taken away from people or projects that truly need it. It’s then not a punishment on the company but on the cause they stand for.
Charities aren’t the same as businesses, but their punishment, however you view it, is the same. This is why it’s so important that charities and fundraisers get these regulations right.
So what do the changes actually mean for you?
All employees and volunteers must be properly trained to an acceptable standard on the regulations and requirements of data protection. Employees and volunteers must know that data needs to be collected in a clear and precise manner, with all donors given a clear understanding of what will happen with their data. Donors must then give clear consent for this to happen.
If any of these things are unclear or uncertain, or the donor doesn’t give consent, you don’t have the right to even take their data.
Opt-outs are no longer classed as consent. Failure to state an objection is no longer classed as consent. Consent must be clear, and it must be certain.
This is why training on how to set out consent forms and donations pages is key.
A large part of charity work involves reaching out to individuals that are yet to contact you, and the GDPR recognises that. Therefore there are certain instances that can excuse a lack of consent, one of which is ‘legitimate interest’ for advertising such as postal or phone call campaigns. However, you must be able to prove that the interest is legitimate and make it abundantly clear to the individual if their data has been passed on via a third party.
Any data that will be passed on to third-party programs (i.e. another company or software such as Google Analytics) requires separate consent. Lack of consent means this data cannot be passed along.
Finally, you must also delete data instantly upon request.
Any external business used by a charity or for a fundraiser is under the responsibility of said organisation. The charity or organisation in charge is entirely accountable for any breaches, or for any data retrieved in a way that does not comply with the GDPR.
The only exemption is that should the external business illegally take your client data, or use that data for their own personal gain in any way, they are then accountable.
Otherwise they are under the control of the charity that hired them, and therefore you must be clear on how they are to handle and collect data in the name of your organisation.
There’s no need to be alarmed when it comes to the GDPR changes. Provided you are prepared before 25th March 2018 with all the proper practices in place, then you won’t run into any issues.
It would be advisable, before the regulations come into force, to carry out an audit. This audit should cover who your employees are and what they have access to, who your volunteers are and what their training and access is, as well as how you currently take in and hold donation and client data.
From there you can carry out the necessary actions to ensure compliance.
Do your computer systems have an appropriate anti-virus?
How old is your server and does it have a firewall in place?
Who has access to your email system and is it secure?
Are your files sensitive, and if so, are your systems and the systems you use to transfer data encrypted?
How do you currently take donations? Or organise your donor’s data?
Who has access to your client/customer data?
If you can answer all of these questions with a positive and confident answer, then perhaps you are ready!
However, if you stumble at any point, or if you become unsure of your data security in any way, you must act now.
As mentioned above, it isn’t private company money that will be taken by a fine; it’s the donations, and your employees, that will suffer, along with the good cause you’re working towards.
It’s a shame, but it’s a fact. And now is the time to do something about it.
If you have any further queries about how the GDPR regulations will affect charities, or are unsure of your current compliance standing, contact the team – we’ll be happy to help!