Charities and the GDPR – key issues to think about
29th June 2021
“The UK General Data Protection Regulation (UK GDPR) . . .sets out the requirements for how organisations need to handle personal data.” www.ico.org.uk
The first, most important thing to remember is that the legislation is about personal data, i.e. information that makes it possible to identify a living individual. Secondly, the GDPR treats a Charity very much as any other organisation; however, there are some particular issues that charities have that we highlight here to make sure you are aware of some of the specialist matters you face.
As a charity, you have many balls to juggle and many stakeholders to consider: Trustees, volunteers, staff, beneficiaries, donors.
Here at the Griffin House Consultancy, we have always done our best to support our friends in the Third Sector. We know that many charities are small organisations without dedicated Data Protection Officers – so our Level 1 Introduction to Data Protection for the Third Sector – Fundraising and the Law course is always run at a discount.
- Ultimately Trustees are responsible for ensuring that their organisation is compliant as far as Data Protection law is concerned. Trustees may not be involved with the Charity daily, so everyone within the Charity who works with any personal data must be aware of their responsibilities. This includes occasional volunteers. You must have robust controls and processes in place to ensure compliance.
- Do you have a full audit of everywhere within your organisation where you interact with or store personal data? This is an essential document.
- Don’t forget that it is not just electronic data that you need to take account of, but also any personal data held in paper format (or even photographs or CCTV if it is possible to identify a person from them). If you have volunteers or staff who collect data manually ‘in the field,’ make sure this is treated carefully and securely. We suggest you capture the information electronically if you can to make the process of controlling it much more manageable. For example, another of the demands of the GDPR is that an individual can request to know what information you hold on them – if you are still using paper records, this is very difficult and time-consuming.
- One of the demands of the GDPR is that data is not held longer than is necessary. As a charity, we know that you often have to demonstrate the impact you are having and that this may necessitate a requirement for using your data to show the difference you have made. This is OK to do, so long as you make the data anonymous.
- Data retention is another important aspect of GDPR – generally, data should only be retained for as short a time as possible. However, if your Charity relies on legacy income, it may be helpful for you to hold relevant data for longer. If you choose to do this (in case, for example, the Will is contentious, or if you want to thank the next of kin), make sure you document why you are keeping that particular set of data and ensure it is held securely and kept up to date.
- If you work with Third-Party Fundraisers, it is essential that they too comply with the data protection legislation. If you share data with them, it will be necessary to set up Data Processing Agreements between the parties. In this instance, the Charity is likely to be the Data Controller.
- While in the main, Charities are treated precisely as any other organisation under the GDPR, there are one or two exemptions – mainly regarding complying with subject access requests in relation to data held on the well-being of ‘at risk’ minors.
- Special category data may be an issue for some health and well-being-related charities. This includes information such as medical records and sexual preferences. The UK GDPR makes stricter demands on the processing of this kind of sensitive information. If you need to process Special Category data, we strongly recommend you contact us here at the Griffin House Consultancy for further, specific advice.
Don’t forget that you also need to remember the basics of GDPR and PECR (for electronic communications), such as:
- Lawful basis for processing personal data
- Privacy notices
- Reporting of data breaches
- International transfer requirements
- Whether you need a Data Protection Officer
- The individual’s rights to their data
- Training of management and volunteers in data protection
Please book either a complimentary 30-minute consultation or take advantage of our reduced-price Level 1 Introduction to Data Protection for the Third Sector – Fundraising and the Law course.