The General Data Protection Regulation (GDPR) affects charities and non-profit organisations - much to everyone’s surprise. GDPR is applicable to all organisations that are either data controllers or processors.
Essentially, if you process personal data then the GDPR will apply, whether you are a profit or non-profit organisation. The type of personal data that a charity would process could be information in relation to employees, suppliers, supporters, beneficiaries, or donors.
Unfortunately, the GDPR doesn’t take any prisoners: if a charity is found to be in breach or non-compliant, financial penalties of up to 4% of the annual global turnover or £17.5 million, whichever is greater, can be applied. For non-compliance with the administrative requirements of the GDPR, the standard maximum amount applies, which is £8.7 million or 2% of the annual global turnover, whichever is higher.
While these consequences are scary, the regulations can be difficult to understand, leaving many charities feeling stuck between a rock and a hard place. Luckily, we promise to provide clear, jargon-free advice. Our data protection solicitors are on hand to provide assistance and training across all areas of data protection and privacy law.
Top tips for staying compliant
According to the Information Commissioner’s Office (ICO), charities must make sure donors or individuals provide 'a positive opt-in...offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.' It’s important to remember that consent should be as easy to withdraw as it was to give. Charities should also consider whether consent is indeed the correct lawful basis to use, and if it is, make it easy for the individual to withdraw it quickly and effortlessly should they wish to do so.
Charities should let people know why they are gathering information and what they are going to do with this information. This should be in the form of a privacy notice and readily available as well as easy to understand.
Information collected should be sufficient and relevant.
There’s no point in collecting data that’s inaccurate; you may as well not have it. Charities should check that what they hold is accurate and useful for the purposes for which they are processing that personal data.
Personal data should not be stored for longer than necessary. Charities should review their retention schedules and store only what they need, in accordance with local retention and privacy laws. The reasons for storage should be justified.
Charities should ensure that data is protected and that access is on a need-to-know basis, i.e. limited to those who have a legitimate reason to access it. Data sharing should be done securely: charities should use encrypted and password-protected files for sharing data, to ensure it is not compromised.
Charities should ensure that those trusted with responsibility for processing personal data are provided with GDPR training, so that technical and organisational measures are adhered to. Each person has their part to play in an organisation where personal data is being processed, so it may be considered necessary to train all staff and volunteers. The level of training may differ depending on job role; for example, some roles may require more in-depth training if they handle a lot of personal data on a daily basis.
Records demonstrate compliance. Whether projects or documents are a work in progress or complete, it is necessary to keep records of these documents, as well as of processing activities, to be able to prove compliance with and adherence to the GDPR.
Legitimate Interest Assessments - How do they apply to Charities?
Charities may often find 'legitimate interest' to be the most flexible lawful basis for processing, but it cannot be assumed that it will always be the most appropriate.
A Legitimate Interest Assessment can assist charities in assuring they are legitimately processing personal data and demonstrate compliance.
The ICO recommends applying the following three questions when considering legitimate interests as a lawful basis:
- Purpose test - Is there a purpose to processing the data?
- Necessity test - Is the processing of data necessary for that purpose?
- Balancing test - The charity must balance its interests against the individual’s. If individuals would not reasonably expect the processing, or it would cause unjustified harm, their interests are likely to override the charity’s legitimate interests.
Charities should specify the purpose for processing personal data; one example would be having a legitimate interest in increasing donations. The ICO’s Legitimate Interests Assessment (LIA) template can assist charities in deciding whether or not legitimate interests is likely to apply to the processing.
The ICO has also helpfully provided the following example to assist charities in understanding how legitimate interests may be used as a lawful basis to process personal data:
A charity wants to send fundraising material by post to individuals who have donated to them in the past but have not previously objected to receiving marketing material from them. The charity’s purpose of direct marketing to seek funds to further its cause is a legitimate interest.
The charity then looks at whether sending the mailing is necessary for its fundraising purpose. It decides that it is necessary to process contact details for this purpose, and that the mailing is a proportionate way of approaching individuals for donations.
The charity considers the balancing test and takes into account that the nature of the data being processed is names and addresses only, and that it would be reasonable for these individuals to expect that they may receive marketing material by post given their previous relationship.
The charity determines that the impact of a fundraising mailing on these individuals is likely to be minimal; however, it includes details in the mailing (and each subsequent one) about how individuals can opt out of receiving postal marketing in future.
We understand that it can be a difficult task to complete an LIA and assess whether legitimate interests can be applied to processing activities; however, the team at Harper James are here to help you every step of the way.
Where do we report breaches?
Just like any other data controller, if a breach has occurred at a charity and is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the ICO within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, the charity must also notify those concerned (the data subjects) without undue delay. Failure to notify a breach when there is a requirement to do so can result in a fine.
For charities there is a second line of reporting. As well as reporting a data breach to the ICO, a charity will also need to consider whether the data breach is a serious incident and, if so, whether it requires reporting to the Charity Commission. The Charity Commission is the regulator of charities in England and Wales and maintains the charity register. It is an independent, non-ministerial government department accountable to Parliament. The charity trustees or Data Protection Officer (DPO) should decide whether an incident is significant and should be reported to the Charity Commission. To assist, there is a list of the types of incidents to report and not to report.
The Charity Commission guidance states:
If trustees fail to report a serious incident that subsequently comes to light, the Commission may consider this to be mismanagement… may prompt regulatory action… if further abuse or damage has arisen following the initial incident.