GDPR has been set up to protect an EU individual’s data and information, so why is it important to charities?
The changes in the law apply to all electronic and paper-based data that a charity holds on a living EU national. From May 2018, charities may only contact donors and supporters lawfully for fundraising, campaigning, marketing and managing volunteers. It is crucial that staff and volunteers are trained and informed about GDPR, as they are likely to be the people gathering the data, and they must understand the impact a GDPR breach could have on the charity: large fines could be imposed, which takes money away from worthy causes and the people who need it most.
Charities can use this to their advantage and build loyal relationships with supporters and donors through the way they ‘ask’ for consent. Explaining clearly why data is collected and how it will be used gives the supporter the chance to ‘opt in’ or ‘opt out’ of providing their information, ensuring that those who have opted in receive welcome and relevant information from the charity.
There is plenty of detailed information and fantastic articles from professionals and industry experts but nothing that gives a simple view of what GDPR is and what it means. So, we have taken it upon ourselves to have a go…
What is it?
General Data Protection Regulation or GDPR = replacement for the Data Protection Act
When is this happening?
Goes live in May 2018
Who does it apply to?
Any business within the European Union, AND any business outside the EU that offers products or services to, and holds personal data on, EU nationals
What about Brexit?
This is tricky. If your business deals with countries within the EU and keeps data about EU residents, then YES, you must prepare for and comply with the GDPR.
If, however, your business trades in the UK only, then it’s not too clear what will happen. The government has advised that it will implement a similar regulation, but either way it is better to be safe than sorry…
Can I be fined for non-compliance?
Yes. Very hefty fines of up to 4% of annual global turnover or a maximum of €20m
What is personal data?
Any information held about an individual that identifies them
What is a data controller?
Someone who keeps and processes data and information about an individual
Why do we need it?
We’re living in a digital data-driven world and need protection from data breaches, especially as lots of companies hold all kinds of personal data
So, what’s changed since the previous regulation?
Well, that was 1998. A lot has changed since then but here are the key points:
- The world is getting smaller and companies all over the globe may hold some sort of data on EU nationals. Official line: ‘It applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not’
- Penalties are steeper, with maximum fines of up to 4% of annual global turnover or €20 million – whichever is greater!
- Consent has been made stronger. Opt-ins need to be clearer and opt-outs need to be easier.
Data Subject Rights
- You have 72 hours. You must notify individuals and controllers as soon as you are aware of a data breach that poses a risk to the rights and freedoms of an individual. This is mandatory.
- Individuals can contact a data controller for confirmation of whether their personal data is being held and how it is being used. This needs to be provided to the individual electronically and FREE of charge!
- Please delete me! Also known as the right to be forgotten. Individuals can request that a data controller erase their personal data, stop sharing their data and potentially have third parties stop processing it.
- Individuals can move their data. Known as data portability, this gives an individual the right to receive the personal data they have previously provided and move it to another controller.
- You’re ready for the GDPR, but then you realise that the form on your website doesn’t have the right legal notice or opt-in section. Make sure controllers set up appropriate technical and organisational measures straight away, not as an afterthought… It could undo all that arduous work you put in!
- You don’t need my life story. Controllers must only hold and process the data necessary for the completion of their duties. Individuals are not going to want to give you their home address and shoe size just to download your latest blog!
Who is responsible then?
A Data Protection Officer or DPO will need to be appointed for controllers and processors whose activities mostly revolve around data processing and monitoring, with internal record keeping becoming mandatory.
Your DPO can be an internal or external employee, but importantly they must be:
- An expert on data protection law and practices
- Given appropriate resources and training to do their job properly
- Reporting directly to top level management
Tons of useful information is out there if you need more detail, and the ICO has created a handy brochure on preparing for the GDPR and 12 steps to take now:
Toolkit for charities:
Information Commissioner’s Office: