GDPR – What Small Charities Can Do Now
With the GDPR deadline fast approaching, Martin George, The Foundation for Social Improvement (FSI’s) Programme and Data Manager, shares his experience in learning more about GDPR and the resources small charities can access to clarify next steps to take.
There has been a huge amount of talk about GDPR over the last few months as organisations – both large and small – begin to gear up for May 2018.
The EU General Data Protection Regulation (GDPR), due to come into force on 25 May 2018, is the culmination of four years of work in the EU parliament and aims to normalise data privacy laws across Europe. Although Britain is of course set to leave the European Union, the UK government has indicated that Brexit will not impede the implementation of GDPR. It is therefore important that UK small charities are ready for when the new regulation ‘goes live’, especially as new hefty fines will be imposed on those not complying with the new regulations.
Whilst 25 May 2018 may seem just around the corner, official guidance around GDPR is still unclear. Few organisations (even the Information Commissioner’s Office) are yet to publish revised privacy notices and so there isn’t a great deal of real-examples small charities can get their hands on in order to update their data policies and procedures. Nevertheless, there is already a mind-boggling array of webinars, blogs and resources out there for those who are responsible in their organisation for implementing GDPR. So, I have tasked myself with trying to make sense of what I have read and consumed in recent weeks.
Key Points to Consider
- I have heard it many times already – GDPR is an ‘evolution not a revolution’. Whilst it is the first significant update to UK data protection law in nearly 20 years, if you are proactively complying with the current Data Protection Act (1998), you should be well on your way to being ready for May 2018.
- GDPR puts greater emphasis on transparency and accountability. Through your privacy/data protection policy, you should aim to be clear with your supporters and beneficiaries about what data you are collecting, for what purpose you are collecting it and how to exercise their rights (for rights, see the ICO guide in the further reading section below). You should also be clear internally about the procedures to be followed should your organisation fall victim to a data breach.
- Consent to the processing and use of personal data requires a positive opt-in when no other lawful basis applies. In other words, there needs to be an unambiguous indication from a supporter or beneficiary of what they wish us to do with their data – this could be through a tick box with a clear caption or description, for example.
- Despite press speculation, breach reporting (when personal/confidential data is viewed or stolen by unauthorized parties) will not be mandatory, unless the breach is likely to infringe on people’s rights and freedoms. For more information, see the ICO guide in the further reading section.
What steps you can take now:
- If you haven’t done so already, start to audit the data you hold. Thought-shower all of the personal data your organisation currently keeps, obtains or receives. This can be information from website registrations, details given at fundraising events, or information you collect from third parties. Don’t forget about details you keep about current and past employees or volunteers as GDPR is relevant to all data collected by an organisation.
- Map out, in a flow chart, or similar, how this personal data is processed through your organisation (ie. Where it is stored, how it is used, and who it is shared with – including any third parties). This will help you to analyse what you currently do, what could be improved and what ultimately needs to be included in your privacy notices and data protection policies and procedures.
- Consider and agree the roles and responsibilities within your organisation for data protection. A Data Protection Officer (DPO) is not mandatory under GDPR and the role does have legal ramifications – see the ICO guide under ‘further reading’. However it is important to ensure that someone in your organisation with appropriate knowledge and seniority has delegated responsibility for the proper handling of data, and that this individual is properly consulted during the initiation of new projects and internal change.
- Begin to consider your organisation’s policy for escalating and communicating any data breaches, and how your staff and volunteers are made aware of this.
- Taking the above considerations into account as well as the events/further reading sections below, begin to draw up your updated privacy notices. With no solid finalised guidance on GDPR it is impossible to currently be compliant, but what is important is that you are able to show you are taking steps within your organisation to meet the changes coming into effect.
Training You Can Access
- FSI half day training, ‘GDPR Essentials’ in London (30th January) and Swindon (31st January)
- GDPR Breakfast Meeting, hosted by Civil Society Media
- The FSI GDPR workshop at the February 2018 London Skills Conference
- NCVO Webinar Recording ‘What Does GDPR Mean for your charity’
- Blackbaud’s Webinar Recording ‘Communicating Privacy Practices to Donors’
Essential Further Reading and Resources
- eugdpr.org – giving the history and broader context of GDPR.
- The FSI’s General Resources on GDPR, including informative guides from the Institute of Fundraising and Blackbaud.
- Information Commissioner’s Office, ‘Guide to the General Data Protection Regulation’
- Information Commissioner’s Office Blog – Myth busting and sorting fact from fiction.
- NCVO, ‘How to Prepare for GDPR and Data Protection Reform’