Implementing GDPR in a Small Charity

Several months on from the introduction of the General Data Protection Regulation, it is impossible to estimate how many of the nearly 200,000 UK charities consider themselves to be ‘GDPR compliant’. In June the Foundation for Social Improvement asked its membership of over 6000 small charities (all with a turnover of under £1.5 million) whether they were ready for GDPR, and 37% of respondents answered that they were ‘still in the process of getting ready’.

This statistic shouldn’t necessarily be surprising. Whilst household names such Facebook and Google could (and should) allocate vast resource to ensure their data protection obligations are met, small charities simply don’t have that luxury. Often the staff member or volunteer responsible for data protection has multiple other roles within their organisation, which itself invariably doesn’t have the money to invest in technology that would ease the administrative burden of ensuring information rights are upheld.

This is not to say that small charities should feel overwhelmed by the apparent mountain that the GDPR represents. Here is a simple, low-cost, ten step checklist of what a small charity can do now to bring itself in line with the new legislation:

  1. Designate responsibility for data protection

It is vital that a culture of compliance is established in your charity around data protection; the first step in this process is to appoint an individual responsible for it. Ultimately this could be anyone, but this person needs an appropriate level of seniority and independence to have access to senior management or the board of trustees whilst maintaining the freedom to conduct audits and checks.

  1. Audit the data you hold, and the lawful basis you have for processing it.

The key principle of the GDPR is that you should only process the minimum amount of personal data necessary to fulfil your stated purpose. Undertake an organisation-wide audit of the different types of personal data you hold. The key questions you should be asking in this audit are:

  • Are you holding or processing personal information for which you do not have a lawful basis? (For instance, an individual has not given informed consent.)
  • Are you holding or collecting personal information that you do not use for your stated purposes?

If you discover you are processing data without a lawful basis, you should consider its destruction, or look to re-establish a lawful basis (see step four for more information about consent – other forms of lawful basis, such as legitimate interest, can also apply). Personal data that you are holding but do not use to fulfil your purposes should be destroyed, and the collection of it should cease.

  1. Agree a data retention schedule

The GDPR states that you must take reasonable steps to keep personal data up-to-date, and keep it for no longer than you need it. For both of these reasons, you should consider establishing a schedule that spells out how long you retain different types of personal data before its destruction. There are no firm rules for how long you should store personal data, but bear in mind there are legal obligations around the retention of financial and HR data.

  1. Review your consent methodology and records

If you rely on consent as a lawful basis for processing, it is important to review exactly how you obtain and document consent from individuals because the rules are tighter under GDPR. Key points to consider are:

  • Consent requires a positive opt in (ie. no pre-ticked boxes) and must be given for clear and specific purposes.
  • You must keep documented evidence of consent (who, when and how you told people).
  • In the case of children under 16 years, parental or guardian consent is required for any data processing activity.

If you find that consent was not given positively or explicitly, or you do not have appropriate consent records, you should consider asking individuals to re-opt in, or find another lawful basis for processing.

The solution for large charities would invariably be a paid-for CRM to ensure that consent is documented, but there are free solutions such as Hubspot available for smaller organisations, and even a well-managed spreadsheet containing dates and links to consent records would also do the trick!

  1. Communicate your privacy information

In order to be fair, transparent and accountable when processing personal information, it is vital that you clearly communicate your privacy information. Create (or refresh) a privacy notice that is available to individuals when they provide their information, setting out the reasons why you are collecting their data, what you intend to do with it and how you uphold their individual rights.

  1. Consider how you uphold rights of the data subject

A key component of your privacy notice should be information on how you uphold the rights of data subjects, including the right to access their data, and have it rectified or erased. Internally, you need to carefully consider of all of the individual rights included under GDPR and how your internal processes need to be adapted.

  1. Define your data breach procedure

Even the best laid plans cannot necessarily prevent a data breach from taking place. In the event that personal data is lost, stolen, corrupted or otherwise compromised, you must be clear on what your response will look like, who you will inform and when. A data breach could cover anything from leaving a memory stick on a train, to having your database hacked.

  1. Review your IT security

There is little point in having robust data protection procedures in place if your IT security is not up to scratch, as a weak IT infrastructure heightens the risk of a data breach from external threats. Check out the National Cyber Security Centre’s simple, low-cost ten step guide for protecting your charity in cyber space.

  1. Create your updated Data Protection Policy

It is good practice for your charity to have an internal policy that clearly spells out your approach to the issues outlined in all of the above steps. This document can be used to train staff, record processes to be followed and be relied upon as a point of reference in instances of data breaches.

  1. Train your staff and volunteers

All staff and volunteers should have a clear understanding of how data protection policy and best practice will affect their roles. Based on your data protection policy, organise training sessions for your team which include key ‘do’s and don’ts’ around data protection and lessons around processes and procedures.


Martin George, Programme and Compliance Manager at the Foundation for Social Improvement