Posted by Will Hanbury on January 10, 2018
The Information Commissioner’s Office (ICO) has recently published an FAQ guide to the General Data Protection Regulation (GDPR), aimed specifically at charities.
GDPR will take effect from 25 May 2018 and covers everyone about whom you keep personal data, including employees, volunteers, service users, members, beneficiaries and donors.
The document covers 12 areas related to the GDPR and signposts users to a package of tools aimed at small organisations including charities in preparation for its implementation.
The document does suggest, however, that the ICO will not produce any further guidance tailored to the charity sector.
“Our guidance focuses on the general application of the GDPR. But we are engaging with representatives from the charity sector to assist them in producing their own sector-specific advice and guidance”
The advice also makes it clear that it is not necessary to rely on consent in order to process data or contact donors.
"you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact and people would not be surprised or likely to object"
Some health charities have been concerned that the requirements will make it impossible for them to process special category personal data, however, the guide seeks to reassure health charities that GDPR will not prohibit this.
“The conditions for processing special category data under the GDPR in the UK are likely to be similar to the Schedule 3 conditions under the 1998 Act for the processing of sensitive personal data. Conditions for processing special category data are set out in the Data Protection Bill and more detailed guidance will follow when it is finalised”
So what do you need to do?
Charities will need to have an action plan to deal with the implementation of GDPR. This should include the following:
1. Review what personal data you hold and where it is stored. You will also need to consider how best to protect the information.
2. Educate all Trustees, employees and volunteers so they know what GDPR is and why it is important.
3. Update internal systems, procedures and policies in order to meet the requirements of GDPR.
The ICO has published 12 steps to take in preparation for GDPR, which can be found here and they also have a dedicated advice line for small businesses and charities, the details of which can be found here.
The ICO lists five top data protection tips for charities, as follows:
1. Tell people what you are doing with their data
2. Ensure your staff are adequately trained
3. Use strong passwords
4. Encrypt all portable devices
5. Only keep personal data for as long as necessary
If you have any questions, or would like further information, please feel free to contact a member of our Charities team.