
Holger Westphely

Senior Investment Manager

Charities Aid Foundation


WHAT DO I NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION REGULATION?

27 November 2017

In the new year, the General Data Protection Regulation (GDPR) is set to be a major challenge for charities. At CAF, we have a whole team dedicated to preparing the organisation for 25 May 2018, when GDPR comes into force, but putting myself in the shoes of many of our clients, the picture looks somewhat different. Given the widespread use of personal data in many organisations and the potentially crippling fines that can be imposed for non-compliance, this issue cannot be ignored. To help raise awareness and highlight the key issues, especially for small- and medium-sized charities, we have prepared a brief summary of this vital topic.


WHAT IS IT ALL ABOUT?

GDPR is the new data protection legislation which comes into force on 25 May 2018. It is stricter than the current regulation, the Data Protection Act (DPA): think of it as the DPA on steroids! It is a Europe-wide regulation introduced to protect any individual whose data is retained by any organisation. However, this isn’t just about a set of regulations; it is much more about increasing trust and transparency with an organisation’s stakeholders, whether they are donors, staff or employees. Ultimately, being GDPR compliant should be a benefit, as it means those who do share information should have greater confidence in the organisation they are sharing it with.

WHO IS AFFECTED?

The new regulation affects anyone holding and handling personal data such as donor lists, newsletter distribution lists, or beneficiary, volunteer or employee information. Ultimately it relates to any data by which an individual can be identified (e.g. name, contact details, IP address, associations, etc.).

WHY DO I NEED TO CARE?

Since December 2016, thirteen charities have been fined by the Information Commissioner’s Office (ICO) for breaching the Data Protection Act. The size of these fines was reduced because they were charities, but this will not be the case in future under GDPR, where in the worst-case scenario a data breach can attract a fine of 4% of annual global revenue or €20m, whichever is the greater. Even a relatively modest breach could cost tens of thousands of pounds. Gone are the days of a strongly-worded letter from the ICO for a data breach. The ICO has teeth and it will bite hard.

The impact on the organisation will not just be the size of the fine but the damage to its broader reputation. Fines and adverse publicity don’t breed confidence in donors and funders. It is also expected that there will be an increase in litigation. Win or lose, this could bankrupt a charity.

WHAT IS CHANGING FROM DPA, THE OLD REGULATION?

The emphasis under GDPR is on “Privacy by Design”. Data privacy should be the default, not an afterthought. Consent for the use of personal data for marketing, or for sharing with third parties, must now be strictly “opt in”. No more “Tick this box if you don’t want…”; from now on it is “Tick this box if you do want…”.

Access to people’s personal data will need to be more robustly controlled. Many charities are used to doing this for beneficiary data but less so for donor data. Under GDPR, data needs to be managed in such a way that it is clear how those access controls operate and that only those who need access have it.

Individuals now have a “Right To Be Forgotten”. The organisation must fully justify retention of personal data and, at the request of the individual, must delete any superfluous, out-of-date, inaccurate or unnecessary data. “We might need it for marketing” is not a justifiable reason to retain data.

WHAT DO I NEED TO DO NOW?

The first step should be to audit all the personal data you hold and establish, at the very least: what the data is, why it is held, how it is captured, how it is stored and retained (including back-ups), who has access to it, and how it is being used.

You should assess and fully understand your current practices both from a business process and systems perspective. Legacy systems and procedures may well be non-compliant. If you are in any doubt, seek professional help.

WHERE CAN I FIND OUT MORE?

The ICO has produced a really helpful ‘Getting ready for the GDPR’ toolkit, which includes an online self-assessment.

I recommend starting now by assessing the size of the task to be completed by 25 May. If you have to make major changes to your systems, that can take considerable time. Don’t leave it to the last minute!

Many thanks to Mike Griffin, a member consultant with Eastside Primetimers and an experienced data protection specialist, who has helped me enormously with this post. If you need help or additional advice on how to get your organisation ready for GDPR, please call now on 0207 250 8334 or email dawn@ep-uk.org.

WANT TO KNOW MORE?

Visit our website, contact the team on 03000 123 300 or email us at venturesome@cafonline.org and we’ll be happy to help.

Charities Aid Foundation © 2018 | Registered Charity Number 268369