What is GDPR?
There are four letters on everyone's lips at the moment: GDPR, otherwise known as the General Data Protection Regulation. This new legislation applies to all types of businesses and organizations, including charities, and requires a clear organizational strategy that brings everyone on board — from the chief executive and board of trustees through to junior staff and volunteers.
Coming into force on 25 May 2018, the GDPR will replace the U.K.’s current Data Protection Act (DPA) 1998 governing how organizations can legally use individuals’ data. (Though the GDPR is a European Union (EU) regulation, the U.K. government has confirmed that it will apply here even after Brexit.) But what does that mean for your charity? How is the GDPR different to the DPA? How can you prepare for the GDPR and make sure you’re abiding by the law?
One thing is clear: the clock is ticking, so your charity needs to act quickly.
And, if you were in any doubt as to the significance of the new legislation, Information Commissioner Elizabeth Denham, who heads up the Information Commissioner's Office (ICO) — the independent regulator which protects the U.K. public's information rights and data privacy — has called this "the biggest change to data protection law for a generation."
"If your organization can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organization open to enforcement action that can damage both public reputation and bank balance," she continues. "But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit."
The ICO says that good data protection practices — such as being transparent and accountable to donors about the collection and use of personal data — will help charities to build trust and reputation. On the other hand, charities that don’t comply risk losing the trust of supporters and incurring financial penalties, although Denham has said in a recent blog that "issuing fines has always been and will continue to be a last resort."
GDPR privacy for individuals?
Applicable across the EU, the GDPR aims to give individuals more rights and protection in how their personal data is used by organizations. Personal data can include anything from a person’s date of birth to their phone number or email address. The new regulation has specifically created new rights for individuals while strengthening some of the existing rights under the DPA.
Under the GDPR, members of the public have the following rights:
- The right to be informed — individuals should know and understand how their data is being used.
- The right of access — individuals have the right to obtain confirmation that their data is being processed and gain access to their personal data.
- The right to rectification — individuals are entitled to have personal data corrected if it is inaccurate or incomplete.
- The right to erasure — individuals have the right to have their personal data removed from an organization’s database. The charity would be able to retain data for regulatory reasons (for example, payments made), so not everything can or should be deleted.
- The right to restrict processing — individuals have the right to block or suppress processing of personal data (processing ranges from collection, recording and storing of data to sharing of information). When processing is restricted, an organization is permitted to store the personal data but not further process it. An organization can retain just enough information about the individual to ensure that the restriction is respected in future.
- The right to data portability — individuals can obtain and reuse their personal data for their own purposes.
- The right to object — individuals can oppose the processing of their personal data based on legitimate interests or the performance of a task in the public interest, or where the data is being processed for direct marketing purposes or scientific, historical research or statistical purposes.
- Rights in relation to automated decision making and profiling (using data to build up a picture of a person) — the GDPR safeguards individuals against the risk that a potentially damaging decision is taken without human intervention.
GDPR requirements for charities
These rights place new responsibilities on any organization dealing with individuals’ data. They are similar to those under the DPA, but with added detail and a new accountability requirement which requires organizations to show how they are complying with the GDPR (for example, by documenting the decisions they take about a processing activity). Some organizations employing fewer than 250 people may be exempt from keeping records of their processing activities but this depends on the nature of their work.
The responsibilities (known in ICO terminology as principles) are:
- Process personal data fairly, lawfully and transparently.
- Obtain personal data only for specified and legitimate purposes.
- Limit personal data to what's relevant for the intended purpose.
- Update personal data to make sure it is accurate.
- Store personal data only as long as needed.
- Take appropriate measures against unlawful or unauthorized processing or accidental loss of personal data.
The GDPR does not have principles relating to individuals’ rights or overseas transfers of personal data in the way that the DPA does. Instead, these are addressed in separate articles — GDPR Chapter III and Chapter V — which means that the requirements to process data in accordance with individuals’ rights and to not transfer data outside the European Economic Area unless there is an adequate level of protection still exist. Overseas processing of EU nationals’ data also needs to conform to the GDPR.
To understand the GDPR in detail, explore the ICO's data protection reform hub on its website.
GDPR preparation — its time to take action
The GDPR applies to 'controllers' and 'processors' — the definitions of these terms are broadly the same as under the DPA. In other words, the controller (usually an organization) says how and why personal data is processed and the processor (any person other than an employee of the data controller, for example, a third party you share data with, such as a call centre) processes the data on behalf of the controller.
Also, if you buy personal data from a company, they are a data controller for the purposes of selling the data, and you are a data controller once you buy it, so take care to understand your responsibilities if you are purchasing lists from a broker.
If you’re responsible for data protection at your charity or if you’re the CEO of a small organization that is subject to the DPA, it’s important to understand the additional steps you need to take once the GDPR replaces the DPA.
GDPR expert Henry McNeill says now is the time to start planning for the GDPR before the last minute rush starts. "The GDPR can provide your charity with many benefits, including credibility and transparency with your stakeholders, and you want to treat this project like any other to build integrity among funders and grow your income."
The new regulation may feel daunting especially for small organizations with limited staff resources. But the Institute of Fundraising’s head of policy and research, Daniel Fluskey, says charities don't need to panic.
"GDPR is an evolution, not revolution. The Data Protection Act already requires that data is processed fairly and lawfully, so charities shouldn't have too much more to do. Take it as an opportunity to review how you process data already and make sure you've got plans in place to make any changes that you need to be ready for next May,” explains Fluskey.
Much of the debate about GDPR so far has been around how fundraisers can lawfully contact donors, and whether organizations should only contact supporters who have opted in to give their consent.
Fluskey says that under the GDPR charities don’t need consent from supporters for all forms of direct marketing and can still send direct marketing by post or make calls to numbers not registered with the telephone preference service (a central opt-out register where individuals can say no to sales or marketing calls), as long as they satisfy the legitimate interest condition.
He explains: "Giving people an opportunity to opt out of these will still be acceptable, but that won’t mean a charity has consent — it will rely on legitimate interest and charities have to make sure [they] get this right. This is a tricky balancing act. A charity’s legitimate interest in furthering their cause must not override the rights of the individual, so the reasonable expectations of the individual based on their relationship with the charity must be taken into account. Ultimately, GDPR is very clear that an individual’s choice to say 'no' is paramount."
The Institute of Fundraising (IoF) has produced guidance for fundraisers to explain the key parts of the GDPR in relation to direct marketing.
But while direct marketing is important, data protection is not just a fundraising issue and applies to all aspects of running a charity, including campaigning, marketing, managing volunteers and recording information about service users, says Fluskey.
He writes: "Charities will need to adopt a whole organization approach, with a strategy agreed at board level. Volunteers are no different to employees; they must be trained and equipped to protect data. Arrange an audit of what personal data you hold, where it came from and who you share it with to get a sense of what you'll need to do next."
Help with GDPR
The ICO is offering advice via its helpline and live chat service. It also provides an overview of the GDPR and a self-assessment toolkit as well as 12 tips for preparing for GDPR.
Meanwhile, the National Council for Voluntary Organisations is offering training and events (at a cost) on GDPR with sessions taking place in Birmingham, Bristol, London and Manchester. The Directory for Social Change is also running paid-for GDPR events at its North London office.
If you’re a fundraiser, the IoF is running paid-for events on GDPR in Exeter, Glasgow and London.
This article draws on the expertise of Henry McNeill, advisory and non-executive director of services for technology growth, mergers, acquisitions and integration at ComputerBright Ltd, which uses IT to achieve business improvement for data driven businesses.