The impact of GDPR on the processing of employee, supplier and customer data, is well-known, but spare a thought for charities, who also have to manage data related to volunteers and donors.
Charities’ initial concerns focused on the administrative burden of GDPR. A survey by the Institute of Fundraising last September* showed that a third of all charities surveyed had done nothing about GDPR at that stage and almost half felt that they didn’t have the expertise in-house to deal with it.
But while more guidance from the Information Commissioner’s Office has made the picture clearer, it still presents problems, as Francis Evans, head of the executive committee at a faith-based UK charity, explained.
“We have two particular difficulties,” he said, “because of the nature of our support base – one is that our supporters and donors are quite elderly and don’t really want to engage with the administrative process. After sending the obligatory e-mails we are supposed to delete them from our database if they don’t opt in, but we know that often they don’t want that. We arranged for someone they knew to call them and make a note of the call for our records. It was time-consuming, but worth it not to lose touch with them.
“The second difficulty is that our volunteers have their own networks with whom they keep in touch about the charity’s activities. Their record-keeping is not GDPR-compliant and the dividing line between communication from the charity and from a friend is blurred. In this case, we decided that if the mailing was coming from an employee then it must be sent from an official address using the charity’s systems. Personal mailings from supporters are allowed on the understanding that they keep their own records and are not acting on behalf of the charity.”
A key principle of GDPR is that personal data must be processed lawfully, fairly and transparently. Many charities rely on legitimate interests (i.e. that the processing is necessary for the purposes of its legitimate interests or those of a third party) as their lawful basis for personal data usage. The requirement for fair and transparent processing make it more important than ever that charities (and all organisations) set out the details of their processing activities. This includes what data they are processing, their lawful basis for doing so, information about any data transfers, their data storage and deletion policies and the data subject’s rights in a privacy notice . People still have an absolute right to object to direct marketing, and the rules on electronic communications – in particular the requirement for the recipient to consent to most types of direct marketing by email and SMS – still stand.
There is no magic formula, but if charities have reviewed and cleansed their data, documented their decisions and actions in line with GDPR, and are prepared to deal with subject access requests (SARs) and data breaches in accordance with the new requirements, they will be on the right track.
The ICO has drawn together resources to help charities, ranging from its FAQ list to checklists and business resources pages. Its micro business page might also prove helpful.
Key Action Points
Carry out a data audit to assess what personal data the charity holds and how it flows around the organisation – how is it collected? where is it stored? who has access to it?
Identify any gaps or areas of non-compliance, come up with a plan to remedy them and implement it.
Policies and privacy notices – update and/or develop new inward-facing policies for staff and volunteers regarding processing data, dealing with SARs and data breaches, etc. as well as outward-facing privacy notices relating to how you process personal data belonging to donors and supporters.