Most charities cannot fail to have noticed that the General Data Protection Regulation (GDPR) comes into effect across Europe on 25 May 2018.
Many charities have been working on their GDPR compliance plan for some time and we have been helping our clients to develop and implement their data protection strategy.
But what should you do if your charity has not thought about the GDPR yet? And what if you’re on the road to compliance, but you know you won’t be 100% there by the end of this month?
Our strong advice is to avoid looking at GDPR compliance as a tick-box exercise. We know that charities have limited resources and we understand the temptation to look for a quick-fix or a one-size-fits-all template but, when it comes to data protection, this approach could make things more difficult.
Every organisation collects and uses people’s personal information for different reasons – while one approach might work perfectly well for charity A, the same approach would not work for charity B. If you try to copy what others are doing, you’re unlikely to arrive at the best solution for your organisation and you might well find yourself feeling confused and overwhelmed.
Step by step – taking a strategic approach
The first step towards GDPR compliance is to list all of the ways that you collect and use people’s personal data (this could be names, addresses, email contact details, health information, equalities monitoring information, criminal convictions data, etc.). You then need to make sure that what you’re doing is lawful and fair, which might mean asking people to give you consent, but might just as well be a process of reassuring yourself that what you’re doing is GDPR compliant already.
If you rush straight into asking for people’s consent to keep in touch with them, only to find out later that there would have been another lawful basis for staying in contact, it will be very difficult to turn back the clock. The Information Commissioner’s recently-published guidance on consent warns:
"Even if you could originally have relied on a different lawful basis, once you choose to rely on consent you are handing control to the individual. It is inherently unfair to tell people they have a choice, but then continue the processing after they withdraw their consent."
Once you are clear about what your charity is doing with people’s personal data, you’ll be in a much stronger position to work out what your organisation needs to do and where you should focus your efforts.
Implementing your policy
Most charities will need to update or draft new privacy notices to inform people of how their personal information is being used. Even the smallest charity will need a privacy notice should it collect personal information via its website or keep a record of its supporters.
Staff training and awareness is also important as employees, volunteers and trustees are the ones who will be handling personal information on a day-to-day basis.
Many charities use third-party suppliers to provide services such as IT support, payroll, and event management. Third parties such as these usually act as data processors; the GDPR (Article 28) contains a list of terms that must be included in a written agreement with them. It might also be a good idea to review or put in place data sharing agreements with partner organisations to ensure everyone is clear about what information can be shared and where each organisation’s responsibilities lie.
It’s true that many charities will have a little way to go in order to meet GDPR standards, but data protection has always been something that should evolve with your organisation. Having a good grasp of the data processing that your organisation carries out, a clear plan, and taking things one step at a time will leave your charity in a much better position than a rushed quick fix, or allowing panic to stop you from doing anything at all.
Whether you’re half way there or still at the start, our charity data protection lawyers can help.