We’re finally in the year of GDPR. As organisations of all sizes may feel bombarded with advice and scaremongering, spare a thought for charitable organisations that are having to get their head around the Data Protection Act update.
What do charities need to know about GDPR?
So let’s assume you already have a basic understanding of what the General Data Protection Regulation (GDPR) is. If not, or if you would like to brush up on your knowledge, you can take a look at some of the various GDPR resources ISMS.online has put together.
- GDPR glossary of terms
- What is a Subject Access Request (SaR)?
- What does a Data Protection Officer (DPO) do?
- Free GDPR resources
Although there is currently no charity specific guidance being published by the Information Commissioner‘s Office, you can use the general educational guides that the ICO has produced. The ICO is the organisation responsible for regulating the Data Protection Act and the subsequent updates from the GDPR.
- Preparing for the GDPR – 12 steps to take now
- Guide to the GDPR
- Getting ready for the GDPR checklist
Now we are going to take a look at some of the frequently asked questions that charities have been asking the ICO.
Do charities need to have a Data Protection Officer?
Like many aspects of the GDPR and any regulation for that matter, there are a number of factors which will determine whether or not your charity should appoint a Data Protection Officer.
Just like any organisation, you will be required by law to have a DPO if:
- you are a public authority;
- you practice large-scale monitoring of individual’s behaviour (like using analytics software on a website); or
- you process a large amount of special category data, or data relating to criminal convictions.
We talked a little bit about special category data in an earlier blog article on Information Commissioner’s Office updates. These are categories which are considered particularly sensitive, and if the security of that data is compromised, there could be a “more significant risks to a person’s fundamental rights and freedoms.”
It is likely that as a charity, you will be processing special category data and this can be handled (at time of writing) in a similar way to Section 3 of the Data Protection Act 1998, Sensitive Personal Data.
For reference, those categories are Race, Ethnic origin, Politics, Religion, Trade union membership, Genetics, Biometrics – where data is used for ID purposes, Health, Sex life and Sexual orientation.
But just because you might not be required under the GDPR to appoint a DPO, you can still choose to do so. Additionally, it is acceptable to employ a single Data Protection Officer to oversee a group of companies, as long as it is realistic that they would be able to manage them all.
What should a charity say in their privacy notice?
The ICO has made this easy by breaking down into four sections, the information you need to consider when writing a privacy notice; What, Where, When and How.
Determine what to include in a privacy notice
To do this you should figure out what kind of personal data your charity holds. You need to know what is being done with the data or what you plan to do with it. Then you should ensure you are only collecting and storing information that you need. The ICO also suggests that your charity should decide “whether you are creating new personal information and whether there are multiple data controllers”.
The consent to share personal information should include a positive opt-in – this means that the checkbox must not be pre-filled. Explain how you will use the information, how long you will keep it for and allow options to “agree to different types of processing“.
You could also include information on how the data links to other types of data, what you won’t use their information for and explain any genuine consequences of not giving you their information.
Where should you communicate the privacy statement?
The ICO has given examples of this:
Give privacy information:
- in writing;
- through signage; and
Consider a layered approach:
- just-in-time notices;
- icons and symbols; and
- privacy dashboards.
How to write and present a privacy notice?
The language you use should be clear and straightforward, and be in the same style as your audience.
If you have different audiences, you should provide separate notices for each. It is also important to be able to update the notice when required.
Once written, it is useful to test the privacy notice with members of staff or real users of your services. This ensures they understand the consent they are giving.
Obtaining consent from your charity’s fundraisers and donors
The ICO has written a checklist for obtaining consent for data processing with GDPR. The list sets out ways to help you identify any gaps you may have in your current processing. It may be that the consent you have obtained under the current Data Protection Act is sufficient, but it may also uncover circumstances where consent will need to be requested again, in order to comply with GDPR.
In addition to GDPR, if your charity markets to individuals by phone, email or text message, you will need to comply with the Privacy and Electronic Communication Regulation (PECR).
So I know a bit more about GDPR. What now?
There is a lot to take in, but one of the many positives of GDPR is that once the work is done and maintained, you will be marketing to potential fundraisers and donors that are genuinely interested in the work your charity is doing.
If you are looking for a tool to help you describe, demonstrate and continually manage your GDPR responsibilities, get in touch with the team and book your demo.