Data protection services are important for any organisation in any industry as GDPR covers all aspects of data use, processing, and storage, no matter who is storing it. This includes charitable organisations that collect and process the data of donors, staff members, and third parties on a continuous basis. Therefore, it is vital that not-for-profit organisations (NFPs) hire a Data Protection Officer (DPO) or outsource GDPR services to a company that has expertise and knowledge of all things data security.

What is GDPR?

GDPR came into effect on the 25th of May 2018 across the European Union. It refers to the way in which any organisation handles data and was incorporated into the UKs data protection law after the Brexit transition period. It protects the personal data of both UK and EU citizens, which also affects charities and the data they deal with on a daily basis. The ICO (Information Commissioner’s Office) is the regulator of GDPR in the UK, and charities are treated in the same way as all other organisations that the regulations affect, even though they do not collect and store personal data for profit. This is due to the potential for data breaches and violations of privacy.

How are charities affected by GDPR?

Any organisation that processes data and might be classified as data controllers are subject to this regulation. Any personal information and data that is collected and stored relating to users, donors, volunteers, and employees is relevant to this. Charities, the same as any type of organisation, must have a reason for collecting and storing data.

Once the data is understood, there are a range of processes and rules that must be implemented to meet rigorous GDPR compliance. Outsourcing to a Data Protection Officer (DPO) or wider GDPR services will help the charity to get a handle on what is required of them and how to protect all data that is collected and how it is processed. Charities have a legal obligation to handle all personal data in a lawful, fair, and transparent way with legitimate interest. Legitimate interest for a charity can be tested by asking the following:

· Do you have a reason to process the data in the first place?

· Is data processing required?

· Is the legitimate interest at odds with the rights and freedoms of the individual in question?

A charity must have the evidence to support any data processing taking place and should offer complete transparency to the process and the reasons behind data collection and processing.

How do charities stay GDPR compliant?

It might seem a bit daunting at first for charities to fully understand and implement GDPR policies, but with the help and guidance of expert GDPR services, there is a clear and thorough process that can be followed successfully. This is especially the case for smaller charities who have not appointed a DPO (Data Protection Officer).

Acquire consent

The first thing to do as a charity is to provide people with an explicit choice of what data they provide you, giving them an easy way to withdraw their consent if they wish. This simple approach is a great way to build trust.

Be clear with purpose of data

It is important that you are transparent at every stage. Provide clear information about why you are gathering information and data, how your organisation will process and manage the data, and whether it is for purely operational purposes or if there is a marketing angle that they need to be aware of.

Secure data protocols

Personal data should only ever be accessible to those who have a valid reason for accessing it. Data sets and important documents that need to be kept separate and secure should be protected as such, with separate secure passwords and encryption protection.

Clear documentation

To comply with GDPR as a charity you need to document and update your processes and protocols on a regular basis. Evaluating these GDPR compliance documents ensures that your policies are compliant with the most recent regulations and there is a clear process in the event of a data breach.

What are the penalties for non-compliance?

Any organisation that is deemed to be non-compliant with GDPR, whether a non-profit or not, could face harsh financial penalties. The risk is a fine of up to 4% of its annual global turnover. There are some special considerations for charities though. This relates in particular to the processing of the personal data of minors, where there might be a requirement for a charity that deals directly with minors to bypass the stipulation that consent must be sought from the person with ‘parental responsibility’ over the minor in question.

Outsourcing your GDPR services as a charitable organisation helps to ensure that the data of all staff, third parties, donors, and recipients of charity involved in the enterprise is kept safe and secure at all times. There is so much data collected, processed and stored every day within a charity, it is understandable that there must be expertise and knowledge when it comes to the implementation of robust data privacy and security policies and processes. Remaining compliant with GDPR is important to maintain trust with the general public, with staff members and trustees of the charity, and to ensure that you do not fall foul of potential hefty fines.