GDPR: what are the next steps for your organisation?

The countdown to the GDPR is done, but what if your charity is not quite ready? Alexandra Weatherdon, solicitor in the charity and social enterprise team at national law firm Stone King, says: ‘don’t fret, act’.

Over recent weeks it has been impossible to ignore the barrage of emails about updated privacy policies asking for consent to keep in touch, sometimes from organisations you’ve never even heard of. In case you’re in any doubt, the much-publicised new General Data Protection Regulation (GDPR) on how personal data is collected, used and stored is now officially in place. The Data Protection Act 2018 is also now in force, implementing the standards in the UK post-Brexit.

But has your charity managed to prepare itself in time?

Some charities, particularly smaller ones, have struggled to find the resources to carry out the necessary reviews and adjustments in time. All organisations will ultimately need to be able to demonstrate compliance with the new data protection rules, but don’t worry if your organisation is not quite there. Lots of advisers in this area have been too busy to take on more work in the run-up to implementation, and the most important factor is that you can show that your organisation has been taking positive steps to comply and has a good action plan in place.

However, now that we are on the other side of the GDPR deadline, we can recommend some key things to prioritise in your ongoing journey to compliance.

  1. Update your policies

One of the most basic ways for an organisation to demonstrate that it complies with the new data protection rules is to have a set of clear and comprehensive policies in place. Of course you also need the staff training and compliance along with the policies and procedures, but having the right policies is a good place to start. These should cover the elements required by law, as well as other useful policies and notes that will help to demonstrate understanding and compliance with the new regulations.

We would recommend drafting or updating the following policies:

  • A general data protection policy, which covers how your charity complies with the data protection legislation generally: for example, what happens in the event of a data breach.
  • A general privacy policy, which tells individuals what personal data your charity has about them and what you are doing with it.
  • A privacy policy specifically for your workforce, so that staff know what you are doing with their information.
  • A data retention policy, explaining how long you keep different categories of personal data.
  • A basic IT policy, which sets out how personal data is kept secure within your charity.

  2. Checklists

As well as having up-to-date policies, there are other considerations for organisations carrying out their GDPR compliance projects. We recommend that charities work through several checklists. Even if drawn up retrospectively, these help to ensure your charity has considered the key areas and can be used as additional evidence to support your charity’s understanding and compliance.

We suggest ticking off:

  • A personal data audit checklist that clearly accounts for all personal data that your charity holds or handles.
  • A data processor checklist that shows which provisions must now be included in a data processing agreement under the GDPR.
  • A privacy impact assessment checklist setting out the factors which need to be considered if your charity is carrying out ‘risky processing’.

  3. Direct marketing and GDPR

Most charities rely on an element of correspondence with existing or potential donors to generate some of their funds. However, if you are sending these fundraising communications to individuals by email, the charity will need opt-in consent to do this, hence the recent barrage of GDPR consent emails. A robust and up-to-date contacts database is necessary, recording only those for whom you have an appropriate legal basis to contact with marketing material. So how can you reach people to obtain consent for fundraising and marketing by email?

A few tips include:

  • Social media. Charities could run a social media campaign to encourage followers on their social media platforms to give their consent to marketing by email, including a link to an online form and an up-to-date privacy policy.
  • Events. Organisations should take advantage of any events they are hosting and attending to gain the necessary consent from relevant individuals, either with a paper or online form.
  • Website. Charities should make the most of their resources and make it as clear and easy as possible for visitors to their website to opt in and give their consent to be sent marketing and fundraising materials in future.

Need more support?

Useful information about the GDPR can be found on a number of websites, including:
