Data protection compliance for charities and not-for-profit organisations

Organisations in the third sector hold and use many types of personal data. By their very nature, third sector organisations interact with a large number of internal and external individuals and hold a great deal of data about them, for example: employees, volunteers, trustees, executive board members, donors/supporters (including legacy donors, high-net-worth individuals, direct debit donors and one-off donors), fundraisers, beneficiaries, members, customers, players of lotteries, and contacts at partner organisations or at organisations that receive grants from your charity. All processing of the personal data held about these individuals must comply with data protection legislation.

Issues to look out for: We have identified a few areas that are likely to be relevant to organisations in the third sector. How do you deal with the following?

  • Use of the personal data you hold: you should understand what data you have, why you have it, what you do with it and how you store it. Individuals also have a right to be told what you do with their personal data.
  • Donor profiling: if your charity profiles its supporter database or wealth-screens potential donors, your organisation must make sure that this is done in accordance with the law and that donors are told about it.
  • Fundraising: additional rules govern certain types of fundraising, such as marketing by e-mail, text message and telephone call, and the GDPR has raised the bar for valid consent. Organisations should also understand how they can lawfully use marketing lists under the GDPR, and any additional obligations that apply under fundraising regulation and/or gambling legislation (if you run lotteries).
  • Third party providers: this could include IT providers, contractors, agencies and other suppliers and service providers. If third parties store or handle personal data on your behalf, there are specific requirements on how you choose them and on the terms you must contract with them on. You will also have to tell individuals about third party providers who have access to their personal data.
  • Data breaches: the GDPR introduced new obligations relating to personal data breaches, including a requirement to notify the Information Commissioner's Office (ICO), the UK supervisory authority, within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, and to tell the affected individuals themselves without undue delay where the breach is likely to result in a high risk to them. Some breaches (such as unauthorised disclosure of donation details) may present such a risk and so trigger these notification requirements. It is essential to have a plan in place before a breach happens.
  • Websites: as a result of the GDPR, it may be necessary to update your privacy policy. The GDPR (not to mention the pending ePrivacy Regulation!) also affects the use of cookies, which could mean you have to review the cookies used on your website and your cookie policy to ensure compliance with data protection legislation.
  • Trading subsidiaries: if your charity shares data with its trading subsidiary, or receives data from it, you need to make sure that a data sharing agreement is in place and that individuals are aware of the sharing.

Protect your donations: We have all heard about the potential (eye-watering) fines for non-compliance with data protection law: up to 4% of annual worldwide turnover or €20m, whichever is higher! The ICO is not afraid to go after charities, as it showed in April 2017 when it fined 11 charities for practices including wealth screening and data matching carried out without donors' knowledge. The ICO can also issue enforcement notices requiring you to stop processing, which means you must stop using the data concerned: could your charity operate without its data?

Protect your reputation: More importantly, we have all seen the negative press coverage when organisations get it wrong, which can be very damaging to an organisation's reputation and goodwill (Data Analytics and British Airways come to mind!).

Compliance is a sell: Good data governance and compliance are easy sells to donors, supporters and potential partners.

How can we help?

We can help organisations, both controllers and processors, in a number of ways to suit the needs of your organisation, from template documents to tailored advice and assistance:

1. Auditing and Data Mapping

To work towards compliance you need to know where you stand currently.

We perform data protection audits to identify any compliance gaps in your processes and recommend solutions using a 'traffic light' coded action plan. As part of this process, we help clients to map out their data flows, which forms the basis of an organisation's record of processing activities (so from the assessment we undertake, you are already on your way to meeting your compliance requirements).

2. Training and Workshops

Key to compliance is awareness.

Online training: We provide online training for employees and managers on a subscription basis. This is a useful tool for reaching large audiences quickly at a time and place that is convenient to them and to you.

Face-to-face training: We also provide interactive face-to-face training (on-site or off-site) to allow staff to ask questions and to work through practical examples. This training can either be a general overview of data protection, or we can provide workshops tailored to your needs on key issues such as direct marketing/fundraising, collecting donor/supporter data, employee data and responding to SARs, dealing with personal data breaches, safeguarding of children and vulnerable persons and how this interacts with data protection considerations, drafting GDPR-compliant contracts, etc.

3. Template and Tailored Documents

We have a number of template guidance tools, policies and procedures, and contracts that we can offer and tailor to your organisation’s functions, including:

  • Privacy Notices: We can assist with preparing internal privacy notices, aimed at employees, trustees and volunteers, and external-facing privacy notices aimed at your donors, supporters, fundraisers, members and/or beneficiaries.
  • Privacy Notice Checklist: To help you draft your privacy notices in accordance with the detailed requirements of the GDPR.
  • Direct Marketing Flowcharts: To assist you in determining whether or not you can contact individuals and businesses with direct marketing materials (this is an area that caused a lot of confusion in the lead up to May 2018!). With the additional layer of fundraising regulation and charity obligations in this regard, we have also produced tailored direct marketing flowcharts for charities and other not-for-profit organisations who are subject to fundraising regulation.
  • Legal Basis Flowcharts: To allow you to easily work out when you can lawfully process the personal data you hold.
  • Data Protection Policy and Privacy Standard: Let your staff, trustees and volunteers know what is expected of them when they process personal data as part of their role.
  • Personal Data Breach Policy and Procedure: If you have a notifiable personal data breach, you only have 72 hours from becoming aware of the breach to let the ICO know. This means that your staff, volunteers and trustees need to be able to act quickly, and a procedure outlining the process for dealing with a breach will assist with this.
  • Guidance Tool – Determining Roles of Parties: Before appropriate contractual arrangements can be put in place, organisations need to know what role they play under data protection legislation (sole controller, joint controller, processor, sub-processor, all of the above…) and this guidance tool assists you in determining this.
  • Data Processor GDPR Checklist: Before selecting a service provider, it is important that you are comfortable with their security measures (which should at least align with yours), their data protection compliance status, their location, and the sub-contractors they engage.
  • Contracts: We provide template data processing and data sharing agreements (for use with partnering organisations) to suit your organisation, whether by formal contract or a more informal FAQ/Protocol document. We can also review and update your existing contracts with IT service providers, suppliers, etc. We have also provided advice and assistance with drafting more bespoke charity contracts such as commercial participator and professional fundraiser agreements, and grant-giving terms and conditions (and surrounding due diligence obligations), as well as considering the data protection implications of such contracts/arrangements.
  • Consent: Consent is more difficult to obtain under the GDPR and also brings with it new rights in favour of the individual, placing new requirements upon organisations. We can assist you with ensuring that your consent requests are valid, and advise you when consent is not the most appropriate legal basis to rely on and what other options are available to you.
  • DPO Advice Note and Questionnaire: Understand if you need a Data Protection Officer (DPO) under the GDPR and document your assessment and decision making (data protection accountability is all about good record keeping).
  • Template DPIA: If you are implementing a new procedure or project (e.g. new CRM system, new fundraising method or engaging with a new third party for collection of donations) that is likely to result in a high risk to the rights and freedoms of individuals, then you must carry out a Data Protection Impact Assessment (DPIA).
  • Procedure for Data Subjects Rights: A request from an individual can go to anyone in your organisation, it can be made verbally, and the individual does not need to expressly state that he/she is making a request to exercise a right under data protection legislation. To ensure that all your staff, volunteers and trustees know how to identify and deal with these requests, it is important that a clear procedure is in place.

4. Tailored Advice and Assistance

As well as assisting you to ensure that your documentation meets the requirements under data protection law, we can also provide advice and assistance on all matters related to data protection and privacy, and have assisted a number of clients in the charity sector with tailored advice on many practical areas, including: direct marketing; privacy notices; SARs; consent requests and scripts; personal data breaches; data sharing arrangements; and international transfers. Our team have specialist experience and expertise in charity law and regulation and are therefore very experienced in providing tailored and bespoke data protection advice specifically for charities and not-for-profit bodies, as well as considering how other regulatory obligations may impact matters (e.g. lottery and gambling legislation and guidance and/or charity governance and trustee duties).

5. International Transfers

We provide advice and assistance on all matters relating to international data transfers, whether within a group structure or simply as part of the provision of services. We can assist you to ensure that your international transfers are carried out lawfully and regularly advise on matters such as Standard Contractual Clauses and joining the EU-US Privacy Shield (note that the Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 and can no longer be relied on as a transfer mechanism). If your organisation requires guidance on particular jurisdictions, we can assist you in getting that guidance through our worldwide network of data protection experts.

We have assisted a number of high-profile and international charities in relation to their GDPR compliance journey and have connected with many lawyers in EU and non-EU jurisdictions in relation to national legislation and derogations from the GDPR.

6. Data Breach Response Team

In the event something does go wrong, we have an experienced Data Breach Response Team on hand to help guide you through the process, including everything from responding to the ICO, dealing with data subjects and third parties to assisting you with communications to the public.

Latest updates from @MacRoberts