What charities need to know about the GDPR

Whether it’s details of their donors, supporters, service users, partners or employees, most charities will collect and store large amounts of personal data. 

This means that when the GDPR comes into force in May 2018, ushering in the biggest overhaul of data protection regulation in the UK for more than two decades, the charity sector is likely to be widely impacted.

If they haven’t already, charities and fundraisers should start preparing for the new regulation immediately. If they are unprepared they risk not only huge fines for non-compliance but also serious reputational damage. 

For a sector already under heavy scrutiny after a series of high-profile data breaches this could be disastrous for public trust and confidence. The general advice for businesses and organisations on preparing for the GDPR is still relevant for charities and fundraisers, but there are also a number of specific considerations.

It is a good exercise for all charities to start by carrying out a detailed audit of what personal data they hold, where it came from and who they share it with. Senior buy-in is essential, so a strategy needs to be drawn up at board level and encompass everyone who works for the charity, including employees and volunteers.

Consent is a major part of the GDPR and it will no longer be enough for charities to use blanket clauses to gain consent when collecting personal data. Instead they will have to explain clearly why the data is being collected and how it will be used.

Under the GDPR an individual’s consent must be fully informed and actively and freely given. Implied or presumed consent is no longer enough. The GDPR calls for “clear, affirmative action”, so gaining a signature is highly recommended.

Additional consent will be required if the data is to be passed to a third party.

Perhaps the biggest task for charities in this area will be dealing with consent for the data they already hold. If those consents do not meet the GDPR standard it is advisable to refresh them.

There have been fears that the GDPR will stop charities contacting their supporters without consent. While it is true that specific consent will be needed for email text message or automated phone calls, charities can contact individuals by post and ‘live’ phone calls if they can demonstrate a “legitimate interest” for doing so.

Marketing counts as a legitimate interest under the GDPR, but it is important to balance this with the rights of the individual. The GDPR will give individuals a series of rights, including the right to access any data held on them and the right to have data erased.

This means charities must manage data properly and make sure their systems are set up in a way that allows easy access to and deletion of individual records.

Finally, if data breaches do happen, there will now be a new duty on organisations to report them to the Information Commissioner’s Office within 72 hours. Charities should therefore ensure they have robust systems and procedures in place to detect, report and investigate data breaches.

Ultimately charities should see the GDPR as an opportunity to review their entire data handling systems and processes. Some charities will only have a small amount of work to do to ensure they are GDPR-compliant. It’s been said that the GDPR is current best practice under the Data Protection Act given legislative recognition, so those already on top of their game should have few concerns.


By Ron Moody is CEO at Connect Assist, a charity multi-channel helpline provider

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at http://www.gdprsummit.london/