GDPR for Charities (Part 1)
Charities are an essential part of life for many vulnerable groups of people. Data (in the form of donor lists, fundraising leads etc.) is one of the key assets of a charity. The data protection principles have not changed since 1998. Electronic marketing rules have not changed since 2003, and some elements (like the Telephone Preference Service) were in place before that. Those with an interest in doing so have issued misleading interpretations of the ICO’s relatively consistent advice to charities.
There are numerous examples of charities getting into trouble for not having adequate data protection measures in place or for flouting the rules. GDPR is no different. If your current data protection policies are not up to the mark, get ready to put some elbow grease into implementing GDPR. On the other hand, if your data protection policies are already robust to begin with, implementing GDPR should be relatively easy.
So, as a charity, what should you do differently as opposed to a private company?
Nothing! You should not do anything differently to any other organisation. Data Protection treats charities in pretty much the same way as private companies. Asking people for donations, assessing whether a person is a likely donor, or maintaining records of supporters are seen as no different to marketing a product or service, profiling a customer, or maintaining a customer database. There is a single exemption for not-for-profit organisations, covering the technical area of sending a Data Protection notification to the Information Commissioner. There are no exemptions covering marketing, fairness, security, enforcement or the use of volunteers.
However, the need for a stringent data protection implementation is greater for a charity because of the nature of the data you will handle.
So what should I look out for?
- Don’t assume the ends justify the means. Consent is consent – either you have it or you don’t. So ensure you get your users’ consent before using their data.
- You cannot assume consent. Failure to opt-out is not consent. Silence is not consent. Previous support is not consent. A donation made is not consent!
- If a donor or individual does not understand what you are doing with their personal data, the practical effect is that you can’t do it, whatever it is.
- Volunteers are no different to employees; they must be trained and equipped to protect data. There is no volunteer exemption. Using volunteers is a choice you have made, and you are responsible for ensuring that you manage the risks adequately.
- If you contract out any work to an agency or contractor, you are wholly responsible for what they do, unless they steal your personal data or otherwise use it for their own purposes.
- Personal data available in the public domain is still personal data and Data Protection still applies to it.
- There are specific rules for consent over the method of communicating fundraising and other direct marketing communications.
(To be continued...)
Here’s where we can help:
Totale Learning creates bespoke GDPR solutions (consultation, training and development, etc.) that are tailor-made to your business. Our experienced consultants will guide you through your GDPR process and, when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at firstname.lastname@example.org or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.