GDPR and Charities

GDPR and Charities: Key operational considerations

For companies and individuals that work in the area of data privacy, it is fair to say that 2018 was the year of privacy. In May, Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), the world’s most stringent privacy law, came into effect. The GDPR does not differentiate between organisations, it sets (pretty much) the same general rules for charities, private enterprises and all sectors, meaning that lots of organisations are going to have to go through the process of thinking about how exactly it applies to them and what they need to do. So, if you are working in a charity, what are the things that you should be aware of?

In this piece, we outline some of the key operational considerations that organisations working within the charity sector need to be cognisant of. By addressing these considerations organisations will be on the right track in addressing their GDPR compliance risks

You have to come up with some of the answers yourself

Every organisation, every sector, every business function needs to think what GDPR means for them. In lots of areas, the GDPR sets out an outcome to be achieved but then puts the ball in the court of each organisation to decide on their approach and how they will ensue compliance. Although that may seem daunting – no one wants to get it wrong – the lack of absolutes in the GDPR does give organisations the necessary flexibility to think about what works for them. This is important as new technologies emerge.

More thought, less speed

While each organisation will need to think about their own context and put in place relevant policies, processes and platforms, that does not mean that you need to reinvent the wheel each time. Making the wrong decision now can have serious consequences further down the line. Some concentred work during your initial GDPR compliance journey will make your life easier in the long run. Some initial steps you could take include:

  • Undertaking a data audit to understand what personal data you have, where it is stored and what you process it for
  • Reviewing and updating where necessary any policies which cover the processing of personal data
  • Establishing a Data Protection Impact Assessment template for any future projects which involve the processing of personal data

Once you have got these initial steps in place, the rest should flow from there and you will not have to go back to the drawing board each time you need to make a decision.

Obtain consent before engaging in direct marketing  

According to the forthcoming e-Privacy Regulation, which will complement the GDPR, direct marketing refers toto any form of advertising by which a natural or legal person sends direct marketing communications directly to one or more identified or identifiable end-users using electronic communications services. The draft Regulation goes on to state that in addition to the offering of products and services for commercial purposes, this should also include messages sent by charities to support the purposes of the organisation. Campaging style communicaitons can be deemed as direct marketing. Thus, It is critical that organisations have the consent of individuals before engaging in direct marketing initiatives.

International transfers of data

If you have international offices and work outside the European Union (EU), then you should bear in mind that the GDPR imposes restrictions on the transfer of personal data outside the EEA. This includes using a Customer Relationship Management (CRM) database that hosts data outside the EEA.

Embrace a whole of organisation approach 

GDPR compliance should run through all aspects of an organisation. Your staff, volunteers, service users, supporters and donors will all have personal data that you will be processing. Sometimes different areas of charities’ work can get fragmented and operate in data silos. Frame the GDPR as an opportunity to get all parts of the organisation working together to a consistent and agreed approach, rather than a regulatory hinderance. All individuals that you work with should have their personal data treated fairly, securely, and have their choices respected.

In sum, it is imperative that charities remain true to the humanitarian principle of “do no harm”.  Complying with the GDPR should not be seen as a mere ticking box exercise. The  GDPR with its roots in international human rights law is part of that ethos and while it is not a very inspiring topic, it’s an urgent one. If 2018 is anything to go by, then data privacy will remain a topical issue during 2019. Trilateral is on hand to help organisations navigate this new landscape.

For more information visit Trilateral Data Protection Officer page and contact our team:

Kai Matturi, Data Protection Advisor at Trilateral Research

Kai Matturi