GDPR Compliance Checklist for Charities

GDPR directly relates to data collection, even when the data is not being used to sell goods or services. Charities and nonprofit organizations collect a lot of personal data and therefore have the same obligations under the GDPR as any commercial organization. Since fundraising and marketing are primary activities for charities and nonprofit organizations, fundraisers need to ensure they are meeting their legal requirements whilst giving donors a great experience of supporting charities.

Is your Charity ready for GDPR? 8 Steps to Take Now

The GDPR takes a risk-based approach to data protection, so businesses should assess the risk in the data they collect and store. Whether your charity is nearing GDPR compliance or you have just begun the journey to compliance, our GDPR requirements checklist is designed to get you on the right track.

1. Begin Creating Awareness

To raise awareness of the GDPR in your non-profit, you can follow a trickle-down approach, starting with decision makers and then the operational teams. Awareness should not be limited to those who handle personal data, because the impact of the GDPR is likely to be far-reaching across the business. Identify areas that could cause compliance problems under the GDPR and inform staff, clients, suppliers and your vendor ecosystem at large.

2. Identify Personal Data You Hold

A core element of this GDPR requirements checklist – document the personal data your charity holds, and map where it came from and who you share it with. The next step is to identify why you’re holding this information and who has access to it. Conducting an information audit can help highlight accountability and whether the personal information held is useful (if it’s not, it should be removed). Following the information audit, you’ll be better positioned to determine the information worth keeping, and what to erase or encrypt, using techniques such as pseudonymization.

3. Update your privacy information

Prior to May 25th, 2018, it was sufficient to state your identity and how the personal data would be used. With the GDPR now in force you are required to provide additional information within your privacy notice:

  • Disclosing the lawful basis for processing personal information
  • Your data retention periods
  • Informing consumers of their right to complain to a data protection authority (such as the ICO), if they are unhappy with the way you handle their personal information

The GDPR also requires the information provided to be written in clear and concise language, allowing consumers to easily understand and identify why and how you are using their information.

4. Understand Individuals’ rights

Charities should implement procedures to meet the enhanced rights individuals enjoy under the GDPR. Donors now have the right to request their personal information from data controllers, and to request information on how their personal data is being processed, why, and where it is held. The data controller must provide a copy of the personal information free of charge, should it be requested. Your process should cover how you would erase personal data or provide it electronically if requested. Do your systems help you to locate and delete this data?

Under the GDPR, individuals have the following rights:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right not to be subject to automated decision-making including profiling

5. Implement Age verification

Since the age at which children can give consent varies across the 28 EU member states, you should be thinking about whether you need to put systems in place to verify a person’s age and to obtain parental/guardian consent for any information processing activity. The GDPR states that the minimum age for an individual to provide their own consent is 16 (although some EU member states have set the age at 13). You will need to get consent from a person holding ‘parental responsibility’ if an individual is younger than the minimum age to give consent.

6. Developing Procedures for Reporting Data Breaches

To meet GDPR compliance you should ensure that the correct procedure is in place to detect, report and investigate a personal data breach. If a data breach is likely to result in a risk to the rights and freedoms of individuals, you should report the breach within 72 hours to the supervisory authority (in the UK, the ICO). If the breach is likely to pose a high risk to the individuals concerned, you should also notify those individuals directly. A risk could be a potential financial loss, loss of confidentiality, discrimination and so on. Under the GDPR, if you fail to report a breach when you are required to do so you could be fined, in addition to any fine for the breach itself.

7. Do you need to hire a Data Protection Officer?

Under the GDPR, you are not always required to recruit a DPO; however, it is important to have someone designated to take proper responsibility for data protection compliance, whether that is someone within your business or an outsourced DPO advisor. Whoever you designate should have the knowledge and support to carry out their role. You are required to formally designate a Data Protection Officer (DPO) if you are:

  • A public authority
  • A business whose main activities involve regularly monitoring data subjects on a large scale
  • A business that carries out the large-scale processing of special categories of data (such as information about criminal convictions)

8. Data Protection by Design and Data Protection Impact Assessments

It’s good practice to adopt a data protection by design approach to new projects and to carry out a Privacy Impact Assessment (PIA). The GDPR makes privacy by design an express legal requirement and makes Data Protection Impact Assessments (DPIAs) mandatory in some circumstances. A DPIA is required where data processing is likely to result in a high risk, for example:

  • when a new technology is being deployed
  • where a profiling operation could significantly affect individuals
  • where special categories of data are processed on a large scale

A DPIA offers various benefits, including demonstrating GDPR compliance, improving awareness of data privacy throughout the business, decreasing operational costs by optimizing information flows, and reducing later disruption by building data protection into the project design from the start.

Our GDPR requirements checklist covers some of the most common areas charities should be addressing; however, there are many more pieces to the GDPR compliance puzzle. You should consider engaging a professional GDPR consulting company to advise on your unique requirements. FileOM is a GDPR, data and privacy management consultancy working with clients from a broad range of sectors across the UK and internationally.