What UK charities need to know about GDPR compliance

If you think that charities might be shown lenience under the GDPR (General Data Protection Regulation), you’re wrong.

The Regulation treats charities in much the same way as any organisation, because although they’re not using personal data to make a profit, they still run the risk of data breaches and privacy violations.

This is a lesson that the transgender advocacy charity Mermaids learned recently, after it accidentally made internal emails containing confidential client information available online.

The breach was reported to the ICO (Information Commissioner’s Office), which oversees GDPR compliance in the UK, and Mermaids is now subject to disciplinary action.

This isn’t a rare occurrence. The UK government’s Cyber Security Breaches Survey 2019 found that one in five charities suffered a cyber attack last year.

So, if you run a charity and want to know how to meet your GDPR compliance requirements, take a look at our guide.

What are charities’ GDPR requirements?

Most charities are considered data controllers, as they instigate the processing of personal data, determine what information is collected and document the lawful basis for processing.

The organisation that gathers and processes personal data is the data processor. This includes the collection of information related to employees, clients, suppliers, donors and those benefitting from the charity’s actions.

The charity might process some or all of this information itself, making it both the controller and a processor, or hire a third party.

In either instance, the data controller is ultimately responsible for GDPR compliance, and must be satisfied that third parties have adequate data protection measures in place.

If a third party is used, the two organisations should also agree in writing how data will be processed and protected. This contract will absolve the data controller of responsibility should the third party suffer a breach due to a violation of one of these terms.

GDPR exemptions for charities

Although charities are subject to the same requirements of the GDPR as any other organisation, they might benefit from a handful of exemptions.

One example relates to processing children’s personal data. The Regulation states that organisations can’t legally obtain consent from minors, instead having to seek approval of a person holding “parental responsibility”.

However, this requirement doesn’t apply when it comes to preventive or counselling services offered directly to a child. This covers any form of charity related to the mental or physical wellbeing of minors.

Similarly, organisations aren’t required to comply with DSARs (data subject access requests) if a parent or guardian requests information concerning child abuse data.

Charities might also be exempt from the requirement to appoint a DPO (data protection officer).

A DPO is an independent expert responsible for overseeing an organisation’s data protection practices. Organisations must appoint one if they:

  • Are a public authority or body;
  • Regularly and systematically monitor data subjects; or
  • Process special categories of data on a large scale.

Plenty of charities won’t fall into any of these categories, so they aren’t required to appoint a DPO. But that doesn’t mean they shouldn’t.

There are several benefits of having a DPO (such as the ability to communicate quickly and compliantly with data subjects and supervisory authorities), and many experts recommend appointing one as a matter of best practice.


The GDPR also exempts organisations that employ fewer than 250 people from certain documentation requirements. If your charity meets this criterion, you are only required to document processing activities that:

  • Are more than a one-off occurrence or something you do rarely;
  • Are likely to result in a risk to the rights and freedoms of data subjects; or
  • Involve special categories of personal data or criminal conviction and offence data.

There are several other exemptions that might relate to charities depending on the type of data they process. You can see a full list of these on the ICO’s website.

GDPR compliance checklist for charities

Now that you know how the GDPR applies to you, it’s time to look at how to approach compliance. Here’s IT Governance’s nine-step GDPR compliance checklist:

  1. Obtain board-level support and establish accountability

GDPR compliance requires board-level support. It’s therefore essential that the board understands the implications of the Regulation – both positive and negative – so that they can allocate the resources needed to achieve and maintain compliance.

  2. Scope your GDPR compliance project

Once you have obtained top-level support, you will need to work out what areas of your organisation fall under the GDPR’s scope.

  3. Conduct a data inventory and data flow audit

To comply with the GDPR’s data processing requirements, you must be able to fully understand what data you collect and how you use it.

  4. Undertake a comprehensive risk assessment

Risk assessments play a crucial role in any GDPR compliance plan, and the Regulation encourages a risk-based approach to data processing.

This enables you to develop appropriate measures to manage your risks. The Regulation doesn’t clarify how you should assess and quantify those risks, so you should consider using the methodology outlined in ISO 27001.

  5. Conduct a detailed gap analysis

Conducting a GDPR gap analysis will help you assess your current workflows, processes and procedures to identify the gaps that you need to fill.

  6. Develop operational policies, procedures and processes

Having established your compliance gaps, you should bring your existing policies, processes and procedures into line with the GDPR’s requirements, and develop new ones to ensure you fulfil all of your legal obligations.

  7. Secure personal data through procedural and technical measures

Article 32 of the GDPR requires organisations to implement “appropriate technical and organisational measures” to ensure that personal data is processed appropriately.

This means you’ll need to develop an information security policy, implement basic technical controls such as those laid out in established frameworks like Cyber Essentials, and encrypt or pseudonymise data where appropriate.

  8. Ensure that your staff are trained

Staff awareness and education is a key component of any organisation’s GDPR compliance framework. Everyone involved in processing data must be appropriately trained to follow approved processes and procedures.

  9. Monitor and audit compliance

GDPR compliance is an ongoing project. You should undertake periodic internal audits and regularly update your data protection processes.

This includes checking your records of processing activities and consent, testing information security controls and conducting DPIAs (data protection impact assessments).

Achieve GDPR compliance with IT Governance

Those looking to achieve or maintain GDPR compliance might be overawed at the scale of the task. Fortunately, there’s plenty of advice available.

IT Governance is a global leader when it comes to helping organisations address their GDPR compliance requirements. Our selection of training courses, books, software and consultancy services can give you an essential boost.

To get started, we recommend our GDPR Toolkit. It contains a complete set of easy-to-use documentation templates, which will help formalise your approach to GDPR compliance while saving you time and money.

It also includes:

  • Helpful dashboards and project tools to ensure complete GDPR coverage;
  • Direction and guidance from expert GDPR practitioners; and
  • Two licences for the GDPR Staff Awareness E-learning Course.
