0370 1500 100

The impact of GDPR on Charities

The scrutiny of Facebook has ensured that data has recently become front-page news, but change is already on the way.

On May 25 data protection rules across Europe, which are 20 years old and seen as not fit for purpose, will be tightened up under the EU GDPR (General Data Protection Regulation).

It will change how customer information must be handled by businesses, public sector organisations – and charities.

Personal data definitions are largely the same as those within current protection laws and can relate to information that is collected through automated processes. Under GDPR they are extended to cover pseudonymised information.

There are also 99 articles setting out the rights of individuals and the obligations on organisations, including allowing people to have easier access to the data held on them, a new fines regime, and a clear responsibility for organisations to obtain the consent of people they collect information about.

So all who handle personal data need to be aware of the new rules and what it means for the data they hold.

Charity trustees as volunteers need to be both guided by their charity officers, as to the details of their responsibilities, but also oversee their officers to ensure they have good practices and systems organised.

It will be important to keep in mind what the new regime means for any data received by the charity, whether by e-mail, post, or in accompanying documents.
This could include details on:

  • Employees and volunteers
  • Applicants for jobs
  • Appointments of trustees
  • Supporters and fundraising
  • Applicants for grants if it is a grant-making charity
  • Recipients of charity benefits, including health information
  • Suppliers of goods and services to the charity.

Trustees will have to understand what is “sensitive data”, which will apply to many charities, particularly those dealing with children or medical conditions.

It will be important to be clear about the charity’s arrangements for processing and storing, both manual and electronic records, keeping them for no longer than needed, and destroying all personal data when no longer needed.

All this underlines how culturally, while data may in the past have been a fringe issue for IT or legal advice, it is now centre stage and a mainstream issue for how charities are run.

Advisers should check the protection of trustees, and their insurance, in the event of fines from the Information Commissioner’s Office (ICO) or compensation claims by individuals.

Once the charity’s policies and procedures are clearly established, the next step is to ensure they are kept under review.

Finally, trustees and officers should be fully aware of the need for new staff and volunteers to be made aware of the details of these policies and procedures..

Published: 24 April 2018

A monthly briefing from Irwin Mitchell Private Wealth

Sign up to receive a moment of clarity

April 2018

Key Contact

Darran Fawcett