GDPR is new legislation that comes into force on 25 May 2018. It affects every organisation that stores personal information about individuals, and that includes charities.
The General Data Protection Regulation (GDPR) gives people more rights over how their personal information is gathered, stored and used. Every charity will need to comply with the regulation by 25 May 2018; failing to do so can incur strict penalties.
Many charities already comply with much of what GDPR brings in; however, time should be invested in making sure that your charity is fully compliant, so as to avoid any possible penalties.
If the GDPR legislation is new to you, here is an outline of the basic information that you need to know:
- GDPR brings in new and updated rights for individuals regarding their personal data, and the charity must have a legitimate, lawful basis for holding a person's information. There are six possible lawful bases that a charity can rely on for holding data; make sure that you are aware of these. Click here for more information on the lawful bases for holding a person's data.
- Anyone whose data is stored by your charity can request a copy of it. This includes everything stored about that person, whether on spreadsheets, in databases, in documents, on USB sticks or on printed paper. A copy must be provided within one month of the request being made. (There is an exception where the information also identifies another data subject.) Should a person make the request electronically, such as by email, the information must also be supplied electronically, so charities using paper-based systems will need to transfer the information into an electronic form. Find out more about the Right of Access by clicking on this link.
- An individual may request that all of their information be erased. Should such a request be made, the charity must comply by removing all of their data, and if the data has been shared with a third party, that third party must also be informed. There are exceptions to this right, for example where data is held for child protection purposes or for Gift Aid claims, or where the charity has another lawful basis for holding it. You will also need to make the consequences of erasure clear to the individual, e.g. that you will not be able to schedule them on a charity rota if you cannot hold the necessary data. Click here for more information on the Right to Erasure.
- Transparency is key to GDPR: the charity must provide accessible information to individuals about how their personal data will be used. A comprehensive Privacy Notice must therefore exist, outlining in detail what you intend to do with an individual's data. If your charity does not have a Privacy Notice, you can purchase a Draft Privacy Notice from our website, or click here for more information on what should be included in your Privacy Notice.
- Whilst your charity does not necessarily need a Data Protection Officer, you will need to appoint someone to be responsible for data protection within your charity. This person should be named in your charity's Privacy Notice so that everyone knows whom to contact with any data-related concerns. You can click here to read further information on Data Protection Officers.
A lot of GDPR is common sense: treat an individual's data the way you would want your own data to be treated. However, it is important that charities understand what is required of them under GDPR so as to ensure full compliance. You can work through this GDPR Checklist to help meet compliance; however, we recommend that you seek legal counsel to ensure that your charity is completely compliant with GDPR.