Many charities have been working hard to ensure they are compliant with GDPR by 25 May, but there are other charities which still have work to do. For these charities it may be reassuring to know that the Information Commissioner recently stated that "For those that still feel there is work to be done – and there are many of those too – I want to reassure you that there is no deadline. In fact, it's important that we all understand there is no deadline. 25 May is not the end. It is the beginning."
With the Information Commissioner's words in mind, a reminder of the available guidance from the ICO and the Charity Commission is below.
The Charity Commission recently reminded charities that it is important to consider how the GDPR affects them.
The Commission advises charities to:
The Commission also provides useful links, including to the resources published by the Information Commissioner's Office (ICO), such as its FAQs for charities.
Earlier this year the ICO published sector-specific FAQs, providing guidance for charities on the particular challenges they face.
The ICO stressed that compliance can be easily achieved by small charities. The ICO has published a package of tools aimed at small organisations, including charities.
There is certain information that a charity must give individuals about what it is doing with their personal data, usually provided in a privacy notice. The GDPR states that such information must be given in clear and plain language, and be concise, transparent, intelligible and easily accessible. This means that charities will need to think about the type of person to whom they are communicating, and tailor the privacy notice to that category of individual (eg a child, a person with learning difficulties etc) to ensure that it is understood.
The ICO also provides guidance on the issue of consent, and in particular, how to ascertain whether the consents that a charity already has for marketing under the Data Protection Act 1998 (DPA 1998) remain suitable under the GDPR, which sets a higher standard of consent that can be withdrawn at any time.
In certain circumstances charities will need to appoint a Data Protection Officer (DPO):
However, even if a charity does not meet any of the above conditions, it must still ensure that it has sufficient staff and skills to meet the requirements of the GDPR.
Special category (sensitive) personal data will be dealt with under the GDPR in a manner similar to the current data protection regime. This is important for charities that deal with sensitive personal data, such as health charities.
The ICO has said that it will likely issue more detailed guidance on the processing of sensitive personal data, so we recommend that charity trustees keep an eye out for this.
The GDPR also imposes security requirements: personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. Charities therefore need to consider how they protect personal data, and further ICO guidance on security is available.
For an analysis of the impact of the GDPR on charities (in particular, the new requirements and increased fines), please see our previous article.