
GDPR - It's Not Too Late

on Friday, 25 May 2018.

As the GDPR comes into force, we remind those charities who still have work to do where to find resources.

Many charities have been working hard to ensure they are compliant with GDPR by 25 May, but there are other charities which still have work to do.  For these charities it may be reassuring to know that the Information Commissioner recently stated that "For those that still feel there is work to be done – and there are many of those too – I want to reassure you that there is no deadline. In fact, it's important that we all understand there is no deadline. 25 May is not the end. It is the beginning." 

With the Information Commissioner's words in mind, a reminder of the available guidance from the ICO and the Charity Commission is below.

The Charity Commission

The Charity Commission recently reminded charities that it is important to consider how the GDPR affects them.

The Commission advises charities to:

  • ensure they understand the basics by getting the information they need and sharing it throughout the charity
  • assess the impact of GDPR by making sure they know what data they have and how it’s managed
  • get an action plan agreed with trustees on how the charity will manage the data the charity holds or intends to get, in line with GDPR, and complete the ICO self-assessment
  • make sure their details with the Charity Commission are up to date

The Commission provides useful links, including links directing charities to the resources published by the Information Commissioner's Office (ICO), such as the FAQs for charities.

ICO FAQs for Charities

Earlier this year the ICO published sector-specific FAQs, providing guidance for charities on the particular challenges they face.

Small Charities

The ICO stressed that compliance can be easily achieved by small charities. The ICO has published a package of tools aimed at small organisations, including charities.

Privacy Notices

There is certain information that a charity must give individuals about what it is doing with their personal data, usually provided in a privacy notice. The GDPR states that such information must be given in clear and plain language, and be concise, transparent, intelligible and easily accessible. This means that charities will need to think about the type of person to whom they are communicating, and tailor the privacy notice to that category of individual (eg a child, a person with learning difficulties etc) to ensure that it is understood.

Consent and Marketing

The ICO also provides guidance on the issue of consent, and in particular, how to ascertain whether the consents that a charity already has for marketing under the Data Protection Act 1998 (DPA 1998) remain suitable under the GDPR, which sets a higher standard of consent that can be withdrawn at any time.

Appointing a Data Protection Officer (DPO)

In certain circumstances charities will need to appoint a DPO:

  • if you are a public authority
  • if your core activities require large scale, regular and systematic monitoring of individuals
  • if your core activities consist of large scale processing of special categories of data (eg health data) or data relating to criminal convictions and offences

However, even if a charity does not meet any of the above conditions, it must ensure that it has sufficient staff and skills to carry out the requirements of the GDPR.

Processing Sensitive Personal Data

Special category (sensitive) personal data will be dealt with under the GDPR in a manner similar to the current data protection regime. This is important for charities that deal with sensitive personal data, such as health charities.

The ICO has said that it will likely issue more detailed guidance on the processing of sensitive personal data, so we recommend that charity trustees keep an eye out for this.


The GDPR has further requirements around security, such as protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Charities therefore need to consider how they protect personal data, in relation to which there is further ICO guidance available.

For an analysis of the impact of the GDPR on charities (in particular, the new requirements and increased fines), please see our previous article.

If you would like more information about implementing the GDPR, please contact Mary Rendle on 020 7665 0830.
