There is a lot of scaremongering happening at the moment when it comes to GDPR. There’s a lot of ‘you can’t do this’ and ‘you must do that,’ when a lot of the details surrounding GDPR are yet to be confirmed. Before we get started with this blog, we want to point out that we are not legal experts. We’re writing this to keep you informed of what we are hearing in the IT industry and to try and help you get started with understanding GDPR.
GDPR and Data Protection are starting to get a bad reputation due to rumours and scaremongering, when in reality a lot of the legislation coming into place is just common sense when you look at the way that technology has developed over the past twenty years.
Under GDPR, the bottom line is that if you hold personal data you must set out what you want to do with it and why, and then you need to make decisions about what your justification is. For charities and non-profit organisations that are starting to think about GDPR this can be difficult as you have six options to use as justification and you are not told which one to use.
The six options of justification are referred to as the ‘legal grounds for processing’ and are: consent being given by the data subject, necessary for processing a contract, necessary for compliance with a legal obligation, necessary to protect the interests of the data subject, necessary for a task carried out in the public interest or for an official authority and processing is necessary for the legitimate interests of the controller.
Data and fundraising
Charities and non-profit organisations are not exempt from GDPR and therefore when contacting people in regard to fundraising they need to consider their justification for holding people’s personal data. If a donor or other individual does not fully understand what your organisation is doing with their personal data then you cannot do it. Due to being able to use the grounds for legitimate interest, it appears that you don’t need to have consent for every bit of personal data that you hold but you need to be clear on your justification for holding that data other than having consent. When fundraising, it is important to understand that consent cannot be assumed. Failure to opt-in is not consent, nor is silence or previous support. Charities and non-profits need to be aware of this when considering how they use data when fundraising.
GDPR and your charity
It is important that charities and non-profit organisations (and all companies holding personal data) understand that GDPR goes beyond rules for being able to contact people. GDPR is about data protection as much as what you are allowed to do with data when you hold it. The likelihood is that you will also hold a lot of client data and this may be very sensitive.
Charities need to consider that while they must train their staff on the importance of protecting data, they must also train their volunteers. There is no exemption under GDPR for volunteers, your organisation must operate with the aim of protecting the data that you hold. Using volunteers is a choice that your organisation has made and it is up to you to reduce the risks that can come with doing so. You should also be aware that any agencies or contractors that you engage with to do work for you is wholly your responsibility. It is up to you to ensure that they have the adequate measures in place to protect your data.
GDPR and security
It is not just the people that operate in your organisation that you must consider when protecting your charity’s data. You also need to consider the IT you have in place and whether it is adequate. When was the last time that you reviewed your IT and its security? If you haven’t invested in it recently, the likelihood is that what you have in place won’t be adequate because it will not be able to deal with new cyber threats. While achieving perfect security is impossible, and things will always slip through the cracks, the failing to try is unacceptable under GDPR. Organisations must be seen to be doing their absolute best to protect the data that they hold, and if your IT security solutions are not up to scratch you could suffer for it.
When you’re looking at your IT, you need to think about a multitude of different things. You need to think about when you last upgraded your Firewall and whether it has the functionality for a deep packet inspection. You need to look at your IT policy and your staff training and ensure that your employees are fully versed in how to protect the organisation and themselves online. Your IT is what is protecting your data, just as much as your policies and your staff. We highly recommend that you take a look at your IT and see if it is what is needed in the new GDPR landscape.
If your charity or non-profit organisation is not compliant with the new GDPR legislation you will be liable for fines of up to 4% of your global turnover or €20 million, whichever is greater. There are no leniencies in place for charities. You need to consider whether you can afford that kind of fine and whether your organisation would recover from the effect on its reputation. Your donors are likely to help other causes if they believe you do not process or protect their data adequately.
If you are at all concerned about GDPR and want to discuss it further, please call 01675 469020 or email firstname.lastname@example.org. Even if it’s not about your IT (which is what we do) we are more than happy to have a conversation. Say hello today.