GDPR for charities

The General Data Protection Regulation (GDPR) came into effect on 25th of May 2018. If your non-profit organisation has directors, employees, grantors, donors or a means of marketing, you are most definitely subject to the requirements of the GDPR. Compliance with GDPR is not only important in terms of respecting data subject’s rights, or to avoid fines up to €20 million or 4% of the organisation’s annual turnover but also to maintain the trust of donors, stakeholders and those to whom you provide a service.

The impacts of GDPR for non-profit organisations relate primarily to data held about your service users; your donors; and your staff or volunteers. Each of these groups have different privacy requirements and must be accommodated in your data handling processes and data protection measures.

Service users that your organisation works with may include children, vulnerable adults or individuals in a time of some need. The personal data you collect about these service users – depending on the services you provide – may include sensitive personal information (now known as special categories of data under GDPR). These special categories of data extend beyond traditional personal data elements such as name, address, phone number, etc., and include information which could potentially be used to discriminate against someone, such as their ethnicity, racial origin, medical history, disability status, sexual preference, or criminal history and so forth. Often this information is a vital part of the services you provide, or the use of your services may heavily imply such information about an individual.

Donors are key to most not-for-profit organisations. In order to maintain their trust and support, good data protection practices are required. In particular, you must determine how you contact donors and the lawful basis for doing so. GDPR and the ePrivacy Directive allow for donor contacts with their consent, or as a legitimate interest where the data subjects have previously donated and supported your organisation. Documentation of this lawful basis is a key part of maintaining compliance. You must also avoid sharing personal data without the appropriate controls.

The personal data of your volunteers and staff must similarly be protected and safeguarded, in particular as relates to their own special categories of data. Volunteers and staff must be trained in data protection measures, in particular as relates to data breach management; subject rights’ requests.

In the wake of significant privacy misunderstandings, such as the removal of rubbish bins from a prominent public sector body, and the removal of visitor books from public attractions, it is worth noting at this stage that data protection requirements can be over-zealously implemented. The important thing is to consider the risks to the individuals whose data is being processed.

ICO fines Non-Profits

152 data security incidents were reported to the UK’s Information Commissioner’s Officer in the year to March 2018. A third of such incidents were reported in the first three months of 2018. Between 2016 and April 2017, the ICO fined eleven charities, including Cancer Research UK and Great Ormond’s Street Hospital Children’s Charity. Most notably, the British and Foreign Bible Society has been fined £100,000 for putting personal data in jeopardy and potentially revealing the religious identity of its donors. Hackers accessed the personal data 417,000 of its donors. The ICO stressed, although the charity had been victim of a criminal attack, it failed to take appropriate and organisational steps to protect its supporters’ personal data.[1]

It is clear that non-profit organisations are not exempt from GDPR. Due to the types of data charities often possess from data subjects (credit card details, health data, political preferences, data relating to minors, recipients of benefits etc.) it is extremely important that organisations get to grips with the terms of GDPR on all levels. To assist with an improvement in compliance in non-profit organisations, the ICO has published a report carried out on eight charities to identify areas of good practice in terms of data protection and areas which need improvement.

The Wheel, Ireland’s national association of community, voluntary and charitable organisations also published a report in order to assist Irish non-profits in preparing for GDPR.

Consent

Consent remains only one of the possible lawful bases that can apply to processing data under the GDPR. Consent receives a disproportionate amount of attention given the changes from how consent was previously understood. The GDPR now makes clear a number of requirements for consent to be truly voluntary and not assumed by an organisation when it suits them.

1. consent must consist of a clear affirmative action, e.g. ticking a box, ‘opting in’. Inactivity or silence is not enough, nor pre-ticked boxes;
2. implied consent is no longer sufficient to demonstrate a legal basis for processing, however, consent through a course of conduct remains valid, e.g. a continuous donation via standing order/direct debit, until such time as the consent has been withdrawn;
3. explicit consent is required for processing special categories of data. E.g. ticking a box, ‘opting in’; and
4. you will also need a process to record consent, document it and manage requests to withdraw consent.

Retrospective Consent

Organisations will have to verify the nature of the consent they have previously obtained for existing data processing activities. If these consents fail to meet the standards imposed by the GDPR, organisations will either have to request new consent or seek another legal basis for the processing of personal data as outlined above.

Consent and Minors

Many organisations support and work with children. With this, special considerations must be implemented to protect children’s personal data. The Irish Government has set the digital age of consent for a child at 13. GDPR sets it at 16. Therefore, organisations may have to seek consent from a parent or guardian. You need to be able to verify that person giving consent on behalf of a child is allowed to do so and any privacy statements will need to be written in language that children can understand.

The Irish DPC has given advice regarding donations to Charities by SMS:

1. the use of the phone numbers of donors for further electronic contact or to be put on a marketing database, may take place only where the phone subscriber concerned has actively opted in, to such use of their phone number in the knowledge that it will be used to contact them for direct debit and /or marketing/promotional purposes;
2. it is not acceptable or lawful for a charity to place a donor's phone number on a marketing database, solely on the basis that the phone subscriber concerned made a donation to the charity using the SMS method; and
3. the charity must have unambiguous (fully informed and voluntary) consent to send marketing or promotional messages or to make marketing or promotional phone calls to mobile phone numbers. ‘Opted-in’, phone subscribers must also be given the opportunity to ‘opt-out’ of marketing in each marketing communication which is subsequently sent to them.

Direct Marketing

Direct Marketing is a form of advertising which allows organisations to target individuals directly through a variety of media. Unlike mass advertising (television ads/radio etc.) which is presented to everyone, direct marketing is presented only to people who are suspected to have an interest or a need for an organisations’ products or services based on the information gathered about them.

Like SMS donations, obtaining consent correctly is essential for organisations who wish to carry out direct marketing.

The Charities Institute of Ireland issue guidelines on how to handle consent in terms of direct marketing:

1. databases need to record the most recent status of consent for personal data collected;
2. once again, charities will also need to be able to demonstrate ‘unambiguous’ consent; and
3. if the organisation uses more than one type of consent wording (e.g. for websites, face to face, in-bound call, etc.) it is recommended that an electronic file comprising indicative copies of all past and present consent statements is kept. These will help to meet the GDPR requirement for evidence of consent, in the form of:
   • status of consent (e.g. opt-in);
   • channel (e.g. for marketing emails); and
   • the purpose of communications.

[1] https://www.civilsociety.co.uk/news/ico-fines-charity-100-000-following-cyber-attack.html