Data security and the GDPR, what charities need to know

Last year we wrote a blog looking at the importance of data security and setting out how charities could protect themselves from the impact of malicious hacks.

Since then even more high-profile data leaks and hacks have hit the headlines.

Figures from the Information Commissioner’s Office (ICO) showed there were 74 data breaches affecting charitable organisations between April 2015 and March 2016, slightly down on the previous year’s figure of 76.

However, between April and December 2016 there were 97 such incidents.

In June this year the ICO fined eleven charities that breached the Data Protection Act by misusing donors’ personal data, following fines to two charities last December.

Information Commissioner Elizabeth Denham said people would be “upset” to learn how their personal data had been shared by charities they trusted, and urged charities to follow the law in future.

And data protection law is set to get even stricter in May next year with the introduction of the EU’s General Data Protection Regulation (GDPR).

Because of the vast amount of personal data charities and fundraisers collect, the charity sector is likely to be widely impacted by the new regulation.

Ideally, preparation for the new regulation will already be at an advanced stage in most charities.

If they are unprepared they risk not only huge fines for non-compliance but also serious reputational damage. For a sector already under heavy scrutiny this could be disastrous for public trust and confidence.

For those charities still unprepared, here’s a brief guide as to what they need to know:

Where to start

It is a good exercise for all charities to start by carrying out a detailed audit of what personal data they hold, where it came from and who they share it with.

At Connect Assist, helpline staff are fully trained in compliance with clear data protection policies as standard, but for charities handling service user information in-house, a clear policy must be created and implemented at all levels. This should state exactly how information is collected and how it will be used, and provide a clear strategy for protecting it. All staff and volunteers handling data of any sort must be fully trained on the importance of keeping that information secure.


Consent is a major part of the GDPR and it will no longer be enough for charities to use blanket clauses to gain consent when collecting personal data.

Instead they will have to explain clearly why the data is being collected and how it will be used.

Under the GDPR an individual’s consent must be fully informed and actively and freely given. Implied or presumed consent is no longer enough. The GDPR calls for “clear, affirmative action”, so gaining a signature is highly recommended.

Additional consent will be required if the data is to be passed to a third party.

Perhaps the biggest task for charities in this area will be dealing with consent for the data they already hold. If those consents do not meet the GDPR standard it is advisable to refresh them.








Legitimate interest

There have been fears that the GDPR will stop charities contacting their supporters without consent.

While it is true that specific consent will be needed for email text message or automated phone calls, charities can contact individuals by post and ‘live’ phone calls if they can demonstrate a “legitimate interest” for doing so.

Marketing counts as a legitimate interest under the GDPR, but it is important to balance this with the rights of the individual.

The GDPR will give individuals a series of rights, including the right to access any data held on them and the right to have data erased.

This means charities must manage data properly and make sure their systems are set up in a way that allows easy access to and deletion of individual records.

Data subject access requests can be made without restriction or fee, and organisations must respond within a month rather than the current 40 days. However, if a request is “unfounded or excessive”, particularly if it is repetitive, a “reasonable fee” can be charged or the request can be refused.

If a request refused you must explain why and inform the individual of their right to complain.

Data breaches

Finally, if data breaches do happen, there will now be a new duty on organisations to report them to the Information Commissioner’s Office within 72 hours. Charities should therefore ensure they have robust systems and procedures in place to detect, report and investigate data breaches.


Ultimately charities should see the GDPR as an opportunity to review their entire data handling systems and processes.

Some charities will only have a small amount of work to do to ensure they are GDPR-compliant. It’s been said that the GDPR is current best practice under the Data Protection Act given legislative recognition, so those already on top of their game should have few concerns.

For advice on how your charity might be affected by the GDPR and to find out more about our consultancy services, get in touch.

Leave a Reply

Your email address will not be published. Required fields are marked *

Case Study

Providing consultancy and specialist contact centre staff for a leading eating disorder charity


Connect with us