We run through the latest GDPR issues for charities
Protecting client data is a top issue among compliance teams. Since the implementation of the EU General Data Protection Regulation (GDPR) framework, charities of all sizes have to ensure that personal data stays private.
The data includes personal details, IP addresses, and anything that could be used to directly or indirectly identify an individual. For charities, information around race, religion, ethnicity, political opinions, or age is considered sensitive and should be protected.
Brexit creates room for the existing framework to change. Under the current legislation, the EU’s GDPR framework was implemented in the UK through the Data Protection Act (DPA).
With Brexit now in full force, the country has an opportunity to amend existing laws. For charities, it’s important to get up to speed on GDPR and keep ahead of possible developments.
Prior to Brexit, the GDPR and DPA frameworks meant that charities needed to consider whether they need to collect data at all. Earlier, we outlined a three-part test of legitimacy.
In addition to testing whether data is needed, charities are required to employ a designated ‘controller’ – someone who determines how the data is processed and stored.
The laws also mandate that charities inform and get consent from audiences about what’s being collected and how it’s used. CAF summarises the situation in an infographic.
To put it neatly, charities are obligated to ensure that only essential data is collected, that audiences are aware of it, and that data is stored for a limited amount of time.
In the post-Brexit world, the UK government has an opportunity to overhaul legislation from the EU. This includes reviewing GDPR laws and assessing whether to amend them or not.
The first thing to understand is that the EU’s GDPR framework, and the depth of that piece of legislation, no longer applies. That means that the detailed structure around rights and obligations is not enforced. However, the DPA still applies.
So far, nothing has been amended in the legislation, but there are rumblings of change. Oliver Dowden, Minister for Culture (he has since been removed from this post), says change is coming: “[Brexit] means reforming our own data laws so that they’re based on common sense, not box-ticking. And it means having the leadership in place at the Information Commissioner’s Office to pursue a new era of data-driven growth and innovation.”
In practice, the Guardian reports that potential GDPR rules could change how Britons browse the Internet. Amending certain pieces of legislation could spell the end of annoying pop-ups, cookies, and consents.
While there is still much uncertainty around GDPR and DPA changes, charities can avoid missteps. Fines apply to charities too. Unchanged by Brexit, they are administered by the Information Commissioner’s Office (ICO).
There have been a few fines issued to charities. The most high-profile breach of privacy involves HIV Scotland. The charity sent an email to 105 recipients and failed to use the blind-copy function.
Consequently, 65 recipients, whose names formed part of their email addresses, could be identified. Sadly, the message implied the HIV status of certain individuals.
The ICO issued a fine because the charity didn’t do enough to protect sensitive data. To avoid that mistake, identify key risks before implementing migrations. Then, proceed cautiously along a fixed timeframe so that compliance isn’t compromised.
The lockdown profoundly changed how charities fundraise and engage with audiences. However, when it comes to data protection rules, COVID-19 is no excuse to break them.
Operation Smile strayed into a grey area when it decided to use third-party content. During one of its fundraising campaigns, the charity received a complaint. The complaint related to content which may have included names and addresses.
Responding to the complainant, the charity acted promptly and apologised. Here, the ICO ruled that the use of third-party data did not breach any rules.
Navigating the plethora of rules and compliance doesn’t have to be a struggle. We summarise a few key digital resources to help implement DPA rules:
The ICO is the authority on data privacy and openness. Here, charities can find information relating to each piece of legislation and how it applies to businesses and charities. Charity digital leaders can also find details on issued fines, and why they were applied in each case.
The NCVO offers practical advice on how to comply with DPA. They include risk assessments and online webinars on how to safeguard and protect personal data.
Get a grip on the basics with GoodBox’s summary. The digital resource offers suggestions on how to protect data from cyber-attacks, outlines the content of GDPR, and explains how to comply with data protection rules.