GDPR tips for your small charity

  • The advent of GDPR means that organisations need to ensure they have the right data processes, procedures and policies in place
  • The deadline for compliance is 25 May 2018
  • Sector expert, Andrew Cross, shares some first steps and useful reading for small charities

New GDPR regulations come into force on 25 May 2018. Andrew Cross, Data, Insights and Compliance Lead at Lightful, and one of the few GDPR qualified practitioners in the non-profit sector, explains what GDPR is, and offers tips to make sure your charity is on the road to compliance.

What is GDPR?

GDPR replaces the Data Protection Act (DPA, 1998). It aims to standardise the way personally identifiable information is dealt with in terms of data processors and data controllers that exist within the EU, or countries operating outside of the EU that process the data of EU nationals.

A data processor is a person or organisation that processes data, and a data controller is a person or organisation that owns (or controls) the data.

Put simply, this regulation gives an individual control over how their data is used by both data controllers and data processors, and what communications they receive from the controller.

For your organisation, it means:

  • Ensuring that you have the right processes, procedures and policies in place to carry out data processing
  • And more generally; accurately recording and storing data and permissions, so that you only contact those people who explicitly want to hear from you

GDPR step 1 – start the conversation now

If you haven’t already started, the first thing you should do is begin the conversation around data protection and how it’s currently handled by your charity. You may want to include your trustees in this initial discussion, as someone will need to take ownership.

Following the discussions – and depending on your resources – your trustees may want to form a working group to ensure your charity is compliant by 25 May 2018. Failure to do so may result in fines from the Information Commissioner’s Office (ICO), which has already fined some big charities for the misuse of donors’ personal data.

Opportunity to understand your data

It may seem daunting, but deal with GDPR as a positive opportunity.

This is a chance to tidy-up your data, processes, policies and procedures to ensure they are accurate, well organised and fit for purpose.

If you have lots of separate databases, or a system that has evolved rather than been designed, this is a good opportunity to review and resolve any outstanding issues. This could include examining the quality of your data in terms of duplicate or out-of-date records, or getting rid of any data you hold that’s simply not required.

It is also an opportunity to reconnect with your supporters, volunteers and beneficiaries, to check that they want to hear from you (providing you have the permissions to contact them under the current legislation). You can use this process to ensure you are sending them relevant and tailored information.

GDPR step 2 – map your data

Once you’ve established who will be responsible for data in your organisation, you need to start mapping it.

  • Make a note of all the places you currently capture and store data (for example, fundraising databases, mailing lists, lists of event attendees, Excel spreadsheets etc). TOP TIP: HR staff records (past and present) are considered personal data too
  • Document who has access to different types of data in your organisation. How is this managed? Are you taking the right steps to protect the data so it can’t be hacked or misused? How frequently do you change passwords?
  • Review your existing data policy. If you don’t have one, this is the perfect opportunity to create one

GDPR step 3 – make changes to be compliant

Once you have a clear picture of how data is used and works within your organisation, your working group will need to take steps to be compliant with GDPR by the deadline.

The best place to start is the ICO’s GDPR guide for organisations.

GDPR may seem like a huge task, but if you break it down into steps and tackle one step at a time, you’ll be compliant in no time. And don’t forget to look at it as a positive way of engaging with your supporters by only sending them the information that they are interested in.