As part of the data protection reform coming into effect from 25 May this year there will be new notification and registration procedures.
It is important that all organisations check the requirements and the fees payable.
At the recent Data Protection Practitioners conference the Information Commissioner's Office (ICO) was keen to ensure that charities were aware of their obligations.
Holly Dobson, solicitor at Wake Smith Solicitors, looks at the ramifications for charities and GDPR.
“It is important to be clear about the notification and provision of information required to the ICO under GDPR as some charities can benefit from a reduced fee or be wholly exempt from the charges.
“Unless the ICO is likely to know from information it already holds that an organisation is a charity, or a charity provides information to the ICO to evidence its charitable status, there is a default annual fee of £2,900.”
GDPR was designed to end big business's complacency with regard to safeguarding our personal information. The legislation's potentially high penalties for poor data protection practices mean that these establishments will be forced to take data protection more seriously.
Holly added: “However, for charities and small businesses, the GDPR has brought a hefty new piece of legislation to comply with.
“Now every organisation, whether it is a small business, one-man-band, charity or voluntary organisation, that holds data on its customers, irrespective of its size, must abide by its rules.
“Under the GDPR, they have to provide evidence for every contact on their lists to prove opt-in status. Obviously, many charities, who gain supporters' information from a variety of sources, will struggle to provide this information for a large proportion of their database.
“If the charity cannot determine how everyone on the list came to be there, they will have to seek their re-approval. If only half of respondents reply, under GDPR, they may have to delete half of their database. This has serious ramifications for charitable funding and for the knock-on effect this will have on the lives the charity supports.
“A potential solution for the opt-in dilemma faced by charities is the Legitimate Interest provision in the GDPR.
“Charities can refer to Legitimate Interest as a lawful basis of processing to the extent that such activity is necessary (for the purpose of the Controller’s or a Third Party’s Legitimate Interests).
“So, in theory, a charity can use Legitimate Interest to make the case that maintaining a database of donors for fundraising purposes is a necessary activity for them.
“This may serve as a workaround for the opt-in requirement; however, since this is still a grey area, I would advise charities to continue to offer donors the ability to opt out at every opportunity.”
The ICO has offered the following recommendations for charities, giving guidance on the minimum expected from them under the GDPR:
- Tell people what you are doing with their data and who it will be shared with
- Make sure your staff are adequately trained on how to store and handle personal information
- Use strong passwords (we would recommend always using a random password generator)
- Encrypt all portable devices such as memory sticks and laptops
- Only keep people’s information for as long as necessary
For further advice on GDPR contact Holly Dobson at Wake Smith Solicitors on 0114 266 6660 or at [email protected]