The new General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, marks a significant change in the EU data protection regime, with an increased emphasis on transparency and accountability in the way in which organisations (including charities) gather, store and use people’s personal information. It is vital that charities act now to ensure that they are compliant before the implementation date.
While all aspects of the new regime require careful analysis, some of the new requirements are likely to affect the charities sector more than others, and will, therefore, warrant special consideration.
Legal bases for processing
The GDPR sets out a range of valid legal bases (which are unchanged from the legal bases set out under current legislation) for processing personal data, including fulfilling a legal obligation, protecting the vital interests of an individual and the administration of justice. Most charities, however, are likely to process personal data on the basis that the individual has consented to the processing, has entered into a contract (or wishes to) with the charity, or on the basis of the legitimate interests of the charity.
Where a charity seeks to rely on consent as the legal basis for processing personal data, the charity must ensure that the consent obtained is freely given, specific, informed and has been given by way of an affirmative action. In addition, organisations must be able to demonstrate that they obtained valid consent and an individual also has the right to withdraw their consent. In practice, therefore, the GDPR raises the bar for the consents which organisations obtain and your charity will need to understand the increased requirements for consent that the GDPR introduces.
For example, tick-the-box type consent forms covering all forms of data processing are unlikely to be sufficient. In its fundraising activities, for instance, your charity will need to ensure that consent has been obtained for the specific purpose of fundraising. If your organisation works with vulnerable persons, your organisation will also need to consider how it can validly obtain consent from these individuals.
If your charity seeks to process personal data on the basis of a “legitimate interest”, it will be necessary to carry out an assessment to determine whether a legitimate interest in fact exists, whether you need to process the data, and whether, balancing the interests of the data subject and the charity, you ought to process the data. Examples of legitimate interests include, among others, processing data to determine your charity’s ability to assist a beneficiary or to monitor and optimise your charity’s services.
Data retention periods
Even where your charity has processed personal data lawfully, the length of time you retain the data will require careful consideration. The retention periods for different categories of data must each be considered separately, rather than applying a blanket policy to all data held, and you must ensure that you have a justification for retaining personal data.
Proper GDPR training and management for volunteers is also vitally important in order to ensure that personal data is processed in line with the GDPR. In addition, your charity will have responsibility for ensuring that third-party contractors and processors, such as recruitment agencies, also meet the GDPR requirements.
Increased data protection obligations and tough sanctions for those failing to comply mean that establishing a carefully tailored GDPR implementation plan is a must for your charity.
While the areas outlined above may affect the charities sector in particular, other aspects of the GDPR regime should not be overlooked. A structured, well-planned approach to implementation will reduce the risk to your organisation.
The UK-based Charity Finance Group has recently published a helpful guide to GDPR for charities; however, the distinctions between the UK and Irish data protection regimes, and the regulatory agencies involved in each, must be borne in mind.
For more information on how to ensure compliance with the GDPR before 25 May, please contact a member of our Charities & Not-for-Profit team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.