So you’re a charity or other non-profit, and all GDPR “experts” go on about is business, commerce, profit, customers — what about the great and good who aren’t out to get rich, but to enrich? Let’s explore what the EU’s new data protection law means for non-profits.
In this article I’m going to be open and to the point. Depending on how you look at it, I spent between 5 and 10 years managing the regional compliance programme for a large non-profit in England, very much at the coalface; “hands-on” couldn’t be more accurate. Add scarcity of personnel and voluntary commitment to the mix and you can do away with traditional commercial approaches to securing cooperation, such as paying overtime or encouraging job security. Non-profit compliance is good old-fashioned hard work.
The GDPR isn’t going to be easy for the non-profit sector, and I’m confident that in the case of smaller charities, the ICO and other national data protection agencies will take a measured approach to enforcement, but with scandal rocking some of the larger non-profits at the moment, it’s hard to say how exactly things will pan out. You certainly can’t afford to ignore it.
What is personal data?
It’s the first question you have to answer in order to start along the road to GDPR compliance. The new definition is broad, and catches almost every organisation of any size. If information can be linked directly or indirectly to a living person, it comes under the umbrella.
Do you have a list of your members? Personal data. Do you have a list of previous and/or prospective donors? Personal data. Do you employ any staff, or have records of the contact details of volunteers to call upon? Personal data. We haven’t even crossed into data being used to fulfil the purpose of the organisation, just its basic structure and existence. Some non-profits will have huge databases and even paper files used daily as part of their operations, which may be complex, even if undertaken by volunteers.
Do I need consent?
There are six legal bases for ‘processing’ personal data — which can be as simple as just storing it in a file. Consent is just one of them, and GDPR-compatible consent has far more detail than previously specified in law. Although some forms of processing and some types of personal data explicitly require consent, it’s up to the organisation to evaluate — and document — whether consent is the most appropriate basis to apply.
You may very well need consent, and if you want to use data you already have under this basis and nothing else, you’ll need to work fast to establish your processes and administration, and obtain those consents from each person whose data you hold.
What about a DPO?
The role of Data Protection Officers isn’t new as a profession, but in some parts of Europe it hasn’t been on many people’s lips until the advent of the GDPR, which makes the appointment of a suitably qualified and independent DPO a requirement in certain circumstances. If you’re regularly and systematically monitoring a large number of people (5,000+ has been suggested, but it isn’t specified in the Regulation) through the data you hold, or if you’re processing more sensitive information including health data or even religion and belief, then you’re obliged to appoint one. It’s optional otherwise, but if you do appoint a DPO voluntarily, it has to be done according to the law, the same as if it were mandatory. If you just want to make one person responsible for implementing your compliance programme, you may be best not calling them the DPO.
With salaries ranging anywhere from 40 to 60 thousand pounds, hiring a DPO is going to be out of reach for many non-profits, but the GDPR permits you to outsource the role. A large part of what I do at Privada is carrying out this role on behalf of companies and organisations in precisely that situation. A benefit to bringing a consultant on board as your data protection partner is that they have access to more resources and experience than an employee would, and I’d argue this offers added value.
How do I get help?
As I’ve mentioned, Privada does offer help, and not just by way of a DPO service contract. Maybe you need a little advice to point you in the right direction initially, or assistance to manage the programme you work out for the coming months; perhaps it’s training of other members, staff and volunteers that you’re going to need. Your organisation is unique, and no cookie-cutter solution is going to be 100% applicable or appropriate to your requirements.
The NCVO has published a number of resources to help non-profit executives make headway toward compliance, including a 12-point plan that I recommend you read, whatever stage you may currently be at. Some of you will have to manage with a shoestring budget, which I can appreciate, and the DIY approach means you have lots of reading (and writing) ahead of you. Even if you must do most of it yourself, bringing someone on board such as myself or a solicitor, who can give insured advice on the direction you’re taking, will definitely reduce the risk to your organisation, and I can’t stress enough how important this is with the prospect of huge fines and still untested interpretations of the law begging for court cases to be brought against non-compliers.
If you’re in a position to afford outside help, or you’ve simply no choice but to appoint a DPO, and you’re not a multinational charity with millions in the war chest, then I highly recommend you outsource. You don’t have to outsource to Privada, but if you need someone to talk to, we’re here for you and we understand not only the challenges you face, but who you are and why you do what you do.