How will GDPR affect charities?
The charity sector, like businesses, must comply with the European General Data Protection Regulation (GDPR) because of the personal data it processes. The GDPR sets out the requirements that an organisation must meet when it processes personal data. Charities conduct a lot of their business by directly contacting their members and volunteers. The new regulation may restrict this process, so it is crucial that charities are aware of the requirements they need to meet.
Personal data processed by the charity sector:
Charities utilise electronic marketing methods to contact their members and volunteers, as well as for their campaigns. Therefore, a collective procedure needs to be implemented by the charity to ensure volunteers collectively handle personal data appropriately.
As the newly implemented GDPR places more emphasis upon consent, charities need to receive specific consent which is freely given, informed and unambiguous. There has been debate regarding whether members of a charity should only be contacted if they have "opted in," or whether individuals can be contacted by the charity but have the option to "opt out." This is particularly relevant to charities because they utilise direct marketing through email and posting information to individuals.
For example, email marketing under the GDPR has meant that the emailing database for a charity is now smaller, yet it consists of individuals who actually want to be contacted. This means that a charity can really target its emailing list with specific campaigns, maximising the email's impact on an individual, who will actually engage with it.
Accord, a UK-based independent trade union, found in a recent study that 47% of individuals said they would rather opt in to receive communication from charities than opt out. This suggests that individuals favour a tailored and specific email or text from a charity, reminding them of its work.
Charities can use the legitimate interest clause, which does not always require consent from the individuals being contacted. For example, a charity can contact an individual without consent, but only if the charity can justify the legitimate interest of this action. The reason for contacting these individuals has to be that they have previously expressed an interest in the organisation. If legitimate interest is used inappropriately, it could come under the scope of the Information Commissioner's Office (ICO), which administers the consequences to an organisation for causing a data breach.
Charities and data breaches:
The ICO reported that the charity sector was found accountable for 110 data breaches in 2017, comprising 4% of incidents. During the latter half of 2017, there was an increase in the number of reports of data security breaches, and it has been suggested that this increase was potentially due to the changes brought about by the GDPR. The pending changes potentially encouraged organisations to become more aware of when breaches had happened, preparing them for the GDPR's implementation in 2018.
Consequently, to reduce the number of breaches in the charity sector, charities need a well-prepared collective procedure to comply with the GDPR and ensure that personal data is handled correctly.