General Data Protection Regulation: GDPR’s Impact on Charities

GDPR Blog Title and EU Flag

Data governance is concerned with almost every aspect of your data: data management, data security, data usability, data accuracy, and so on. This is a concept that should be present in absolutely every organisation, from a small local charity to a multinational corporation; this difference is found in the scale and complexity of data governance.

From a risk standpoint, data governance is concerned with data management, access and security and is intertwined with the requirements of the Data Protection Act (1998) and the soon to be implemented General Data Protection Regulation (GDPR).

The GDPR isn’t a huge departure from the Data Protection Act, instead it serves to both update and add to the current framework. The major changes that GDPR will bring are:

Requirements for consent are more rigorous

Consent is a very hot topic, especially within fundraising. The GDPR seeks to ensure that consent is given and given freely, which means the subject must have a choice and isn’t forced to give unnecessary details in the process of a transaction. Consent must also be informed and specific, with clarity on how to opt in and out, and about how the data will be used. Lastly, a subject must actively confirm that they provide consent.

Requirement to delete data at the subject’s request

The GDPR’s implementation will bring with it the ‘right to be forgotten’ and the ‘right to object’. All organisations must understand these rights and have processes in place to react to subjects invoking their rights, including, but not limited to, removing their consent and securely deleting their data.

Requirement to notify authorities within 72 hours of any data breach

The GDPR enforces a requirement on all organisations to report any personal data breach to the relevant authorities and, in some cases, to the individuals affected by the breach. The requirement to notify is for breaches that may result in a risk to the rights and freedoms of individuals and this includes events that, for example, may lead to financial loss, discrimination or loss of confidentiality.

Increased fines for failure to comply

This is very simple: the GDPR has two tiers of fines which are going to be 2% of total global annual turnover or €10 million (whichever is higher) and, for the more serious infringements, 4% of total global annual turnover or €20 million (again, whichever is higher).

GDPR will apply to all organisations, no matter where they are based, if they offer goods or services (even if free) to individuals in the EU. In addition, despite Brexit, the ICO have confirmed that they are likely to implement similar rules after we have left the EU, to allow the United Kingdom to operate on a level playing field with the continent. All organisations should plan for, and be ready to comply with, the GDPR.