When Ecclesiastical surveyed charities about GDPR at the end of last year, more than a third of small charities had not heard of the legislation. Fast forward five months and with the deadline looming, the good news is that the picture is now a very different one. In my conversations with charities over the past few months, awareness of the legislation has been steadily growing, and it’s now the hottest topic of discussion when I talk to clients.
There’s no doubting that the amount of time and effort that’s been put into planning and preparing for the GDPR has been significant. But while everyone is now aware of the legislation, there are still a lot of charities working hard to understand the implications for their own organisation.
A lot of focus for charities has been on reviewing the key questions for fundraising, in particular the debate on whether or not they need to gather fresh consent from donors and supporters. Recent guidance from the Institute of Fundraising and the Information Commissioner’s Office (ICO) has helped address some of these issues, but the implications of the GDPR are wider than just consent versus legitimate interest.
One area charities will need to think about is how prepared they are to manage the knock-on effects of data breaches. The GDPR imposes a new duty on charities to report certain types of data breach to the ICO within 72 hours of becoming aware of them. Above this, if the breach is likely to result in a high risk to individuals, then those individuals must also be notified.
This brings in a need for charities to review their processes for detecting breaches, and for responding if something happens. The risks posed by cyber threats mean that the likelihood of breaches is increasing, and charities need to be prepared to manage the risks and deal with the consequences.
In light of this, charities are still in need of more support in managing the risks posed by cyber threats such as hacking and phishing. There’s an increasing trend of charities’ data being targeted by cyber criminals, so we’ve been working to help charities improve their cyber security, including publishing a recent guide in conjunction with the Cyber Security Forum.
It’s important that charities understand the risks to their organisation. The costs of not complying with the new data regulation are significant: new sanctions available to the regulator under the GDPR include the power to issue greater fines for serious breaches, up to 4% of turnover or €20m. However, these significant fines and penalties will only be used in the most serious of breaches.
So what can charities do now to prepare in the run-up to the introduction of the GDPR? If they haven’t already, then make sure trustees have discussed the GDPR and looked at what work needs to be done to ensure they are ready. It will depend on the circumstances of different organisations but a good place to start is to review all the personal data they hold, in all areas from donor and supporter information to staff and volunteer details and beneficiary data.
There’s guidance on the ICO website about the 12 key steps to take now, so review all the existing guidance available. Charities should also see if there are similar organisations out there to talk to. One of the great strengths of the charity sector is its focus on collaboration, so this is also a great opportunity to speak to similar organisations and learn from each other.
At this late stage, the key thing is not to worry unnecessarily about the GDPR. Many charities will already be well on the way to complying with the GDPR, particularly through any steps they’ve already taken to ensure they comply with the current Data Protection Act. The GDPR will need focus from charities to ensure they are compliant, but it’s not designed to be an excessive burden.
It provides charities with an opportunity to review the ways they engage with donors, supporters and beneficiaries to make sure they are fundraising effectively and taking any opportunities to show people how charities can do great things with personal data to help meet the needs of those who charities support.
David Britton is charity director at Ecclesiastical.