GDPR for Charities

28 June 2018 - Elizabeth Nichols

Later this year the introduction of new General Data Protection Regulation (or GDPR) will come into force. The proposed changes to the way that all organisations and charities can gather, store and use staff, volunteer, client and donor data will bring the UK into line with a new European standard. Whilst some had hoped that Brexit would give us a ‘get out clause’, the need for a common set of standards across all territories, both within Europe and the USA is required in a world where organisations work across international borders and exchange data. Although some details of GDPR are yet to be clarified, from 25 May 2018 the new regulations will apply, so it is vital that charities are prepared. Paul Goddard Head of Internal Audit and Risk at Scrutton Bland explains how the new rules will require all charities to review their data processing policies.

Under the new proposals, the assumption that individuals are happy to receive marketing in any form, including telephone calls, texts and emails unless they have specifically opted out is turned on its head. From May this year, under the proposed regulation, organisations will no longer be able to distribute marketing unless the express consent of the recipient has been received, or ‘opted-in’.

As a result, charities will need to ensure that anyone in their database is happy for their details to be held and that their marketing preferences have been recorded. It is essential to hold personal and sensitive data correctly and securely. Failure to comply with the new rules will result in hefty fines of up to €20m or 4% of turnover, whichever is higher. According to Paul Goddard: “The changes required by the introduction of GDPR will be significant for all organisations including charities and not for profit organisations.

Where an organisation is dependent on its database of donors and supporters compliance with GDPR is critical and will require a significant change in both process and culture. With the May deadline looming, organisations should be taking action now by undertaking a wholesale review of their data processing systems and procedures, and retrain their staff and volunteers to be familiar with their new data protection responsibilities under the GDPR,” he said.

Achieving GDPR compliance is likely to be a journey for most organisations. The Information Commissioners Office have issued guidance on their website aimed at helping organisations prepare for GDPR. Here are some practical steps you should consider if you hold or access the data of individuals:

1. Awareness – Ensure key people and decision makers are aware of the impact GDPR is likely to have.
2. Document the personal and sensitive information you hold, where it came from, how you use it, why you need it and how long you will keep it.
3. Communicate your privacy notices and update if necessary in readiness for the implementation of GDPR.
4. Check your procedures to cover the rights of individuals’ data, including how you delete records (the ‘right to be forgotten’) and how you receive, retain and transmit data.
5. Plan who has access to data records and who has the ability to amend and update records when required. This ensures a transparent audit trail of who is using the data and for what purpose.
6. Confirm the legal basis you have for using the data you hold and document it.
7. Review the way you obtain data with particular regard to obtaining and recording consent to use it from the individual.
8. Plan how you verify the age of individuals when data gathering to ensure if dealing with minors that parental/guardian consent is obtained and recorded.
9. Ensure you have procedures in place to detect, investigate, and report a personal data breach.
10. Use the guidance of Privacy Impact Assessments to understand how to implement them within your business.
11. Designate a Data Protection Officer, if necessary. This must be a responsible person as the role should sit within your company governance arrangements.
12. If you deal internationally, you will need to determine which data protection supervisory authority you come under.

Scrutton Bland have a specialist charity team who can advise on all areas of risk management and internal audit for organisations operating in the voluntary and charity sector.

For further advice on how to protect your organisation contact Paul Goddard on 01473 267000 or by email.

Related news

Get in touch for forward-thinking, impartial advice

With offices in Bury St Edmunds, Cambridge, Colchester, Diss and Ipswich, we’re close enough for personal meetings with clients from anywhere across the East of England. Got something on your mind? We’ll be happy to listen and give you our thoughts.

Call us on 0330 058 6559
Email us at

Get in touch