Don’t panic! Here’s the good news about GDPR for non-profits

The self-proclaimed experts, fuelled by the press hype, have created a climate of fear around the upcoming EU General Data Protection Regulation (GDPR), which comes into force on 25th May 2018. While not-for-profits, including charities and membership associations, need to take the new regulations on handling personal data very seriously, there is absolutely no reason to panic.

This is the message shared by Allen Reid, Hart Square’s director of client projects to assembled charities and membership organisations at a joint Hart Square and Pythagoras briefing last week.

Here are the slides (below) and the key takeaways from the briefing.

If you missed this week’s session, don’t worry… Hart Square is running another GDPR breakfast briefing on February 28th in Mayfair, London and a Preparing for GDPR webinar on 5th April.

The Dos and Don’ts of GDPR for not-for-profit organisations

Charities, foundations, member associations and other non-profit organisations that behave responsibly and respectfully with donor or member data:

  1. Do not need to toss out all donor and member databases.
  2. Do not need to pay a fortune to scare-mongering consultants or rush into a new CRM implementation.
  3. Should not see better, cleaner data, transparent processes and happier donors and members as bad for business.
  4. Have better justification for marketing under legitimate interest than commercial organisations and those that share personal information for commercial gain.

To be responsible and respectful with personal data, not-for-profit organisations:

  1. Must be able to prove that the entire organisation, from chief executive down, and all suppliers and partners understand their GDPR responsibilities.
  2. Must evaluate and document the compliance of all processes and systems and the steps taken to rectify them.
  3. Must be honest and transparent about how they use donor or member data.
  4. Must obtain an active opt-in/permission from the customer before storing or sharing personal data.
  5. Must make it easy to unsubscribe / opt out of marketing messages.
  6. Must be able to respond to customer requests for access to their personal data or requests to have records deleted.
  7. Should not panic and rush into anything regrettable.

Next steps:

Hart Square’s GDPR White Paper for Non-Profits

GDPR compliance is mandatory from 25th May 2018

Building on current Data Protection legislation, GDPR is designed to bring the regulations up to date and ensure they’re fit-for-purpose in a digital economy.

Its introduction will increase the requirements placed on organisations to properly manage the personal information they process, increase individuals’ rights to privacy, and increase the penalties which can be issued where non-compliance is found.

At Hart Square we work exclusively within the non-profit sector and we know the impact this could have on our clients and across the sector. It’s not all doom and gloom, though: there’s work to be done before May 25th 2018, but that work should have a host of positive outcomes.

Our White Paper is intended to summarise our approach to the challenge created by the introduction of GDPR and to the opportunity it presents charities, membership bodies and all non-profits.

Download it, have a read, then get in touch to tell us what you think!

Hart Square’s GDPR FAQs

General Data Protection Regulation (GDPR): Frequently Asked Questions

Does the GDPR replace the Data Protection Act (DPA) and Privacy and Electronic Communications Regulations (PECR)?

  • Yes, the GDPR does replace the DPA. It does not replace the PECR, which give people specific privacy rights in relation to electronic communications.

Does the UK’s decision to leave the EU have any impact on GDPR?

  • No, it doesn’t. The government has confirmed that the UK’s decision to leave the EU will not affect the introduction of the GDPR on 25 May 2018.

Who is affected by GDPR?

  • You can assume that if you hold personal information that falls within the scope of the DPA, it will also fall within the scope of the GDPR. The regulation will apply to any organisation providing goods or services inside the EU that decides how personal data and sensitive personal data are processed, and equally to those that carry out that processing on its behalf. GDPR applies equally to not-for-profit and charitable organisations. It also applies both to automated personal data and to manual filing systems.

When am I ‘processing’ personally identifiable information or sensitive personal data?

  • If you are storing, collecting, using or destroying personal data about your staff, members, supporters, suppliers, or any other contacts, or disclosing or transferring their data to another organisation, then you are processing personally identifiable information.
  • Sensitive personal data is information covering:
    •    racial or ethnic origin
    •    political opinions
    •    religious or philosophical beliefs
    •    trade union membership
    •    genetic data
    •    biometric data
    •    data concerning health
    •    data concerning a natural person’s sex life or sexual orientation

In what ways can I justify processing data?

  • There are some fundamental ways to demonstrate a legal basis for the collection and processing of personal data:
    •    You have explicitly gained the consent of the data subject to hold and process their personal information. This consent must be actively given and you must be able to provide evidence of this consent.
    •    You have a “legitimate reason” to hold and process personal information. For example, during an online purchase you have to provide whatever basic information is necessary to fulfil the transaction, i.e. contact and address information, and the seller will have to record your transaction.
    •    You may have a legal obligation to collect and process personal data. For example, if the person is an employee, you have a legal obligation to record and process payroll information and report details to HMRC. As you are legally bound to do this, you do not require the explicit consent of the individual.
    •    Processing is necessary to protect the “vital interests” of an individual, that is, effectively matters of life or death.
    •    Processing is necessary to comply with a UK legal obligation.
    •    Processing is necessary for the performance of a task carried out in the public interest.
  • In Hart Square’s opinion, consent and legitimate interests are the two most relevant legal bases to the NFP sector.

We pass our member/supporter data to our mailing house supplier so that they can send out member/supporter communications. Can we still do this after the commencement of the GDPR?

  • Your supplier needs to demonstrate to you that they are compliant with GDPR. Your contract with your supplier needs to have a GDPR compliance policy. If your supplier is not compliant, your organisation as well as the supplier could be liable for a fine.

Can our organisation carry on using existing DPA consents?

  • You are not required to automatically refresh all existing DPA consents in preparation for the GDPR. However, if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being: specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, then you should obtain GDPR-compliant consent.
  • Consent must be actively given. There must be some form of clear affirmative action – that is a positive opt-in.
  • Consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent.
  • When obtaining consent, the purpose for which the data is being collected and the way it will be processed must be explained in clear and simple terms.
  • Ideally explicit consent is required for each channel of communication – both electronic and non-electronic – to allow the individual choice and flexibility.
  • You should also consider if you can rely on another of the legal bases to process personal and sensitive personal data. (See question above.)

How long does consent last?

  • There is no explicit expiry date, but there is an expectation that consent should last between two and three years. It is essential to record the date on which consent was given, at the time it is given, together with a record of what the individual was told in order to capture their consent.
  • There is a requirement to hold evidence of the interaction or conversation in which that consent was recorded, and a link to the statement that was used to capture it.

Will audits from the Information Commissioner’s Office (ICO) increase?

  • The ICO has not made its position on this subject clear. However, the need to evidence compliance is most likely to come from members/supporters in the first instance. You must show at once upon request that you are compliant, or face the possibility of significant fines.

Isn’t having to sacrifice all this data a bad thing?

  • Whilst the number of contacts may reduce, the quality of information should increase and you can become more targeted in your communications. It’s an opportunity to manage your organisation’s data better, ensure you hold accurate, good-quality information about your member/supporter database, and build better and closer relationships.

Do I need to go on training or require certification for GDPR?

  • It’s not part of the requirements to attend any training or gain certification.

Shouldn’t our strategy just depend on how sensitive the data we’re holding is?

  • No, if your organisation is holding staff data, keeping HR records, customer/member/supporter lists, or other contact details then you will need to take steps to comply with the GDPR.

What are the consequences of not adhering to the GDPR?

  • The minimum penalty for non-compliance is 2% of global turnover or £10 million, whichever is more. In addition, there is the media coverage that would be generated by the non-compliance and the loss of your organisation’s reputation for holding data responsibly, which in turn may affect member or supporter retention as trust in the organisation is eroded.

Isn’t the number of complaints I had under DPA indicative of how many I will get under GDPR?

  • Not necessarily. It is likely that the increased media interest in non-compliant organisations following the commencement of the GDPR will raise awareness among all members of the public of their rights.

Hart Square’s GDPR Self-Assessment Form

Hart Square have worked within the charity and not-for-profit sector for many years, and during that time have helped numerous organisations make better use of their technology to meet their aims and objectives.

The impending introduction of the GDPR (General Data Protection Regulation) in May 2018 is one of the most significant changes to impact the sector over this timeframe, in that it demands that all organisations tighten and improve the way they capture, store and utilise their contacts’ information.

The questions and examples in this Self-Assessment are intended to help organisations to better understand how prepared they are for these changes and to identify areas of greatest risk.

Our hope is that through this self-assessment, you will be able to identify areas of improvement and then go about tackling these in a timely and efficient manner.

GDPR compliance is the sole responsibility of each organisation, regardless of outside support, systems, or recommendations provided by 3rd parties.