The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. From that date, all UK organisations that handle personal data have been required to comply with its requirements, and since the UK left the EU the same rules continue to apply under the UK GDPR and the Data Protection Act 2018. Charities are no exception. Large charities might have the resources to ensure that all of their activities are compliant with GDPR. But small charities might struggle.
This is an essential guide to data protection for small charities. We’ll outline exactly what your legal obligations are, and we’ll point you to numerous resources to help you stay compliant. We’ll also advise you on some steps you can take to protect your charity in the unlikely event of a data breach.
The 7 Principles of GDPR
The aim of GDPR is to give individuals control over their personal data. Organisations can remain compliant by abiding by these seven principles:
- Lawfulness, Fairness, Transparency. You must tell your supporters exactly why you’re collecting their data. GDPR also sets out six lawful bases for processing personal data (consent is one of them). If none of the six bases applies to a piece of data, you shouldn’t be collecting it.
- Purpose Limitation. You can only use a supporter’s data for the purpose you specified when you collected it, or for a purpose compatible with it. You cannot use the data for unrelated purposes that you did not tell your supporters about. For example, if you store a volunteer’s phone number as an emergency contact, you cannot then pass this phone number to your telephone fundraising team.
- Integrity and Confidentiality. Your charity takes responsibility for ensuring that all of your supporters’ personal data is secure. You must take appropriate technical and organisational measures to protect the data against unauthorised or unlawful access, and against accidental loss, destruction, or damage.
- Data Minimisation. Only collect the data you need. Your aim should be to collect as little data as possible, and you should only retain the data that’s necessary for your ongoing operations.
- Storage Limitation. You should not store your supporters’ personal data for longer than necessary. You should therefore commit to periodic reviews to identify and delete any data you no longer need.
- Data Accuracy. Any data you hold should be accurate. If it’s inaccurate or outdated, you should either work to rectify it, or else delete it.
- Accountability. You have a legal responsibility to comply with GDPR. You should also be able to readily demonstrate that you’re complying with regulations.
Data Protection Tips For Small Charities
Larger charities can afford to appoint data protection officers to ensure that everything’s above board. Small charities are unlikely to have this luxury. But really, GDPR is nothing to worry about. Take the time to review your practices and you might find you’re already GDPR compliant without realising it!
Here are some general tips that will help you ensure your small charity abides by the seven principles of GDPR:
- Identify your data collection points. Think about all the points at which you collect supporter data. Think about the forms you ask people to fill in, both offline and online. What data do you ask people to provide at these points? Are you asking for anything that you don’t really need? What are you doing with this data, and how are you storing it once you’ve collected it?
- Communicate your purpose. For every bit of data you collect, make it crystal clear just why you’re collecting it – whether it’s for operational, marketing, or fundraising needs.
- Think about consent. Where you rely on consent, it must be a clear, freely given opt-in, not a pre-ticked box. Let supporters choose which data they share with you, record when and how they consented, and make it as easy for them to withdraw consent as it was to give it.
- Keep your data safe. Only people who have a legitimate need to use the data should be able to access it. Keep supporter records on encrypted, password-protected devices and accounts rather than on personal laptops or shared drives, and don’t share a supporter’s data with any other individual or organisation unless you have a lawful basis for doing so (for example, a written contract with a mailing or payment provider that processes it on your behalf).
Data Protection Policies, Templates and Other Resources for Small Charities
There are many resources out there to help small charities achieve GDPR compliance:
- The ICO self-assessment tool. An interactive tool from the Information Commissioner’s Office (ICO) specifically designed for small organisations. Answer the questions honestly to find out whether you’re complying with data protection law, and you’ll get an outline of the steps you need to take to make things more secure. Start your GDPR self-assessment journey.
- The NCVO Data Protection Hub. A wealth of resources from the National Council for Voluntary Organisations (NCVO) covering all aspects of data protection. As well as general information and guidance, you’ll find webinars, training courses, and other events. Access the NCVO data protection hub.
- Data Protection Policy Template. Download a template that’ll help you write a GDPR-compliant data protection policy for your small charity. Access a collection of data protection policy templates for small charities.
How To Safeguard Your Small Charity Against a Data Breach
In theory, if your small charity’s compliant with GDPR, then you’ll be well on your way to your data being secure. But attackers are constantly changing their techniques. Even if you work tirelessly to secure your supporters’ data, you may still be the victim of a cyber breach. If that happens, GDPR requires you to report a personal data breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to put individuals at risk, so it pays to plan your response in advance.
That’s why all organisations – including small charities – should consider getting cyber breach response insurance.
Do Charities Need Cyber Insurance?
If your system’s hacked, or if you suffer from data loss or a data breach, cyber insurance can cover the costs of getting everything back up and running. It can also help you determine any vulnerabilities in your system, so you can make things even stronger in future. And crucially, it can help you reach out to anyone affected by the breach, and even cover the costs of any compensation they may be due.
Head here to learn more about cyber breach response insurance, and what it covers.
We offer specialist insurance cover tailored to suit the needs of small charities. Our cover starts at 35p a day with no hidden fees, and you can get a free quote online in minutes.
If you have any questions or would like to discuss your options please contact the Tapoly team at email@example.com, call our help line on +44(0)207 846 0108 or try our chat on our website.