As a result of GDPR, charities have had to pay close attention to their data privacy efforts across all facets of their business. With limited resources allocated for compliance, how can small charities ensure that they adhere to the GDPR without funneling precious time and money away from their core activities? Here are the top considerations for small charities when it comes to the GDPR.
Employees and Volunteers
Most charities carry personal data on their employees and volunteers – even if it is just contact details. The good news is that you will likely have a lawful basis for keeping this data, without the need for explicit consent. That lawful basis will likely be “legitimate interests” or “performance of a contract”, although be sure to get legal advice about your own particular situation.
Generally, make sure your organization:
- Stores all data securely
- Can respond to and take action on data subject requests within 28 days
- Provides a privacy policy written in clear language (and that includes your lawful bases)
- Documents what types of data you process, why you process them, and how long you keep the data
- Only collects the data it needs
You should also ensure that all employees and volunteers who may handle personal data as part of their role are fully trained in the fundamentals of GDPR and information security.
Fundraising
Your fundraising methods could be affected by the GDPR, depending on the methods you use. For most charities, there are two key occasions where you will collect personal data when fundraising:
- When collecting details for the donation
- When reaching out to people who have donated in the past or are ongoing donors
In addition to adhering to local fundraising regulations, you will need to make sure that you protect the data you hold on donors. Make sure that your organization:
- Stores all data securely
- Can respond to and take action on data subject requests within 28 days
- Provides a privacy policy written in clear language (and that includes your lawful bases)
- Documents what types of data you process, why you process them, and how long you keep the data
- Requires opt-in consent for any third-party direct marketing
- Allows data subjects to unsubscribe from any and all marketing communications
- Only collects the data it needs
For Websites
If your charity maintains a website, you may collect personal data such as an IP address, form entries or donation details. Make sure that your organization:
- Notifies users if cookies are being collected and enables consent management.
- Provides a privacy policy written in clear language
- Provides information notices when personal data is collected (for example, via a donation and contact form)
- Enables opt-in consent for third-party marketing
With good data management and an ethical approach to fundraising, charities can demonstrate compliance with the GDPR. With Sovy, we make it easy and affordable to adhere to the fundamentals of the regulation so that you can get back to fundraising for your cause. Find out more about how the Sovy GDPR Privacy Essentials could help your charity get compliant and stay compliant.