Charities and GDPR

The EU General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and aims to strengthen and harmonise data protection.  It applies to any organisation that holds information about an EU citizen.


Charities fall within the requirements and may have significant levels of information particularly relating to donors.  As a result of GDPR donors will have to opt-in to receiving information about future appeals and the activities of Charities.  This may have an effect on the level of donations received by the Charity and action should be taken now to ensure the impact of the changes is minimised and donors understand how their data is managed.


The Information Commissioners Office (ICO) have produced a twelve step plan to prepare for the changes in regulation.



Senior management and key people in your organisations need to be aware that the law is changing and understand the impact GDPR will have on your charity.   Given the resource restraints in Charities the sooner this process is started the better.


Information you hold

You need to document what personal data you hold, where it came from and who you share it with.  This may involve undertaking an information audit. This will help in satisfying the GDPR’s accountability principle.


Communicating privacy information

Review your current privacy notices and put plans in place for them to be updated.  GDPR requires the privacy notices to include additional information including your lawful basis for processing the information, the data retention periods and that individuals have the right to complain to the ICO if they think there is a problem with the way you are handling the data.


Individual’s rights

Check your procedures to ensure they cover all the rights individuals have, including how you would identify and delete personal data or provide data electronically and in a commonly used format.


Subject access requests

Under the new regulations, subject access requests will need to be complied with within 30 days rather than 40.  You will need to update your procedures and plan how you will handle requests within the new timescales.


Lawful basis for processing data

Review the various types of data processing you carry out, identify your legal basis for carrying it out and document it.



Review how you are seeking, obtaining and recording consent for the data processing activity.  Existing consents should be reviewed now to ensure they comply with the new regulations.  The ICO has provided detailed guidance on consent.



Start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.


Data breaches

Make sure you have the right procedures in place to detect, report and investigate a personal data breach.


Privacy by design and impact assessments

Familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.


Data Protection Officers

Designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.



If your organisation operates internationally, you should determine which data protection supervisory authority you come under.


If you would like to discuss GDPR for charities, or you would like to speak with a member of our team, please contact Nicola Mason or call 01772 821021 to be put in contact with a member of our Charity team.