Call us: 07866 440080


The charity sector is under intense scrutiny over data management and fundraising practices and badly needs to re-build trust.

Following the highly publicised fines of the RSPCA and British Heart Foundation, there is rightly an increasing focus within the sector on ensuring charities are compliant with the law and importantly are able to demonstrate the same.

Is your charity ready for GDPR? 

The newest legislation, General Data Protection Regulation (GDPR) enters into application 25 May 2018, after a two-year transition period. In essence, moving forward, charities must all ensure they respect the fundamental privacy rights of each and every one of their donors, supporters and volunteers.

The aim of this legislation is to improve all business and charity accountability, increasing clarity around the basis of collection and use of their data. Demonstration of compliance is key, evidencing how you have been both fair and responsible in your data management will be essential.

As a consequence it is important that all charities overhaul their policies and procedures to adhere to these more stringent guidelines. Infringements of the basic principles for processing personal data, including the conditions for consent, are subject to the highest tier of administrative fines. This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher*.

Clearly there is no doubt that ensuring compliance needs to be a high priority for trustees of charities, both large and small.

Ensuring Compliance:

The Information Commissioner’s Office (ICO) has recently released comprehensive guidance to help charities navigate the new data management landscape. The main points of the ICO’s recent guidance are summarized in this article and focus on:

1. Being lawful

2. Understanding legitimate interest

3. Gaining consent

4. The importance of transparency

5. Re-using data

Essentially data should only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. It is important to be transparent about why you are collecting data, with clarity of purpose and importantly making it clear to the respondent that there is choice in permitting the collection, i.e the ability to opt in or out.

The practices of using external data sources to facilitate wealth screening in order to target high net-worth individuals has come under considerable scrutiny. In fact, the ICO strongly recommends getting the individual’s consent for data collection at all times, rather than sourcing such data without permission.

Consent Best Practice:

The consent to use contact details should cover all processing activities i.e e-mail, phone and postal communication. It is good practice to have clear and explicit consent in the form of opting in by communication method. Consent must be freely given, specific and informed and must involve a positive action indicating agreement. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

The contact should also explicitly be able to opt in to certain types or themes of communication, for example they may be happy to receive fundraising event news, but request not to be sent emails about volunteering.

Importantly you must ensure your CRM provides an audit trail or record of this consent and a way of managing communication preferences. Essentially you should be able to track consent by purpose of the comms, method of delivery, source of data and start/expiry date of consent. Investing in specialist I.T support, software and data management expertise will be of paramount importance.

In summary it is vital that moving forward you have to be fair, transparent and ensure your charity supporters are clearly informed about how you intend to use their contact information. The trustees of all charities are responsible for and must be able to demonstrate compliance with the data protection principles.

Are you ready for GDPR? 

*Source: Information Commissioner’s Office, GDPR Guidance

Leave a Comment