According to The Institute of Fundraising survey, most (72%) charities see lack of clear guidance as the biggest challenge to the GDPR. 25th May 2018 is D-day for compliance, so charities that haven’t yet got to grips with GDPR need to get their skates on.
Our earlier blog identified five key areas where the GDPR will significantly impact charities come May. Here, we advise on the action charities should take urgently, if they haven’t already.
Action points for charities in preparation for GDPR
1. Accountability – prove that data protection is a priority for your charity
- Review your existing compliance programme and conduct a data protection audit
- Make sure you have clear records of all processing activities and consents
- Appoint a Data Protection Officer if you process large volumes of personal data, or sensitive data
- Update your policies, compliance structure, job starter packs and training
2. Review your processes for consents
- Check the validity of your existing “consents” – you may need to obtain consent again, which will be more difficult to do after the May deadline
- Make sure you can deal with consent withdrawal
- If consents prove too difficult to obtain and maintain, you may find an alternative legal ground for processing
3. Are your data processors GDPR compliant?
- Review all key current data processing agreements with suppliers
- Update your standard purchase terms
- Ensure all supplier and partner contracts meet GDPR requirements
- Set out the scope of processing clearly and comprehensively
- Include appropriate indemnities in your agreements
4. Prepare for data breach notification
- Develop a data breach response plan and test it
- Review your information security measures – can breaches be detected and managed?
- Make sure your records are fit for purpose so, for example, you can quickly work out who to tell
- Encrypt data where possible
5. Enhanced rights for individuals
- Carry out Data Protection Impact Assessments (DPIAs) to make sure you can cope with requests – for example for data deletion or a subject access request.
- Set up processes and user interfaces (for example on your website/with your call centre) for handling and documenting requests and appeals.
If your charity needs help preparing for GDPR, Me Learning has developed a series of courses to aid Charities in understanding the changes to data protection law. To find out more click here.