With fewer opportunities to fundraise and provide services on the ground, charities are increasingly making the move online. Going digital offers organisations a multitude of new opportunities to share their message and reach new audiences. Although increased digitisation has been brought about out of necessity, the benefits will last far beyond the current crisis.
A breach of data protection compliance can cause irreversible reputational damage, making it crucial that a pivot online is underpinned by robust data protection compliance. We highlight the key data protection recommendations that charities need to consider when putting new innovations in place.
Before you start: consider whether you need a Data Protection Impact Assessment (DPIA)
A DPIA is a risk assessment that examines what data you hold, what you’re doing with it, and what impact that has on individuals’ data protection rights. Article 35(1) General Data Protection Regulation (GDPR) states that you must undertake a DPIA if your processing is likely to result in a high risk to the rights and freedoms of natural persons. The Data Protection Commissioner (DPC) lists the types of processing activities that give rise to a DPIA, for example processing:
- data on a large scale
- special category data, such as health data
- data concerning vulnerable data subjects, such as children, and
- data using innovative technology
Consider and document whether a DPIA is necessary as early as possible in the project timeline. This reduces costs and interruptions by ensuring that data risks are identified and mitigated before they become big problems. It’s also a great way to demonstrate your organisation’s commitment to data protection by design, which is a major concept of the GDPR (Article 25).
Make sure you know where your suppliers are going to process your data. Put in place an appropriate agreement with them. As the data controller, you are required to ensure that the agreement is in line with your data protection obligations.
If your supplier is based abroad, you should check whether the European Commission has designated the country it’s based in as having adequate data protection. If not, you need to use standard contractual clauses as part of your service agreement.
If the way you’re using personal data is changing, you might need to update your privacy notice and provide a new copy, for example by email. Ensure that you have an appropriate legal basis for processing, for example, legitimate interests. If you’re using data for certain new activities, like direct marketing, you might need to obtain fresh opt-in consent if the individual hasn’t already consented. This also applies if you’re sharing data with social media sites for fundraising purposes. Individuals must be informed if their information is being shared.
Data Subject Access Requests
Have a plan in place for identifying and handling requests for access to personal data. Under Article 15 GDPR, these requests have to be fulfilled within one month unless certain circumstances apply.
Building data protection compliance into every step of the digitisation process ensures charities minimise their exposure to adverse publicity arising from a breach of data protection law and avoid the hefty fines that may be imposed by the DPC. A practical and considered approach at the start of the process can save a charity from the costly and time-consuming process of investigations into breaches of data protection law. Introducing effective and efficient processes to deal with data subject rights, such as the right to access data, will also allow a charity to allocate its resources to the vital services it provides.
For more information and expert guidance in all related matters, contact a member of our Public, Regulatory and Investigations team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.