GDPR, PECR & Data Protection Best Practice

Blog by Eastside People Consultant Simon Hinks.

In today’s world, data drives nearly everything we do – and charities are no exception. Whether it’s keeping up with donors, tracking support, or measuring impact, data has become essential to a charity’s work. But handling this data is no small task. Charities may not be big tech firms, but they still need to follow the same GDPR (General Data Protection Regulation) rules as businesses.

For any charity, getting data protection right isn’t just about ticking boxes or avoiding fines. It’s about trust. The people who donate, volunteer, or benefit from a charity’s work need to know that their information is safe. Some charities have already faced heavy fines for data breaches, and more importantly, damage to their reputation. With data protection laws only getting stricter, there’s a lot at stake for charities to get it right.

Key GDPR Challenges Specific to Charities 

1. Consent Management: For charities, getting clear and valid consent can be tricky, especially with vulnerable groups like children or the elderly. GDPR requires that consent is clear, informed, and freely given – which can be challenging if you’re dealing with people who need extra support. Plus, charities often need different types of consent (for newsletters, donations, etc.), so keeping this updated and organised is essential. Without valid consent, there’s a risk of accidentally breaching GDPR. You also have the option of Legitimate Interest which for many charities allows them to work around not having consent for all their donors and we talk more about the Privacy and Electronic Communications Regulations (PECR) and soft-opt in later in this blog.

2. Handling Large Amounts of Personal Data: Many charities manage large amounts of data, from volunteer lists to donor info and beneficiary records. Compliance is more challenging with these big datasets since GDPR requires charities to regularly update, organise, and delete outdated data. It can be costly and time-consuming, especially if resources are limited, but keeping data up-to-date and secure is crucial. A single mishap can lead to a data breach or accidental sharing, so staying on top of data management is a must.

3. Third-Party Data Sharing: Charities often work with third parties – like event organisers or marketing firms – who help support their activities. But sharing data with these partners comes with risks. For example, if a charity shares donor information with an external event organiser, they must make sure that data is handled securely. If the third party fails in this, it’s still the charity’s responsibility. Charities need to set up clear contracts, do a bit of homework on these partners, and even consider auditing them to make sure everyone’s on the same page.

4. Fundraising and Marketing: Fundraising is the lifeblood of many charities, but GDPR means you need clear permission to reach out to people. Whether it’s emails, texts, or calls, GDPR requires that you know who wants to hear from you. Keeping track of this can be challenging, especially with a large supporter base. GDPR also has rules on profiling, such as using data to predict how likely someone is to donate, which can be common in targeted campaigns. To stay compliant, charities need to find the right balance between effective fundraising and respecting people’s privacy. Bear in mind that electronic marketing such as emails and SMS’s are governed by PECR , another regulation which sits alongside GDPR.

5. Data Security and Breaches: Data security is a huge part of GDPR, but not every charity has the budget or know-how for advanced IT protection. Many charities are more vulnerable to cyber-attacks or accidental breaches. Small mistakes – like emailing sensitive info to the wrong person – can be costly. GDPR requires charities to report breaches to regulators, so even basic steps, like access controls and password updates, make a big difference in keeping data secure.

As a charity when can I use the soft opt-in option?

1. Existing Relationship: Soft opt-in is allowed if the charity has an existing relationship with the individual, typically through recent interactions like a donation, membership, or participation in an event.
2. Similar Purposes: The soft opt-in can only be used to promote activities that are ‘similar’ to the reason the charity initially engaged with the individual. For instance, if someone donates, the charity may send updates on related fundraising efforts.
3. Clear Opt-Out Option: Each communication must include a clear and easy opt-out mechanism, allowing recipients to unsubscribe at any time.
4. Explicit Information at Point of Collection: When collecting contact details, the charity must inform individuals about future communications and provide an option to opt out immediately.
5. Only for Electronic Communications: Soft opt-in under PECR applies to electronic communications, such as emails or SMS. It does not cover postal communications.

Soft Opt-in Practical Example

If someone donates to a charity or registers for an event, the charity could send follow-up emails about similar efforts or events, as long as they provide an opt-out option in each message. However, sending unrelated promotional content without explicit consent would breach GDPR and PECR.

Charities are hoping that a proposed amendment to the Data (Use and Access) bill made by the Data & Marketing Association (DMA) to prevent the removal of the soft opt-in for charities’ marketing emails will be accepted.

Practical Steps for Charities to Ensure GDPR Compliance

1. Audit and Map Your Data:
   • Data Mapping: Identify where data comes from, where it’s stored, and who has access. It’s an essential first step in spotting risks.Review Existing Data: Clear out what you don’t need. Less clutter means fewer risks and better data quality.

2. Develop a Clear Privacy Policy:
   • Transparency: Tell people in plain language how their data is collected, used, and shared. No jargon – just clear, honest information.Accessibility: Make sure your privacy policy is on your website and easy to find for anyone who wants to read it.

3. Obtain and Manage Consent Properly:
   • Review Consent Mechanisms: Make sure people actively agree (e.g., opt-in boxes). GDPR doesn’t allow for assumed consent.Regularly Update Consent: Re-confirm consent if a supporter hasn’t been active in a while to make sure your list stays compliant.

4. Data Minimisation and Retention Policies:
   • Limit Data Collection: Ask only for what you truly need. It keeps data management simple and lowers risk.
   • Define Retention Periods: Set clear rules on how long data is kept and when to delete it.
5. Strengthen Security Measures:
   • Access Control: Limit data access to those who need it – nothing more.
   • Secure Storage: Encrypt sensitive info and store it safely, whether in digital or physical form.
   • Incident Response Plan: Have a plan for breaches, including notifying those affected and reporting to regulators.

6. Provide Training for Staff and Volunteers:
   • Regular Training: Make GDPR training part of staff and volunteer onboarding so everyone knows their role. This is so important today as most breaches are down to Human error of which many can be prevented through the use of technology, but at a cost. Training is the best solution and so should become a regular activity for any charity.
   • Practical Guidance: Use everyday examples so everyone understands how GDPR applies to their work.

When Can Charities Use Legitimate Interest to Process data?

1. Clear Purpose: The processing must have a clear purpose that supports the charity’s aims. For example, reaching out to previous donors, analysing fundraising effectiveness, or managing memberships could fall under legitimate interests.
2. Balancing Test: The charity must conduct a “balancing test” to ensure that its interests don’t override the rights and freedoms of individuals. This involves evaluating how the processing affects people and whether their privacy is respected. If the activity is likely unexpected, like using data for a new purpose, legitimate interest may not apply.
3. Transparency: Individuals must be informed about the processing, including the use of legitimate interest as a basis. The privacy notice should clearly outline this to meet GDPR’s transparency requirements.
4. Opt-Out Option: While not as strict as consent, people should be able to object or opt out easily from processing based on legitimate interest.
5. Documentation: The charity needs to document its assessment to justify using legitimate interest. This includes the balancing test, purpose, and measures taken to protect individuals’ data rights.

Examples of Legitimate Interest for Charities

1. Sending newsletters or updates to previous donors about ongoing or similar campaigns.
2. Processing data for event invitations related to the charity’s purpose.
3. Analysing supporter data to improve fundraising strategies (as long as this doesn’t involve sensitive data or unexpected uses)

Possible changes on the Horizon: What’s Next for GDPR and Charities?

Data regulations are constantly evolving, and there are a few changes on the way that could affect charities in the near future:

1. Stricter Consent Standards: GDPR is moving toward explicit, specific consent, especially for vulnerable groups like children and the elderly. Charities may need to update their consent processes to ensure everyone’s properly informed.
2. Increased Accountability Requirements: Charities might soon have to demonstrate their GDPR compliance more actively. This could mean regular privacy impact assessments and possibly even a dedicated Data Protection Officer (DPO) to oversee compliance.
3. Cross-Border Data Rules: Many charities operate internationally, which complicates data handling. Changes in cross-border data transfer laws may affect how charities store and process donor and partner data, especially in situations where new frameworks, like one to replace the EU-US Privacy Shield, come into play.
4. Enhanced Security Standards: With cyber threats rising, charities might need to invest in stronger digital protections, like encryption, two-factor authentication, and even more staff training on data handling.

What are the risks of non-compliance?

The ICO has the power to issue a monetary penalty for infringement of some provisions of the Act. If there is an infringement of provisions such as administrative requirements of the legislation, the standard maximum amount could apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

However, saying that, the regulator (the ICO) does not like having to fine charities and has shown in many cases a reprimand is given rather than a financial fine. Bear in mind though that all fines and reprimands are put up on the ICO’s website for all to see and read.

These developments mean that staying proactive and informed is essential for charities in the coming years. Not only does it keep them compliant, but it shows supporters they’re serious about data protection and privacy. Hopefully this blog has highlighted some of the challenges all charities face when it comes to Data Protection and it’s best to consider the use of a professional to ensure as a business you are held accountable.

Charities like businesses have the option to use the soft-opt in option and legitimate interest to process their customer data. The data protection framework and PECR are very clear how this should be used in each case.

Contact Eastside People via button below or email [email protected] if you would like more clarity and information about what you can and cannot do as a charity or would like to request a Data Protection Audit to identify any gaps or compliance risks and to build an action plan.