Data Protection and GDPR for Charities – act now

12 January 2018

Charities have always had a heightened awareness of data protection and confidentiality issues, and apart from a privacy policy which is visible to all, best practice has been to have a data protection policy, communicated to all staff and volunteers, and to have a specific named individual who is responsible for ensuring that the policy is fit for purpose and adhered to at all times. The Data Protection Act (DPA) has been with us for 20 years, the law affecting electronic marketing (PECR) changed in 2003, and charities are aware of the fundamental data protection principles.

Now the law is changing to give further protection and control to individuals, and greater transparency. The new General Data Protection Regulation (GDPR) has “evolved from existing law” according to the Information Commissioner (ICO), whose office is charged with ensuring compliance.

In the wake of some highly-publicised cases, GDPR comes into force on 25 May 2018. This applies to all businesses, and there are no exemptions for charities on issues such as security, marketing and the use of volunteers.

You should treat this as seriously as you do your safeguarding policy, which is fundamental to every charity. The privacy rights of individuals are enshrined in law and you must be compliant. Preparation is key, and all charities should ensure that they are ready before 25 May 2018. Some key issues:


The ICO has issued a “12 Steps to take now” checklist, and we recommend that it is brought to the attention of all key managers and decision makers as well as the trustees of the charity.


This affects the whole organisation. You must train your volunteers to the same level of understanding as your employees. They must be equipped to handle confidential data and adhere to the rules, so they need clarity on how data must be protected.

The rights of the individual

The GDPR lists eight rights of the individual: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to automated decision-making including profiling. You need systems, procedures and a policy in place which ensure that you can meet all of these rights.

Access and security

Now is the time to review your IT security, to ensure that it is robust and fit for purpose. Does it protect against unlawful or unauthorised processing, and against accidental loss, destruction or damage? The ICO website has more guidance on this.

  • If someone asks to have their personal data deleted, how easy would it be for you to locate and delete it, and who will monitor this?
  • Do you have the right procedures in place to detect, report and investigate a personal data breach?
  • Are you able to carry out a Data Protection Impact Assessment (DPIA)?


This is a key area. You cannot assume consent, and silence from an individual is not consent, nor is unverifiable consent. Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in by the individual. Check out the ICO's detailed guidance on this, as it is vital that you get this right.

Further information

Alex Mendez, co-founder of independent cyber security consultancy Remora, explains the implications of the new data rules in our latest Charity Outlook. Download the Outlook here for his take on the steps you should be taking to ensure your charity is ready for the changes. Alternatively, please contact your usual UHY adviser or nearest UHY charity specialist.