The rules on Data Protection apply to all organisations, big and small, commercial, public sector and voluntary sector. But to be honest they have been drawn up more with the larger organisations in mind, so it’s sometimes hard to apply the rules properly, but sensibly, in small organisations, and particularly in charities and other non-profit settings.
What difficulties do these organisations most often face?
1. Communications with beneficiaries and supporters
One of the objectives of the General Data Protection Regulation (GDPR) is to shield people from being pestered with unwanted marketing communications (including fundraising appeals). Which is laudable. But when does a communication count as marketing? The rules don’t always seem to apply to non-profit scenarios – especially because there is an additional set of rules when the communications are by phone, email or text.
Much of the time the solution can be found by following two principles:
- Make sure that people know how and why you want to contact them.
- Give them as much choice as possible: if they don’t want to hear from you, or don’t want a particular kind of contact, you would have to have a very strong justification for not allowing them a choice or for going against their wishes.
You can spend a lot of time debating whether the choice should be opt in (we need you to say ‘yes’) or opt out (you can say ‘no’), and the rules can seem a bit complicated. But at the end of the day if you behave reasonably and treat people the way you would like to be treated no one is likely to complain.
2. Staff and volunteer training
If anyone – staff or volunteer – gets it wrong in how they handle data about the people you are in contact with it’s the organisation that gets the blame. We could be talking about using the data in unapproved ways, sharing it when it shouldn’t be shared, taking insufficient care of the data when they are working from home or out of the office, or making mistakes in what they record and how they record it.
There is lots of scope for error.
Small organisations don’t have a lot of time or money for training staff, let alone for training volunteers, especially when there are lots of people all doing small amounts of work, and possibly with a high turnover.
But enforcement action has been taken by the Information Commissioner against charities for failing to train volunteers appropriately, so the risk is real – including the possibility of significant fines.
Even a volunteer-run HIV support group was fined £250 when they sent out an email to their several hundred group members that contained the private email addresses of everyone in the group.
Your volunteer code of conduct probably talks about confidentiality already, but as a minimum it should also address key Data Protection matters, and all volunteers should be reminded of their responsibilities from time to time.
3. Subject access
People are gradually becoming aware of their right of ‘subject access’ – in other words to have a copy of the information that any organisation holds about them. For a small organisation it can be quite a scary event if someone puts in a subject access request.
Again, the rules can be complicated: potentially you have to go through all your records (including, for example, emails) to find any reference to the person who has made the request and then go through all the material to decide which information does have to be disclosed (most of it) and which should be withheld, perhaps because it breaks the confidentiality of someone else.
The rule here is not to panic.
It’s better to get it right, even if you have to tell the person that it might take longer than the month you are allowed. This is one area where it’s definitely worth looking on the Information Commissioner’s website for guidance on how to proceed.
There are other rights that people might try to exercise: the ‘right to be forgotten’ (which isn’t as drastic as it sounds) and the right to have incorrect information corrected (which is one you would definitely want to comply with.
Again, don’t panic.
Get your staff and volunteers to pass the request to someone who can look into it properly rather than trying to sort it out just because they are the one who received the request.
4. Collaborative working
Lots of collaboration takes place within the voluntary sector, which is a good thing. We could be talking about anything from a one-off joint event to a long-term programme where the same clients or beneficiaries receive a range of services, each provided by a different organisation.
When any collaboration involves sharing data about individuals, things can get a bit complicated. Different organisation have different recording systems, and probably slightly different approaches to how they use and look after people’s data.
Given goodwill on all sides, reaching agreement on how to manage these differences shouldn’t be a problem – but it’s something you must think about, and preferably before your collaborative activity takes place.
It’s not just a ‘nice-to-have’.
GDPR says you must do this (mainly so that you avoid anything falling down an unexpected gap, but also in case anything goes wrong and you need to know who to blame).
You love getting money from funders, right? Do you also love the funding agreement they make you sign? Many voluntary organisations find that their funding agreement contains provisions about the handling of personal data which either don’t make sense legally or impose impossible conditions.
Getting technical for a moment: it is usually wrong for a funder to state that they are the data Controller and the funded organisation is a Processor. That would only be true if the funder actively tells you how to manage the data you collect, and if the data belongs to them at the end of the project. It’s much more likely that the funded organisation is a Controller, possibly a joint Controller with the funder.
If any funder puts forward a funding agreement that seems wrong, or that you don’t understand, it is worth taking advice. You might be able to get this advice for free from the Information Commissioner’s Office, or you might have to ask a friendly lawyer.
The thing about Controllers and Processors shows that although the fundamentals of Data Protection are pretty straightforward and sensible, the detail can get complicated. This is especially so because you may have to consider at least three pieces of legislation:
- The General Data Protection Regulation (GDPR)
- The UK’s Data Protection Act 2018, which puts GDPR into UK law, and makes some UK-specific provisions (this is a long and complex Act, but important)
- The Privacy & Electronic Communications Regulations 2003, which have a section in them about direct marketing by phone, email or text (these Regulations may soon be replaced by a new ePrivacy Regulation)
Get help if Data Protection is worrying you
Don’t be afraid to ask for support if you find that things are getting complicated.
The Information Commissioner’s helpline (0303 123 1113) is, understandably, very busy at the moment, but if you really aren’t sure about something it’s a very useful resource.
For further information about the General Data Protection Regulation and key areas it covers including personal data; legal basis for processing; the six principles and compliance - have a look at my The Elements of GDPR resource.
This blog has been produced as part of our Digital Leadership 101 series of training and advice for CEOs and trustees of small charities, funded by the Department of Digital, Culture, Media and Sport and run in partnership with The FSI, NAVCA and London Plus.