Fraser Nicol, partner at Scott-Moncrieff chartered accountants, looks at what charities need to do to ensure they meet the new legal requirements
On 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into force and brings with it a significant change to the UK’s data protection laws.
Additionally, the Information Commissioner’s Office (ICO) will be empowered to impose fines of up to 4% of global revenue or 20 million euros for breaches of the new rules.
As a result, charities need to work quickly to confirm that they understand, and comply with, the new law.
What does this mean for charities?
GDPR represents a serious challenge for many organisations, particularly charities that are dependent on their donor databases and hold large amounts of sensitive information on vulnerable individuals.
Recent breaches of data protection have resulted in eye-watering fines for the organisation at fault. In April 2017 alone, 11 charities were fined between £6,000 and £18,000 each for breaches of the Data Protection Act. Fines were imposed for activities such as sourcing information on donors to ‘fill in the blanks’ for any information they didn’t provide or illegally sharing information on donors with other charities, no matter what the cause and with no record.
Under the Data Protection Act, the current limit for ICO fines is £500,000; under GDPR this will increase to over £17.5 million or 4% of global revenue. Trustees and executive leadership are accountable for compliance with the new law, and it is critical that they take steps now to ensure their organisations are ready ahead of May.
What do charities need to do to comply?
Compliance with GDPR requires you to be able to understand and record what personal data you gather, why you gather it, how you handle it, where you hold it and how you share it.
Processes should be put in place to ensure that permission is obtained when necessary to gather data and that data subjects are aware their information is being gathered and what it will be used for. The data obtained should also be proportionate, kept up to date and accurate, and only held for as long as it is required. For many charities, this will mean developing a raft of new processes and policies in order to ensure compliance.
In addition, GDPR introduces new rights for data subjects, such as the right to be forgotten and the right to move data held on them to another provider (data portability). It also introduces important changes to how and why consent to obtain data can be gathered and how this consent can be used.
GDPR also makes certain activities mandatory, for example:
- Appointing a data protection officer;
- Providing new and existing staff with suitable training and awareness, as well as additional sources of guidance and support when required;
- Conducting data protection impact assessments (DPIAs) to design data privacy into any new systems and processes. This is of particular importance if new technology is being deployed, where special categories of data are processed on a large scale, or if profiling operations are being performed which are likely to have an impact on individuals;
- Notifying the ICO within 72 hours of a data breach.
With some new elements and significant enhancements being introduced by GDPR, it is essential you start planning for this now. At Scott-Moncrieff, we are working with a range of charities to help them attain GDPR compliance.