This website uses cookies for anonymised analytics and for account authentication. See our privacy and cookies policies for more information.





The voice of Scotland’s vibrant voluntary sector

Published by Scottish Council for Voluntary Organisations

TFN is published by the Scottish Council for Voluntary Organisations, Mansfield Traquair Centre, 15 Mansfield Place, Edinburgh, EH3 6BB. The Scottish Council for Voluntary Organisations (SCVO) is a Scottish Charitable Incorporated Organisation. Registration number SC003558.

The clock’s ticking for charities to address GDPR

This opinion piece is over 6 years old
 

Kate Wyatt reminds charities that the clock is ticking on GDPR

With new data protection rules due on 25 May, charities’ HR teams have little time to get up to speed on their new obligations. Breaches could expose them to fines and reputational risk.

The new law – the General Data Protection Regulation, or GDPR – involves two tasks for HR teams.

Firstly, they have to deal with data they hold on employees. Secondly, they should train staff to correctly handle data on service users, volunteers, donors, suppliers or others.

Kate Wyatt

There’s clearly a lot to do here, but there’s plenty of help available

Kate Wyatt

Know your data

HR departments generally know what data they hold on people, have rules for managing it, and know how to access it.

Therefore, auditing the personal and sensitive personal data they handle may be an easier task for HR than for other teams.

In our experience, an area where charities’ HR teams have a significant GDPR compliance challenge is their “lawful basis” for holding personal data.

Under the current rules, employers commonly rely on employees’ consent to hold data – probably via a consent clause in their contract. Under GDPR, this is unlikely to be sufficient, and they’ll need to establish new grounds for handling it.

Generally, charities will easily establish an alternative lawful basis for holding employee personal data – for example, to meet their legitimate needs as employer. But they need to review contracts, see if they’re relying on consent, identify a different lawful basis and if so, update contracts.

Personal data held on job applicants will also need to be audited – remembering that the lawful basis for holding applicants’ data is not going to be the same as it is for current employees.

For former employees, HR teams should audit what data they hold, looking at their basis for holding it, how it is held, and for how long.

Staff should be updated on changes to data protection policies – not just to assure them about HR compliance with the GDPR, but to bring them up to speed on their responsibilities when handling other people’s data on behalf of the charity.

Dealing with requests and breaches

Another challenge for charities is going to be the expected spike in “subject access requests” (individuals requesting to know what data is held on them) from 25 May onwards. We recommend developing pro forma responses to streamline the process.

Another process to develop is how to monitor compliance with the new law, and report breaches to the regulator (which will be compulsory within 72 hours of an organisation discovering it).

There’s clearly a lot to do here, but there’s plenty of help available – from online guides to tailored advice on exactly what approach to the new law would work best for your organisation.

We advise most charities to designate a data protection manager – even if a formal data protection officer is not required - someone to drive audits and reviews, galvanise everyone into compliance, and identify what outside help might be useful. You can also refer to this useful checklist.

Daunting this task may be for anyone, but charities will generally benefit from understanding and managing data better, and it will help to safeguard crucial relationships with staff, volunteers, users, donors and other stakeholders.

Kate Wyatt is a Partner in Lindsays Employment Law team.