General Data Protection Regulation
Following four years of intense negotiation, the General Data Protection Regulation (GDPR) is now due to come into effect on May 25th 2018. For charities, as for all other businesses, this updated data protection framework represents both an opportunity and a challenge. The GDPR has been designed to give the public greater control over their personal data and the manner in which it is collected and used by companies. As such, charities need to be aware that when it comes to fundraising, all data collection and processing activities will soon require more rigorous controls than at present, while potential penalties for non-compliance will be far more onerous. Naturally, charities will now have to audit their processes from top to bottom to ensure that they are fully prepared and in compliance pre-2018. No mean feat, yet it is important to remember that the GDPR is, at least in part, a regulator’s answer to an issue that sooner or later all companies, including charities, must face up to: namely, the substantial erosion of public trust.
This lack of trust manifests itself in several ways. In a broader context, it fuels the anti-establishment upheavals that have characterised 2016: Brexit, Trump, and most recently Italy’s rejection of Matteo Renzi’s proposed reforms. In terms of personal data, a raft of data breaches coupled with revelations of mass surveillance programs have left the public extremely wary of the interface between technology and their private information. In the context of Ireland’s charity sector, meanwhile, a number of well-publicised scandals, though confined to specific bodies, have unfortunately placed the sector as a whole in a critical light, inevitably impacting on public trust.
This is an issue that must be tackled on many fronts, but perhaps the safeguarding of personal data is a good place to begin. Under the GDPR, charities will need to build sustainable measures for ensuring data privacy into all aspects of their operations. They must gain explicit consent from donors before processing their personal data. They will need to clearly inform them of the complaints channel open to anybody unhappy with how their data has been processed. They will need to be responsive: donor requests concerning access to their data must be actioned in a timely fashion, and where a data breach occurs and a donor’s data is clearly at risk, the charity must notify them with all due haste. In addition, they must respect their donors’ right to be forgotten and, upon request, delete any personal data that is not necessary for contractual purposes.
These are only some of the obligations that Ireland’s charities must attend to between now and May 2018. As we said before, no mean feat. However, a positive and energetic engagement with the incoming regulations will greatly benefit the charities in question, sending a clear message to prospective donors that their personal data is highly valued and will be rigorously protected. In the vital effort to rebuild public trust post-2016, this will count for a lot.
To ensure that charities are fully prepared for the GDPR, Charities Institute Ireland will be hosting a professional certificate in Data Protection on February 22nd 2017.