GDPR Small Charities Policy Template
GDPR has significant implications for charities, especially when it comes to data on your clients, donors, employees and volunteers. Each of these groups has its own set of privacy concerns, which must be addressed in your data handling procedures and security measures.
What is the General Data Protection Regulation (GDPR)?
The GDPR went into effect in the European Union on May 25th, 2018. It sets out how any organisation, charities included, must handle personal data, and it is at the centre of Europe’s digital privacy laws.
It began as a law of the European Union. However, after the Brexit transition period ended, it was retained in the UK’s data protection law. It protects the personal information of EU and UK citizens, and it applies to charities that deal with personal information. So if your charity asks for, receives or stores personal information from people in the EU or UK, these laws apply to you.
GDPR is not just a legal requirement. It also gives charities the chance to gain people’s trust and confidence, become more resilient as an organisation, and get more value out of their data.
GDPR small charities policy Template
First, let’s look at what you would need to include in your GDPR small charities policy template.
Even though charities don’t collect personal information for profit, they are just as vulnerable to data breaches and privacy violations as any other organisation.
Understanding people’s rights under the GDPR
Under the GDPR, people whose personal information is used, processed or stored by public bodies and private organisations, including your charity, have the right to ask how that information is used, processed and stored.
One of these rights is the ability to find out how their personal data is being used and to access that information. They can also:
- Have any wrong or outdated personal information corrected
- Ask you to erase any information you hold on them
- Stop or limit the processing of their personal data
- Receive their data, or have it transmitted to another organisation
- Object to how you use and process their data
They also have rights to object if you use their data for any of the following purposes:
- Automated decision-making (without human involvement)
- Profiling that can be used to forecast their behaviour or interests
What are the 7 most important GDPR principles to be aware of?
The General Data Protection Regulation (GDPR) is based on seven principles, and it is meant to give people more control over their personal data.
- Lawfulness, fairness and transparency: All organisations must be open and honest with people about how they collect and use personal data.
- Limiting the use of personal information: Personal information can only be used for clearly stated purposes.
- Integrity and privacy: Organisations are responsible for keeping personal information safe. Unlawful processing, loss, damage or destruction of data are all risks that need to be carefully assessed.
- Data minimisation: Organisations should collect as little data as possible, and only keep the data they need to run their business. All collected information should be kept and stored safely. It should also be adequate and limited to a single purpose.
- Storage limit: There are many ways in which data can help charities, but only if it is useful and of good quality. Personal information shouldn’t be kept for longer than necessary.
- Data accuracy: Organisations should do everything they can to make sure that people’s personal information is correct. They shouldn’t be afraid to remove or correct wrong information.
- Accountability: Organisations are responsible for following GDPR, and they must be able to show that they have met all applicable requirements.
Understanding the basics of GDPR for Charities
Even though the GDPR may seem challenging at first, especially for smaller charities that don’t have a DPO (data protection officer), it can be straightforward to follow. If you have the right policies and procedures in place, it shouldn’t create any problems. Here are some examples of what you can do to help your charity become GDPR-compliant:
- Get consent: Give people a clear choice about what information they want to share with you, and make it easy for them to change their minds. Being clear and brief goes a long way towards making people trust charities.
- Communicate purpose: Be clear about why you want to gather information. Be open and honest about how your organisation handles data, whether it’s for operations or marketing.
- Keep information safe: Only people with a good reason should be able to see personal information. Use strong passwords and safe processes, such as encryption, to protect important data sets and documents.
- Document everything: Lastly, write down every step you take to follow GDPR, and update your records regularly. In the event of a breach, these documents will show that your data protection policies and procedures are in line with the law.
Who are data processors and controllers in charities?
A “data controller” is an organisation that processes data and decides how and why that data will be processed. A “data processor” is an organisation hired by a data controller to handle data on its behalf.
Even if you are a charity or non-profit organisation, you have to follow GDPR if you handle personal information. Your records will typically contain information about your employees, clients, suppliers and donors. Under GDPR, you are required by law to respect and protect the data you process.
The charity could process some or all of this data itself, making it both a controller and a processor, or it could hire a third party to do so.
In either case, the data controller is responsible for making sure GDPR is followed, and it must be sure that third parties have adequate data protection measures in place.
The organisation that owns the data and the one that processes it should agree in writing on how the data will be used and kept safe. If either side breaks this agreement, it could cause a breach involving a third party.
Third Parties: Data Protection Officers
A DPO is a specialist, who may work outside the organisation, in charge of monitoring how it protects personal information.
You must appoint one if you are a public authority, if your organisation regularly and systematically monitors data subjects, or if you process large amounts of special categories of personal data.
Many experts recommend appointing a DPO because it helps in a number of ways, such as communicating with data subjects and supervisory authorities in a way that is efficient and lawful.
You can appoint a DPO from inside or outside your organisation.
How does the GDPR affect your Charity?
The law applies to all organisations that could be considered data controllers and processors. This includes charities and other non-profits.
GDPR applies to any personal information about your users, donors, employees and volunteers that you collect and store. We suggest that any organisation, not just non-profits, start getting ready for GDPR by finding out what personal data it handles.
If you keep someone else’s information, you will have to explain why you do so. For example, if you know someone’s full name and address, can you explain why you know it? You might have a good reason to store their full name, but you might have to explain why you want their home address. Under GDPR, you must say why it is legal for you to process data.
Protecting Personal Data under GDPR for Charities
You will also need to make sure that the personal information you work with is safe. If you hold someone’s personal information, you are responsible for it and must keep it secure. You need to take steps to keep the data you process protected and secure.
When relying on a “legitimate interest” to process personal data, charities must show that they have a clear and specific goal or benefit in mind.