A lot of businesses are spending a great deal of time and money preparing for the change. But what about small charities (with small budgets) which by their nature don’t have the vast organisation or resources to have someone dedicated to compliance of this sort?
Fortunately, when you look at the detail of the GDPR, consent is not the only lawful basis a charity can rely on for processing personal data. Whatever basis it relies on, though, the data it holds must be adequate, relevant and limited to what is necessary for the purposes for which it is processed. So the good news is that charities do not necessarily need to send out the opt-in emails we are all receiving from retailers and other ‘vendors’, but they do need to think about what specific data they hold, why they hold it and on what lawful basis.
Many small charities are run by volunteer trustees who store charity data on their personal laptops. Charities should consider how secure that storage is, whether the charity should insist on a minimum level of security for any device holding its data (for example, a device passcode, full-disk encryption and up-to-date software), and should decide on secure processes for destroying hard copies of documents.
Another area for consideration is how long charities need to retain data. Should a charity be keeping data from decades ago, or should there be a cut-off point after which the charity’s records are destroyed? There will be different answers depending on the particular circumstances of each charity, but charity trustees should consider these issues and record the retention periods they decide on.
The Charity Finance Group has put together a detailed look at the GDPR considerations for charities, which can be read by following this link.