The General Data Protection Regulation aims to harmonize and streamline the privacy regulations throughout the EU. Supervisory authorities in every EU member state will monitor compliance and serve as a contact point for companies and organisations.
The GDPR covers not only for-profit businesses, but also non-governmental organisations such as charities, associations, and even political parties. The rules are the same for everyone – no matter how complex they might seem.
The End Doesn’t Justify the Means
The GDPR treats any fundraisers and other charitable causes akin to companies doing business, and that usually makes sense. The GDPR is not about what is ‘good’, charitable and noble. The Regulation is all about protecting the individuals’ personal data and their rights – something which holds true whether they give out their data to business or charities.
Even if you righteously feel your actions could bring immense benefits to the community as a whole, breaking the law – in this case, privacy law – is still forbidden.
It is worth to enact the good practices from the GDPR even if it results in additional administrative burden and, in the case of charities, loss of support money. Create solid foundations for data processing and then build upon them. Do not look at other charities and NGOs and do as they do, since we expect plenty to ignore this advice.
Keep data up to date, but delete it when it no longer serves its purpose. You must enact appropriate safeguards, both technical and organisational, particularly when handling sensitive data. Privacy professionals can help in this regard – and are sometimes required. If you process sensitive personal data, you must appoint a data protection officer (DPO), who should be a professional that can advise you in this kind of situations.
Consent is one of the conditions for data processing you will use the most. Ensure you receive the individuals’ consent for the data you capture. You must notify them precisely of what you intend to do with the data and whether you want to share this data with third parties.
They must ‘opt-in’, pre-ticked boxes on websites do not work. Communicate the individuals’ rights in clear, plain language. Tell them as much as you can while keeping it simple. Keep in mind that just because a person has signed up for something or donated, it does not give you a permission to do with their data as you please. You cannot keep pestering them with marketing and fundraising activities, unless they are very occasional.
Keep your consent records up to date, especially in the case of opt-outs. The more serious and sensitive the data, the more safeguards you should use. The processing of sensitive data requires explicit and unambiguous consent.
As stated in the previous section, certain occasional communication can be considered as legitimate interest, since it can be reasonably expected that you will contact someone after they have donated (and ask them whether they would like to do so again).
This is in your legitimate interest and does not present huge burden and risk to the individuals’ freedoms. You will have to assess, objectively, the level of your interest and the risk to the individuals’ privacy rights and freedoms every time you intend to use legitimate interest as a basis for processing.
In plenty of cases this will overlap with consent as you must have been given some kind of consent if you have obtained the data from the person (unless obtained from a third party, but this is something you must notify the individual of as well).
You are not allowed, however, to perform profiling (based on wealth, for example) unless given consent after notifying the individuals concerned. Otherwise you risk objections from individuals. They can object to your processing in all cases, and you must stop unless you can demonstrate the necessity of your processing. For direct marketing, if a person asks you to stop, you must stop immediately. You cannot demonstrate legitimate interest in this case.
In other words, cold calls are likely fine even under the GDPR, but do not overdo it and stop when asked. Check the ‘no-call’ lists beforehand. We advise against sending e-mails without consent.
Individuals’ data can be legally processed if it is necessary for performance of a contract (services, sales, etc.), if you have a legal obligation to do so, if such processing is in public interest, or if it is necessary in order to protect the individuals’ vital interests.
You can find more detail about the conditions for processing in our other articles.
Just because they are doing something for free, it does not mean they can do a shoddy job. The GDPR treats volunteers the same as employees regarding data handling and good practices, so make sure you educate them well.
They should have some knowledge of best data handling practices, and you should enact access controls and regular refresher courses. They should be able to evaluate impact and seriousness of data, at least on a basic level. You should introduce quality security policies and review them often, and acquaint the volunteers with them.
Major transgressions can carry a fine of up to EUR 20 million or 4 percent of the organisation’s global turnover, whichever is higher. These fines will only be used as a last resort, but there is no need to take such risks.
If in doubt, always follow the applicable guidance from your local supervisory authority. If the regulators find certain irregularities, they likely won’t fine you right away. They will allow you ample time to rectify the situation, but repeat offenders will be shown ‘no mercy’. Deliberate breaches are highly frowned upon, so expect a fine right away if the breaches are deemed as such.
Even though they seem onerous at times, the data protection rules of the GDPR are in fact logical and common-sense, even though enacting them can be significantly more complex. It will take some time and expense to ensure compliance, but it will be worth it in the end. It should be in your best interest — you will have a safer way of handling personal data and your members and backers will be safe knowing their data is in capable hands.