

Avoiding Data Breaches

Like it or not, all charities must comply with the GDPR; there are only minimal carve-outs for the not-for-profit sector. Therefore, with the GDPR now in full operation, it is important to be aware of the duty of care charities owe in relation to their donors’ data and to put steps in place to stop breaches from happening wherever possible.

How can charities avoid a data breach?

Firstly, the phrase “prevention is better than cure” is one that should be remembered when considering how best to protect your data and avoid any nasty surprises. It is important to be as transparent as possible with your supporters and to inform them of how their data will be used and stored, whilst providing them with a quick and easy opt-out should they change their mind about hearing from you. The key is to have in place a simple, easy-to-read Privacy Notice available for review.

Also, ensure that all your software is kept up to date and your firewalls are securely configured, so that should a breach occur you can provide evidence to demonstrate that you took all necessary precautions.

All of your staff, volunteers and contractors should be clear about how you expect data to be managed and protected, so you should communicate your expectations via a detailed internal Privacy Policy made available to anyone engaged in your charity’s operations.

Managing Subject Access Requests within the law

If you receive a subject access request you are legally obliged to respond within one month of receiving it. As an organisation, you should make it as simple as possible for an individual to submit a request, and you should categorise data in a way that makes it straightforward to provide the individual with all relevant information your organisation holds on them.

If you have already taken the steps to organise your data sufficiently and responsibly, this won’t be an issue.

A few extra points to note when processing a subject access request are:

  • Blank out all exempt/irrelevant information where necessary
  • Verify the identity of the individual
  • Do not disclose anything that could be classed as confidential

Contacting individuals lawfully by electronic means

Remember that because supporters and donors are not usually purchasing products or services from a charity, charities can rarely rely on the ‘soft opt-in’ right to contact or follow up with individuals electronically. Therefore, even if the individual you would like to contact by electronic means is considered an active supporter of your charity, sending a simple newsletter could require consent, because it could fall into the category of direct marketing.

Get in touch with our charities solicitors

For further information about our charities services, get in touch with our team in Alconbury, Birmingham, Nottingham, Peterborough or Spalding.