We speak to Mandy Johnson, Chief Executive of the Small Charities Coalition, who explains the challenges around DPOs, training and fundraising presented by the new legislation...
How will GDPR impact small charities?
It is impossible to run an organisation without coming across someone’s personal data, so GDPR will impact all small charities in some way. Whether that be the sign-in book for volunteers, the health problem of a beneficiary, or the email address of a donor – we all capture data regularly. For many small charities, this data can be all over the place; on trustees’ personal laptops, in a manager’s notebook, or kept in a spreadsheet.
It is vital that trustees are aware of their responsibilities under the new legislation. They need to put compliant policies in place, ensure that they are adhered to and make sure that other volunteers and/or members of staff have the appropriate training to handle people’s data legally.
In your experience, are small charities prepared for the incoming legislation?
We receive daily enquiries from small charities who are preparing for the incoming legislation; we know that it is on the radar of many of our members.
To get an idea of the full picture, the Small Charities Coalition supported the Institute of Fundraising in carrying out a survey in September 2017 to assess whether small charities felt ready for the incoming legislation. The results showed that nearly half of small charities did not have the right level of internal skills or expertise in data protection and a third had not done anything to review data protection or get ready at all. In response to this we have launched a new toolkit to guide our members through the process of becoming GDPR compliant.
What are the most challenging elements for small charities?
The most challenging part of the new legislation is that there are so many grey areas; it is difficult to provide a ‘yes or no’ answer to so many of the questions that small charities have about what they can and cannot do. The ICO has provided some useful guidance which provides a good starting point but ultimately, it’s difficult to do it alone without professional advice from an expert.
Another element of the new legislation that some of our members have found challenging is in relation to the requirements around Data Protection Officers (DPOs). Some small charities will be required to have a DPO but the legislation disqualifies any of their staff or volunteers from taking up this role, meaning they are forced to appoint externally at their own cost.
Will GDPR bring an added cost burden?
It is likely that, no matter what approach small charities take to GDPR, the minimum that they can invest in order to ensure compliance is time and energy. Charities need to ensure that volunteers and staff are trained, policies are in place, and that these policies are being followed. All of this will take time and charities may also have to spend money on making sure that training and policies are up to scratch.
When we built our GDPR toolkit, we negotiated as much as possible to keep prices low for our members but we have still had to charge a three-figure amount, which is the most we have charged our members for anything over the past 10 years.
Is GDPR likely to negatively impact small charities’ fundraising?
For the small charities that do raise money from the public, it is likely that they see this income drop as they lose the ability to contact everyone on their database. I am aware of one small charity that has spent over £10,000 on becoming compliant and they know that their income will drop as a result. It’s a double-edged sword – lack of compliance opens charities up to fines and full compliance may result in less income.
Is the ICO likely to be more lenient for charity compliance failures than for the corporate sector?
I don’t think we can guess the future but what we have seen from the past is that the ICO has been less lenient for charities than it has been for profit-making organisations.