Compliance with new privacy laws could prove costly for small charities
The European Union’s General Data Protection Regulation (GDPR) comes into effect on May 25, leaving just a few more days for charities to understand the new client privacy laws.
However, the cost and risk involved in complying could prove prohibitive, driving smaller charities into bankruptcy while also putting their clients at risk.
Compliance with the GDPR means charities with connections to the EU will need to reanalyse the way they work and handle data. The cost of non-compliance could be greater still if the organisation is found to have breached its duty of care and ethical responsibilities.
The Conversation article by Shamal Faily, Senior Lecturer in Systems Engineering at Bournemouth University, analysed the effect the GDPR could have on charities as they meet “the new, higher standards of this new European privacy law.”
“For charities, the duty of care they have for both their vulnerable client base and their donors is so strong that a culture of cost-cutting has formed,” Faily said. “Because charities lack the expertise to understand the risk they face, they may wrongly believe they are avoiding risks, or accept risks without understanding the implications.”
The GDPR governs and enforces the way organisations store and use the personal data of their clients and donors in order to protect privacy. Losing or misusing that data can damage trust, but charities will often find themselves in a grey area.
The GDPR requires that personal data be “collected for specified, explicit and legitimate purposes,” and “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing.”
Europe has been undergoing a two-year transition period from its 1995 Data Protection Directive to the GDPR, which will come into effect on 25 May this year. In a speech to charities attending a Funding and Regulatory Compliance conference in the UK last year, Information Commissioner Elizabeth Denham said the GDPR would not stop charities from doing their jobs.
“The Data Protection Act is a principles based law. It doesn’t address the legality of particular activities. You won’t find a clause that says wealth screening is against the law, for example. But you will find principles that say data must be processed fairly.”
Denham said “ignorance is not bliss” and pushed for charities to understand consent in their sector and to ensure complete privacy of their clients and donors.
UK charities RSPCA and the British Heart Foundation, among others, have been fined under the GDPR by the Information Commissioner’s Office (ICO) for wealth screening and the selling of donor data following a Daily Mail investigation.
Simon Gillespie, Chief Executive of the British Heart Foundation, said: “There is no suggestion that we lost or sold any personal data, but rather the ICO considered the information we gave to supporters on how their personal data would be used was inaccurate. There has been one acknowledged contravention, through an inadvertent error, which we ourselves brought to the ICO’s attention.”
Faily asks what incentive charities have to invest time and money in compliance if the new guidance fails to recognise the particular risks they face.
“What charities need are less platitudes on what they should be doing and more advice on how to do it, given the very particular challenges they face.”