Dandelion in breeze

Non Profits: General Data Protection Regulation

Dandelion in breeze
What your charity should be doing now to prepare for May 2018

On 25 May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 (DPA). This will change the way you can collect, store and process personal data.

Most charitable organisations hold vast amounts of personal data (from HR details for staff to donor databases). The definition of ‘sensitive personal data’, a term familiar from the DPA, remains broadly unchanged.

Download [pdf]

Key principles of the GDPR

  • Fairness
  • Lawfulness and transparency
  • Purpose Limitation
  • Data minimisation
  • Data quality
  • Security
  • Integrity and confidentiality

Notable changes - DPA (1) overview

  • Stricter criteria for consent
  • Additional details specifically in reference to children's consent
  • The accountability concept
  • The right to be forgotten
  • Other enhanced rights
  • Cross border transfer

Notable changes - DPA (2) Consent

  • The data subject must have the right to withdraw consent
    at any time, and it must be as easy to withdraw as it is to
  • Consent mechanisms will need to be genuine and granular: 'catch-all' consents will likely be invalid.
  • The individuals must take affirmative action to provide
    their consent, such as signing a form or ticking a box.

Notable changes - DPA (3) further key changes

  • Transparency
  • Children and consent
  • Regulated Data
  • Data Processors
  • Accountability
  • Enhanced rights for individuals
  • Reporting requirements
  • Cross border data transfers

Why is this a priority

  • Most charitable organisations hold vast amounts of personal data, such as names and addresses of donors, supporters, and beneficiaries. Many also hold sensitive personal data such as racial or ethnicity details, information regarding religion, physical or mental health conditions, or criminal record details.
  • The charity sector has significant legal and moral obligations to protect this data from harm.

Prepare now for GDPR

  • The principles of the new GDPR legislation are familiar from the DPA, but the obligations in some areas are more extensive.
    Charities need to ensure their internal processes and IT systems will be able to cope with the new regulation from May 2018.

How can Crowe support you

Working with us gives you access to a team of specialists, who can:

  • map your current systems and controls operating to protect your data
  • review procedures in place within your organisation
  • assess the design and effectiveness of your key controls
  • identify weakness in your systems and put forward recommendations
  • help your team prioritise actions into urgent, important and non-essential
  • raise the profile of compliance within the operational team.

If your organisation predominantly holds data electronically and relies heavily on your IT infrastructure and web based systems, Crowe can also support you and your organisation to:

  • identify strengths, weaknesses and potential gaps in IT controls based on internal and external threats
  • identify where controls could be developed
  • compare your system and procedures against best practice for:
    • network security (including firewall and network setup, vulnerability testing, remote access, and email security)
    • computer security (covering anti-virus, patching and removable devices)
    • user access security (covering user management, administrators, passwords and physical access)
    • ICT Management and User Awareness (covering policies and procedures, user training, third party management and incident response)
      data management (covering data ownership, data protection, and data processing)
    • change management procedure
    • disaster recovery procedures.

Contact us

Naziar Hashemi
Naziar Hashemi
Head of Social Purpose and Non Profits