GDPR and Irish Charities

Irish charities need to ensure they are compliant with GDPR in order to secure and maintain the support of their communities. This article clarifies what is required and how it can be managed.

The importance of protecting personal data cannot be overstated, especially for organisations that rely on financial donations from the public. Failure to put adequate protections in place leaves a charity exposed to malicious actors, particularly through unauthorised access to, or misuse of, the data it holds. A recent increase in regulatory oversight and compliance checks also raises the risk of reputational damage, and consequent damage to donor relationships, if a charity is found not to be protecting the data entrusted to it.

As a board member or staff member of a charity in receipt of public funds, you will need to know about the regulation and the implications it may have for you and your organisation. You will also need to know how your organisation can comply with GDPR, and what rights individuals have over their data.

As stated in Article 25(2) of the GDPR (data protection by design and by default): "The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary in relation to the purposes for which they are processed are processed". In this instance the charity collecting stakeholder information (e.g. donor, staff, patient or family data) is the controller. Regardless of the size of your organisation or its budget, the regulation requires you to invest time and resources in protecting personal data.

Many organisations, including charities, need to review their policies and procedures in order to comply with GDPR. The main aims are to increase transparency and accountability in how personal data is handled.

What Are The Key Highlights For Charities?

Under GDPR there is a higher standard of transparency and accountability for the personal data collected from donors, volunteers and beneficiaries. This is especially true when processing the personal data of vulnerable persons, such as minors or people with mental health issues. As an example, if a charity collects sensitive information about members of its community (including ethnic background, religious beliefs, medical conditions or sexual orientation, which GDPR treats as "special category" data under Article 9), it must tell the individuals concerned (the data subjects) why it is collecting that information, and it needs an explicit lawful basis, such as explicit consent, to process it at all. The charity has to inform them what the data will be used for and how it will be protected. The charity should also be able to provide, if requested, information about its most recent data protection audit, as well as details of any security breaches affecting their data, including the categories of personal data accessed.

Another requirement is to give data subjects (individuals) more control over their personal data. They can ask for their data to be corrected where it is inaccurate or incomplete, or erased where the charity no longer has a valid reason to keep it. Charities should be aware that they cannot store personal data without a valid reason, which they must be able to articulate and justify (i.e. a lawful basis and a legitimate purpose).

Under GDPR, charities may not keep personal data for longer than the charity's stated legitimate purpose requires. Charities should have processes in place to ensure that records containing personal data are deleted when the relationship with the individual ends (for example on cancellation of a donation or membership), unless a separate legal obligation, such as accounting or tax rules, requires a longer retention period. They also need clear procedures to make sure that personal data is erased and disposed of securely.

How Can Charities Achieve GDPR Compliance?

In over 90% of cases, GDPR compliance can be achieved by regularising and automating many of your data-handling procedures. This requires a review of current information security policies and practices. Improvements may include being able to identify how personal data is processed: where it is stored, when it is accessed or transmitted, and who has access to it. In other words, you have to be able to account for the collection, storage and sharing of personal data. The audit trail should record who is processing the data, as well as where and how it is processed; GDPR calls this the record of processing activities (Article 30), and it is the first thing a regulator will ask to see.

GDPR requires charities to carry out and record a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to the rights and freedoms of data subjects (Article 35). Examples include large-scale processing of special category data about beneficiaries, or processing on IT systems that are outdated or not maintained to current security standards. In practice this means the charity should test its physical, technical and administrative access controls for weaknesses, so that personal data is protected at all stages, including in storage. GDPR also requires (Article 32) the ability to restore the availability of, and access to, personal data promptly after an incident, so the charity needs a business continuity plan to minimise the damage caused by any security breach.

A charity's ability to manage personal data must be demonstrable before it can be considered GDPR compliant. This requires ongoing monitoring, and any vendor that processes data on the charity's behalf (a processor) must be bound by a written contract (Article 28) and must also be able to demonstrate its own compliance with GDPR.

In summary, the requirements of GDPR do not necessarily change the way charities collect or use personal data, but they do give individuals more control over their data and greater access to information about how it is processed and used. Any charity processing the personal data of individuals in the EU must implement the necessary safeguards to protect that data at all times.

Achieving GDPR compliance is an ongoing challenge for charities, as it requires significant investment of both time and money. Every charitable organisation should have a plan in place so that it can demonstrate GDPR compliance. Failing to do so could be an existential threat, as donor funding is diverted to organisations with a better record of compliance.

Stephen Lovell ERF CertRP

TA Specialist with ERF CertRP, PRINCE2 and ITIL

1 year ago

Thanks Gordon Stewart I'm volunteering for an Irish charity and need to evaluate their GDPR policy, do you have any policy templates that I could leverage?

John Stewart

'+ Follow' For Free Daily Growth Hacks | Founder, Min Maxed Media

3 years ago

To the point and useful information! Nice article!
