GDPR: Positive data management for charities

18th October 2017

There’s a lot of chatter across all sectors about the forthcoming change to data protection – the General Data Protection Regulation (GDPR) – which comes into force next May.

Whilst professional services advisers are helping their clients to be clear about their responsibilities, it’s easy to get distracted by scary headlines and outlandish claims. Of course, charities may have to change the way they do things, but as long as you keep in mind that the new regulations are about protecting rights and encouraging transparency, rather than about imposing unwanted burdens and huge fines, you should be able to plan for and manage the changes effectively.

A recent blog from the UK Information Commissioner, Elizabeth Denham, states pretty clearly that fines are the last option, not the first. What the Office wants to ensure is that organisations collect and use data responsibly and are transparent about how and why they do it.

“Issuing fines has always been and will continue to be, a last resort. Last year (2016/17) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned,” she writes.

The lawful basis for processing data

Under GDPR, there will be six legal ways in which you can process information. These different pathways exist because organisations need and want to collect and process data for different reasons. The legal ways are:

  • Consent of the data subject;
  • Where processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract;
  • Where processing is necessary for compliance with a legal obligation;
  • Where processing is necessary to protect the vital interests of a data subject or another person;
  • Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
  • Where processing is necessary for the purposes of legitimate interests pursued by the controller, or third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

There are also conditions for special categories of data, which can be found at the Information Commissioner’s Office website – www.ico.org.uk.

For most charities, the first lawful basis is the most likely to be relevant. You must ensure that consent is informed and actively given, rather than assumed, and that the consent is separate from any other terms and conditions. Someone who consents to your holding their data should be able to remove that consent easily.

For many charities, GDPR represents an opportunity to ensure you are being transparent and putting your supporters, fundraisers and other stakeholders first. It shouldn’t require a lot of additional expense or worry, but do contact your solicitor if you need to know more.

