General Data Protection Regulation (GDPR) – Plan of Action for charities

13/12/2016
Lodders Solicitors - Charity Law

Following recent news that both the RSPCA and the British Heart Foundation have contravened the Data Protection Act, it is extremely important for charities to be aware of their responsibility to protect donors’ personal data. Lodders’ Charity Law specialist Mark Lewis discusses the new Act and outlines a plan of action for charities.

The GDPR comes into force on 25th May 2018. These regulations are wide-ranging and aim to put the rights of individuals at the centre of data protection law. There have been changes to the following four key areas, meaning that the way charities operate will be affected:

  • Scope has widened;
  • Rights of individuals have been increased;
  • Obligations have expanded; and
  • Enforcement has become stricter with fines greatly increasing.

One of the most important changes relates to consent. Going forward, a more active form of consent is required; currently, consent can be inferred from silence, pre-ticked boxes or inactivity. An individual’s consent must be freely given, specific, informed and unambiguous, and the organisation must be able to evidence it. Therefore, current data processes need to be reviewed to determine exactly where changes need to be made.

A further important change is that the Information Commissioner’s Office needs to be notified of data breaches within 72 hours, and in some cases the data subjects involved will also need to be notified. This means that systems must be in place so that any breach can be dealt with efficiently.

To be prepared for these changes, it is recommended that charities take the following five steps as soon as possible:

  1. Collect information
    • What data do you hold?
    • Where do you receive data from?
    • Who do you share data with and why do you share it?
    • How do you store data?
  2. Determine whether you have any gaps in the data you do hold
  3. Review your Privacy Policy
    • Do you have one?
    • Is this comprehensive?
  4. Review internal data protection practices
    • Is an Incident Response Plan in place to be able to respond to any breaches of regulation?
    • Do you have a Privacy Impact Assessment procedure?
    • Is training provided for staff/volunteers on data protection? How often?
  5. Identify key members of the organisation who will organise and ensure implementation of the necessary changes.

 For further help or advice on the new Data Protection Act or other aspects of Charity Law, please contact Mark Lewis on 01789 206135 or by email.
