The future is digital – data protection in the charity sector

Surges in demand for community services, drops in fundraising income, cutbacks to staff, and the widespread cancellation of events – just some of the constant stream of crises that many charities have grappled with over the past year. Every challenge leaves room for opportunity however, and the charity sector is nothing if not innovative.

One of the main positive developments of 2020 was the way in which the charity sector embraced digital technology. The past year has seen a surge in charities making use of technology in response to the pandemic, allowing them to find new ways to reach supporters and those they help. Technology has also helped to build relationships across the sector, with a marked boost in collaborations between charities and with local authorities.

When launching new platforms and digital solutions, it is easy to relegate data protection compliance to the back-burner. However, with the rise in cyber-attacks and the potential for significant fines for breaches, building in data protection compliance from the outset can be the difference between success and failure. In this article, we share our top tips for charities exploring digital solutions to ensure compliance with the data protection regime.

Knowledge is power

When considering whether to contract with a new supplier of digital services, it is essential that you do your due diligence. The more your charity knows about your suppliers, the stronger your position will be and the more likely you are to identify (and resolve) potential risks.

In many cases, adopting new technology will involve sharing data (including personal data of your staff, supporters or beneficiaries) with suppliers. As a data controller, your charity is ultimately responsible for ensuring compliance with data protection law within the organisation and in its dealings with other organisations. Before adopting any new technology, you should be satisfied that the supplier understands its own obligations under data protection law (including those that will be owed towards the charity) and has a good track record of compliance.

Consider the risks

Whenever your charity is considering adopting any new digital platform, you must understand the risks involved and take steps to protect personal data. Article 35 UK GDPR states that whenever processing of personal data is likely to result in a high risk to the rights and freedoms of individuals, you must carry out a Data Protection Impact Assessment (“DPIA”).

A DPIA is an exercise designed to help you analyse, identify and minimise the data protection risks associated with a particular project. Carrying out a DPIA creates a clear record of the factors considered when implementing a new project, and is an essential part of your accountability obligations.

Using new technologies / existing technologies in a new way (including artificial intelligence) is inherently risky. For instance, system failures or cyber-attacks could lead to the destruction or loss of personal data. When you are considering an innovative new platform therefore, it is important that you carry out a DPIA, to help identify and mitigate any potential risks and keep personal data safe.

Regularly review security arrangements

Unfortunately, the number of cyber-attacks in the charity sector has increased. As use of new technologies increases and more personal data is being held digitally, it is therefore more important than ever to make sure that security arrangements are appropriate and kept up-to-date.

One of the fundamental principles of the UK GDPR is the obligation to implement “appropriate technical and organisational measures” to keep personal data secure. Effective cyber-security measures will be an important tool in your charity’s data protection toolbox, but it is also important to consider measures you can put in place to instil good practices among staff, volunteers and trustees, such as policies explaining your charity’s approach to data security.

Even if you are satisfied with the level of security in your charity, you must not become complacent. The best security measures are those that are regularly tested and evaluated, and you should consider a review each time your charity decides to adopt new system to make sure that your security processes are compatible with any new technology.

Remember the data subjects

Whenever your charity is considering adopting a new digital solution, you should consider whether this will involve doing something different with personal data. For example, you may need to share personal data with a new type of organisation, or you may be planning a digital fundraising campaign that involves using the personal data of your supporters in a new way.

In line with your transparency obligations, you should consider whether the proposed processing is covered by your privacy notice. In some cases, you may need to update your privacy notice to ensure that any changes are brought to the attention of data subjects, and in some cases to contact individuals to update consents.

In addition, you should also consider how use of the new technology may impact data subjects' legal rights. For example, where an organisation uses automated decision-making (a process where computer software makes decisions about people without any human involvement) data subjects have a legal right to have any such decisions reviewed by a person. If you are considering a new technology that uses automated decision-making (such as a grant application platform) then you will need to make sure that you have appropriate measures in place to allow individuals to exercise their legal rights.

If your charity is thinking of implementing a new digital solution or you have any questions around this topic, a member of our Information Law Team would be very happy to assist.