General Data Protection Regulation (GDPR)

What is the GDPR?

You may have heard of the GDPR, and may have questions about what this means for your organisation.

GDPR stands for General Data Protection Regulation. The GDPR is EU legislation that will provide a single data protection law for all EU countries. GDPR will come into effect for the UK on 25th May 2018. GDPR will replace the Data Protection Act, and may represent a significant change for organisations that hold and process personal data.

GDPR is intended to update data protection laws, ensuring they are responsive to the more recent threats of the internet age, in order to prevent the loss of personally identifiable information in the case of security breaches and cyber-attacks. Charities will have to comply with GDPR just as businesses will. If your organisation holds personal data, such as contact information, bank account or credit card information, information about ethnicity or religious belief – then the new regulations will apply to you.

GDPR Basics

Under GDPR, charities must be able to clearly explain why they are collecting personal data, and what they are going to do with it. Simply including a privacy policy on your website is not sufficient. You may need to ask for consent for data you already hold. Individuals will also be able to access the personal data you hold on them at any time. They will also have a ‘right to be forgotten,’ where they may request for their personal data to be removed.

Non-compliance with GDPR may result in serious consequences – organisations may be fined up to 4% of their turnover or up to £17 million, depending on the severity of the breach. Organisations will be obliged to inform the Information Commissioner’s Office (ICO) of any breach that is likely to result in a risk to the rights and freedoms of individuals within 72 hours of the organisation becoming aware of it.

Direct Marketing

GDPR applies across the board, but one area of specific concern to many charities is direct marketing, which includes fundraising. There are different legal conditions for communicating by different channels.

For instance, you need consent to be able to send direct marketing by email or SMS, or to make phone calls to individuals on the Telephone Preference Service (TPS). For post or live calls to phone numbers not on the TPS, you may send direct marketing if your organisation has a legitimate interest in contacting them, and they have not opted out of receiving this kind of communication from you.

Legitimate interest enables you, in certain circumstances, to be able to send direct marketing to an individual without having their prior consent. You must consider what the individual would have reasonably expected their personal information to be used for at the time they provided it. If they would not have reasonably expected the information to be used for direct marketing, you cannot rely on the legitimate interest condition.

The individual’s right to not be contacted is paramount – if they have indicated that they do not wish to receive a specific kind of communication from you, or any communication at all, you must respect this and not contact them in this way.

GDPR does not require that all direct marketing is ‘opt in’ – but this will be the case for email or SMS communications. This could be a tick box approach, where people show their consent by ticking a box, or choosing between a yes/no option. Consent does not have to be in writing – it can be given verbally. Individuals must take a positive action in order to give consent – silence or pre-ticked boxes do not count as valid consent. Where ‘opt in’ consent is not necessary (e.g. where there is a legitimate interest and you are contacting an individual by post or phone and they are not on the TPS), you must provide the opportunity for the individual to opt out of receiving future direct marketing, e.g. through an ‘opt out’ tick box.

Where communication is for genuine administrative purposes, unconnected with direct marketing, the rules for direct marketing do not apply.

Data Protection Officer

Any organisation is able to appoint a Data Protection Officer (DPO), but the majority of small and medium-sized charities will not be obliged to appoint one. You must appoint a DPO if you:

A Data Protection Officer can be a current staff member or a contractor, but the role must be designated on the basis of professional qualities and expert knowledge of data protection laws. The responsibilities of the Data Protection Officer are to:



VAS will be holding a GDPR workshop later this year – we will keep you posted via VAS id.

See All News