
Preparing for GDPR and Data Protection Reform

As of 25th May 2018, every organisation that holds personal client data must become compliant with the new GDPR regulations. We know that understanding how these new regulations will affect your organisation’s processes can be difficult, but NCVO have helpfully compiled a ‘12 Point Plan’ (based on the ICO guidance) to assist you in adopting these new regulations into practice.

1 – Make sure the right people in your organisation know this is coming
Your trustee board and senior staff should be aware that the law is changing. They need to know enough to make good decisions about what you need to do to implement GDPR. They need to be aware that implementation may take considerable time and effort, and should add data protection to your risk register if you have one.

2 – Identify what data you hold and where that data came from
If you don’t know what personal data you hold and where it came from, you will need to organise an audit of your different systems and departments to find out. This means all personal data, including that of employees and volunteers, service users, members, donors, supporters and more. You should document your findings, as GDPR means you must keep records of your processing activities. You should also record whether you share data with any third parties.

3 – Update your privacy notices
You must always tell people in a concise, easy to understand way how you intend to use their data. Privacy notices are the most common way to do this. You may well already have privacy notices on your website for example but they will all need to be updated. Under GDPR privacy notices must give additional information such as how long you will keep data for and what lawful basis you have to process data. The ICO has guidance on GDPR compliant privacy notices.

4 – Check your processes meet individuals’ new rights
GDPR will give people more rights over their data. For example GDPR gives someone the right to have their personal data deleted. Would you be able to find the relevant data and who would be responsible for making sure that happened? Get to know the eight rights and have the systems in place to be able to deliver on each of them.

5 – Know how you will deal with ‘subject access requests’
Individuals have the right to know what data you hold on them, why the data is being processed and whether it will be given to any third party. They have the right to be given this information in a permanent form (hard copy). This is known as a subject access request. Your organisation needs to be able to identify a subject access request, find all the relevant data and comply within one month of receipt of the request. The ICO gives guidance on handling subject access requests.

To read the full article from NCVO please click here.

GDPR: Charities Encouraged to Deepen Their Understanding

Is it time to develop your GDPR understanding beyond a few top tips? Charity CRM software partner, Blackbaud, has had its legal team condense 88 pages of complex law into just five.

No-one in our sector is in any doubt now as to the importance – and the imminence – of GDPR.

Not only is there an individual acceptance that every level of role across a range of departments needs to understand the implications, but senior stakeholders are now putting pressure on their teams to truly understand the operational impacts.

To provide charities with a solid understanding of the key implications of GDPR without undertaking a law conversion course, charity CRM software partner, Blackbaud, asked its own legal counsel and Data Protection Officer to wade through all 88 pages of legislation and create a summary document that gives proper detail beyond all the ‘10 top tips’ infographics online.

Not only will this guide help you understand the law yourself, but it’s the perfect document to hand to your CEO, trustees and other stakeholders when they come to you asking, “How will GDPR affect us?”

Click here to see Blackbaud’s report on the operational impacts of GDPR.

Source: Charity Digital News

SCVO Briefing Session on General Data Protection Regulations

Does your organisation collect data on (European) citizens?
(Hint…if you’re based in the UK and working in your local community then the answer is going to be a resounding ‘YES’)

Do you know what’s happening on 25th May 2018?

Does the phrase “General Data Protection Regulation” mean anything?

Whatever your answers to the above questions, come along to this Free lunchtime briefing session where you’ll hear information about the General Data Protection Regulation, which comes into force on 25th May 2018. Book your place via Eventbrite by clicking here.

The briefing session is being held on:

Wednesday 13th September 2017, 11.45am

at SCVO Offices, 1st Floor Lanchard House, Victoria Street, West Bromwich, B70 8ER

Charities: Subject Access Requests and the GDPR

The General Data Protection Regulation (GDPR) comes into force 25 May 2018 and will introduce the greatest changes to data protection legislation in over 30 years. In this blog Val Surgenor, charity law specialist at MacRoberts LLP, looks at subject access requests (SARs) under the GDPR and what changes this will bring. There is less than a year to go now before the GDPR comes into force, therefore you should act now to make sure you are GDPR compliant!

What is a SAR?
A SAR is a request for personal information that your Charity may hold about a data subject i.e. an individual. If an individual wishes to exercise their subject access right, the request must be made in writing. The purpose of a SAR is to make individuals aware of and allow them to verify the lawfulness of processing of their personal data. Under the GDPR and the current Data Protection Act (DPA), individuals have the right to obtain confirmation as to whether personal data about them is being processed by your Charity. If personal information is being processed, they are entitled to access:

• the reasons why their data is being processed
• the description of the personal data concerning them
• information about anyone who has received or will receive their personal data
• details of the origin of their data if it was not collected from them

Charities need to be mindful that the rules on subject access apply to any individual. Charities are likely to hold and process personal data about their trustees, employees, service users, members, donors, volunteers and many others. Each category will have the same access rights.

Key Changes to SARs under GDPR
Under the GDPR, the procedure for making a SAR is similar to the procedure under the DPA. However, there are some key changes your Charity needs to be aware of, which may require you to make changes to your Charity’s procedures:

• Fees:
Under the DPA, your organisation can charge up to £10 for a SAR. Under the GDPR, a request for personal information is free unless the request is ‘manifestly unfounded or excessive.’ Your organisation can charge a ‘reasonable fee’ for multiple requests.

Impact: This may have a significant effect on your organisation where you receive large volumes of requests and this may result in an increase in administrative costs on your organisation. At present there is insufficient guidance on what is meant by “manifestly unfounded or excessive” and therefore your organisation should approach this with some caution.

It should also be recognised that the £10 fee may in the past have acted as an impediment to making a request, so charities may see an increase in requests as a result.

To read the full Charity Digital News article click here.

New Code Says Large Charities Need Governance Review Every Three Years

The Charity Governance Code, published 13th July 2017, replaces the Code of Good Governance.

Larger charities will be expected to submit to external governance reviews every three years under the new Charity Governance Code, published today.

The revised code, previously called the Code of Good Governance, was put out for consultation between November and February after its first overhaul since 2010 and is available in two versions: one with guidance for large charities and another tailored to the needs of smaller charities.

The new code requires charities to consider mergers with other organisations that have the same aims and says they should impose a nine-year maximum term on trustees unless there is a good reason not to. Both of these measures appeared in the draft version of the guidance.

The final version also calls on trustees to publish on their charity’s website and in its annual report the amount paid to senior staff and the process for setting pay.

The new code will, in effect, replace the Charity Commission’s Hallmarks of an Effective Charity guidance, which the regulator withdrew as a gesture of support for the code and to encourage charities to use it.

Rosie Chapman, chair of the steering group developing the code, told Third Sector that the final version of the code had been altered to include elements of the commission’s defunct guidance that were not in the consultation version.

She said the code’s recommendations had also been “beefed up”, and now called for charities to go above and beyond the legal minimum in ensuring diversity.

The new version of the code, Chapman said, was “as much about behaviours as it is about mechanical practices, but it also has some clear suggestions of what good practice looks like”.

But she said she believed the code should be reviewed much more frequently than it had been in the past.

The bodies involved in developing it welcomed the code, saying it was important for charities to focus on governance and the new code would help them do it.

Sarah Atkinson, director of policy and communications at the Charity Commission, said: “The Charity Governance Code represents a standard of good governance practice to which all charities should aspire. We encourage all charities to use it, following and applying its principles proportionately to their circumstances.”

“It’s also important for boards not just to assess and understand impact, but to take appropriate action on the basis of the findings.”

Source: Third Sector

Employee IT Behaviour Highlights GDPR Compliance Risk

A large number of UK organisations are at risk of huge financial penalties, as employees ignore company policies around confidential data, according to new research from Sharp.

The electronics company identified that 1 in 12 office workers (8%) has had access to confidential information that they should not have had, and nearly a quarter (24%) admit to storing work information in the public cloud even though they are not permitted to.

File sharing and taking confidential data out of the office were also widespread, with nearly a quarter (23%) using public file sharing sites without business approval, and a third (31%) ignoring office protocol by taking work home to complete. Even the rule makers in HR are flouting IT policy, with 30% of respondents who work in HR departments admitting to storing information in the public cloud, potentially jeopardising personal data.

With the General Data Protection Regulation (GDPR) coming into force in May 2018, organisations will be subject to large maximum fines for certain data protection breaches, making the adoption of robust data protection policies and practices a priority.

Stuart Sykes, Managing Director at Sharp Business Systems, said: “It is up to organisations to find the right balance between modern ways of working and secure data sharing. When you also consider that 75% of the workforce is now mobile and 81% of employees access work documents on the go, businesses need to do more to keep up with their workers.”

Security and privacy expert Dr Karen Renaud said that the results showed a need for organisations to provide better support for employees: “As long as businesses continue to require or implicitly overlook insecure behaviours, security will always be sacrificed.”

Risks were not limited to digital information; two thirds of workers (59%) reported that colleagues leave printed pages in the printer tray, significantly increasing the chances of documents being seen by the wrong person in the office.

Sharp has produced a free guide including advice from Dr Renaud on improving data security, available from

Source: Charity Digital News

Charity Governance Code

The updated version of the Charity Governance Code has been published, setting out higher standards and urging larger charities to carry out external reviews every three years.

Other key recommendations include increasing diversity on boards, a limit of nine years for trustee terms unless a good reason is given, more oversight of subsidiaries and a stronger emphasis on the role of the chair. Full details of the code are available on a new website.

The code is overseen by a steering group of charity umbrella bodies comprised of the Association of Chairs; Acevo; ICSA: The Governance Institute; NCVO; the Small Charities Coalition; and the Wales Council for Voluntary Action, and with an independent chair, Rosie Chapman.

Consultation on changes to the code, which was previously called the Code of Good Governance, began last year and received over 200 responses. Work on the code was funded by the Barrow Cadbury Trust and the Clothworkers Foundation. The Charity Commission has withdrawn its Hallmarks of an Effective Charity guidance in favour of directing people to the new code.

Chapman said: “The code for the first time sets out clear aspirations for a charity board to meet. This code is a great stepping off point to help charities navigate the changes. It will be an essential tool for charities to use and will greatly assist them to develop and grow in their effectiveness.”

Read the full article

Ten Tips to Stop Your Charity Breaking the Law

From 25 May 2018, thanks to new laws under the General Data Protection Regulation (GDPR), the consent of your supporters to receive updates and information on your latest campaigns etc. will need to be freely given, specific, informed and unambiguous, and given by way of a statement or clear affirmative action, in order to be lawful. But what does that actually mean in practice?

Here are 10 things you need to know about consent:

1. You will no longer be able to bundle consent requests within wider terms and conditions. A request for consent to receive marketing materials should be separate from terms and conditions and should not be a precondition of the provision of a service unless it is necessary for that service.

2. Pre-ticked opt-in boxes or opt-out boxes will no longer be valid. You must now use an un-ticked opt-in box or similar opt-in method that allows choice.

3. Requests for consent should be broken down into different categories where possible to allow your supporters to consent separately.

4. Your charity must be named along with any third parties (e.g. fundraising partners or agents) who will rely on the consent.

5. You must keep good records allowing you to show: who has consented, to what they consented, when and how they consented.

6. You must tell supporters that they have a right to withdraw their consent at any time, and you must tell them how to do this. The process for withdrawing consent cannot be more difficult than it was to give the consent in the first place!

7. Supporters have the right to object to direct marketing and your charity must bring this right explicitly to the attention of supporters from the start.

8. There is no set time limit for how long a person’s consent lasts but the Information Commissioner’s Office recommends refreshing it every two years.

9. If you ignore the new law not only do you risk reputational issues but you could be fined up to €20m or up to 4% of your turnover.

10. You should have started to prepare by reviewing the data you currently hold, assessing the reliability of the consent, and thinking about whether you have told your supporters of the changes being introduced.

Luckily for charities two pieces of recent guidance on the subject have been issued by key data protection players in the third sector. The Fundraising Regulator issued guidance earlier this year on fundraising which makes reference to upcoming changes expected by GDPR and the e-privacy regulation. The ICO has also issued draft guidance on consent under the GDPR.

Source: Charity Digital News

Less Than 1% Of UK Charities Are Protected Against Email Fraud

Fewer than 1% of UK charities are adequately protected against the risks of being targeted by fraudulent emails and phishing attacks, according to the findings of a new report published by platform-as-a-service provider Red Sift.

The organisation analysed more than 78,000 email domains of UK charities to establish how many of them implement email authentication protocols to protect their organisations and their donors from cyber-attacks. Overall, under 1% of them have implemented email authentication with DMARC – Domain-based Message Authentication, Reporting & Conformance.

The Top 100 Charities showed a slight increase in adoption (5%); however, none were blocking unauthorised email. The finding follows the recent publication of a UK Government report which found that fraudulent emails (72%) and phishing attacks (27%) were amongst the most common types of breaches suffered by UK businesses, further highlighting the huge risks posed to the £70bn UK charity sector and the 67% of the UK population who engage with it.

Rahul Powar, Red Sift CEO, commented: “Fraudulent emails and phishing attacks pose a serious risk to businesses and the data that they hold. As such it is very concerning that UK charities, that make huge social and economic contributions despite often working with limited resources, are so exposed to these potentially hugely damaging attacks.”

To read the full Charity Digital News article click here

Guide to Employing and Insuring Volunteers

Volunteers play an important part in most charities but without the right practice in place things can go wrong. This article looks at what a charity should consider when employing volunteers.

Is there a guide for best practice and legal requirements?
Volunteering England have a 10-step quality standard. They are an independent charity and membership organisation, committed to supporting, enabling and celebrating volunteering in all its diversity. The NCVO (The National Council for Voluntary Organisations) also publish useful guidance on their website.

What should a volunteer agreement include?
Some organisations use volunteer agreements to ensure separation from employment contracts. These are helpful to define what you would like a volunteer to do and to set boundaries of expectations, while avoiding terms implying contractual obligations.

Managing a volunteer’s enthusiasm and directing their energy in the desired way does require skillful oversight, either by an employee or an experienced volunteer with a demonstrable track record.

People do sometimes get carried away or make mistakes. When recruiting volunteers it is advisable to set out what the parameters of the role will be. This needs to be recorded in writing, agreed with the volunteer and preferably signed and dated.

Having this documented record will help your insurer defend your position should an incident arise where a volunteer is injured and it involved activity outside the agreement.

Do we have to get volunteers DBS checked?
In general, providers and managers of regulated health, child and adult social care services have to ensure that all staff (including volunteers) who come into contact with children or vulnerable adults, have a satisfactory DBS check. More information on DBS checks can be found on the website.

Do we have to insure volunteers?
Legally speaking you don’t have to. However, doing so can offer the volunteer the same protection as one of your employees should a claim be made involving the volunteer, as well as protect you if the volunteer brings a claim against you.

Despite your best efforts to keep the distinction clear between employees and volunteers there can be situations where the law regards a volunteer as an employee. This can be complicated and lead to disputes with insurers so it is always best to have volunteers included within the policy definition of employees.

Most liability policies extend to protect employees against claims made against them whilst working for you (in the same way as you would be if the claim was made against you). Including volunteers within the policy definition of ‘employee’ ensures that they have the benefit of your policy cover should they have the misfortune to have a claim made against them whilst volunteering for you.

The same applies where you arrange other covers for the protection of your employees, for example assault or personal accident cover, including volunteers within the definition ensures that they get the benefit of cover under the policy.

Check your policy wording, particularly if you have more than one insurer covering your liabilities, to ensure that such covers dovetail together (a specialist charity insurer will usually be able to provide such cover within one comprehensive policy).

Source: Third Sector
