Data privacy considerations for the Not for Profit sector

12 August 2021

The UK GDPR is a regulation, not a project. Three years on from the UK enshrining GDPR into UK law as the Data Protection Act 2018, many not for profit organisations are reviewing their current levels of compliance. Whilst a considerable amount of work was completed across the sector in the lead up to the GDPR ‘go-live’ date in May 2018, organisations are required to demonstrate continued compliance with its regulatory requirements. But what does this mean in practice?

This article sets out key considerations for the sector to ensure that you remain up to date with continued data privacy compliance requirements:

  1. Has your Article 30 Record of Processing Activity (ROPA) been recently reviewed and updated, to accurately reflect data processing activity? The ROPA forms the foundation of your GDPR governance and compliance, and should be regularly reviewed and updated to reflect changes in data processing activity, and demonstrate accountability and oversight of data processing at your organisation.
  2. Have privacy notices been updated to reflect changes in the ROPA? Transparency is a key principle of GDPR, and data subjects have the right to be informed about the collection and use of their personal data. If privacy notices are not regularly reviewed and updated to reflect changes in data processing, then organisations are unlikely to be accurately communicating data processing activity to data subjects.
  3. What are the levels of employee awareness of GDPR requirements? Whilst a lot of work was done in 2018 to deliver GDPR awareness training to employees, staff training should be periodically refreshed and updated to ensure that staff are familiar with key internal processes, especially where strict time limits apply, e.g. data breaches and subject access requests. In addition, data protection is a constantly evolving field, so employees need to be aware of relevant recent developments, for example in relation to international data transfers.
  4. Do you have full oversight of data protection risk in the supply chain? Sharing personal data with third parties inevitably exposes organisations to risk. This is why it remains crucial for organisations to maintain full oversight of data processors and joint controllers, and crucially their location, to ensure that appropriate data processing provisions are written into contracts and that both parties are clear about their responsibilities in the event of a subject access request or data breach. Recent changes in data protection law, including the invalidation of the Privacy Shield, have meant that organisations need to seek an alternative safeguard for transfers of personal data to processors located in the US, so it remains important to be aware of which non-EU/EEA countries you may be sharing personal data with.
  5. Do you have full oversight of data processing which relies on consent or legitimate interest as the lawful basis for processing? Are consent management arrangements in line with GDPR requirements? Remember, individuals have the right to withdraw consent at any time, at which point the data processing should cease. If organisations are relying on consent as the lawful basis for processing, then there should be internal infrastructure in place to support this. Have legitimate interest assessments (LIAs) been completed for data processing activity which relies on legitimate interest?
  6. Are key data protection policies and procedures regularly reviewed and updated to accurately reflect current processes? To demonstrate continued compliance with GDPR requirements, it is important that key policies and procedures are regularly reviewed and updated so that they remain current and reflect actual practice.
  7. Have Data Protection Impact Assessments (DPIAs) been embedded into centralised processes? The GDPR requires organisations to embed data protection by design and by default, to ensure that data protection risks associated with new projects and high risk data processing activities are identified and mitigated. Are data protection considerations (and the requirement to complete a DPIA) highlighted as part of the project development process?
  8. What insights can you obtain from your data breach register? Organisations are required to maintain a record of all data breaches, regardless of whether or not a breach is sufficiently serious to warrant reporting to the Information Commissioner’s Office (ICO) and/or the data subject. It is also worth noting that the register can provide useful insights regarding the nature and frequency of data breaches, and highlight specific areas where additional controls and/or training may be required to reduce the risk of breaches reoccurring.

The themes highlighted in this article are based on our experience working in the sector and changes in the European data privacy landscape. If you would like to find out more, or discuss any of the topics highlighted in this article, please contact our Data Privacy Practice or get in touch with Christopher Beveridge, Director and Head of Privacy & Data Protection or Louise Sadler, Privacy Specialist.