10 Tips for Charities to Manage GDPR Consent
As a charity, you are very much aware of the General Data Protection Regulation (GDPR) that came into effect on May 25th, 2018. This regulation is designed to protect the privacy of individuals and gives individuals more control over their data. To comply with GDPR, charities must obtain consent from individuals before collecting, using, or sharing their data.
Here are 10 tips for charities to manage GDPR consent:
Consent request
1. Get explicit consent. Make sure that you have genuine consent from individuals before collecting, using, or sharing their data. Make your consent form easy to read and use simple opt-in tools such as tick boxes. Any consent request should be prominent and separate from other terms and conditions.
When you seek consent, keep your request brief and to the point. Avoid jargon, long or confusing sentences, and vague or blanket consent, and provide a genuine choice. Be clear about how you intend to use personal data before collecting it, and include a list of the specific purposes. This gives those giving consent peace of mind.
Storing consent
2. Keep records of consent. It is good practice to keep records of when and how you obtained consent from each individual. This lets you produce the data subject's consent form if there is ever a question. You may wish to keep physical and digital copies of both the consent form and the consent request.
Once you have obtained consent, it is your responsibility to keep the personal data of individuals secure at all times. This means ensuring that it is stored in a secure location and only accessible by authorised personnel.
Manage consent
3. Keep consent up to date. Keep freely given consent current by asking individuals at appropriate intervals whether they still agree to have their data collected, used, and shared, and refresh your consent records accordingly.
You should only collect the data that you need for the specific purpose for which you have obtained consent. Do not collect more data than is necessary. It is your responsibility to keep the personal data of individuals accurate and up to date.
Withdraw consent
4. Individuals should be able to withdraw consent easily at any time if they feel that it is no longer valid. Make sure that you have a process in place for them to do this, with clear opt-out boxes. It is vital to include your organisation's contact details in all of your marketing material and marketing emails.
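Tips 2, 3 and 4 together describe a consent record: what was agreed, when, how, and whether it has since been withdrawn or fallen due for refresh. The following is an added example of such a ledger, written for this page rather than taken from the article; the 730-day refresh interval, the purpose names and the donor identifiers are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed re-confirmation interval; the article says "appropriate intervals" and sets none.
REFRESH_AFTER = timedelta(days=730)


def _ts(value=None):
    """Accept an ISO-8601 string or a datetime; default to the current UTC time."""
    if value is None:
        return datetime.now(timezone.utc)
    return datetime.fromisoformat(value) if isinstance(value, str) else value


@dataclass
class ConsentEvent:
    subject_id: str
    purpose: str      # one specific purpose, e.g. "newsletter", never "marketing in general"
    granted: bool     # True = consent given, False = consent withdrawn
    when: datetime    # when it happened
    how: str          # how it was given or withdrawn, e.g. "web form v3", "paper form (scanned)"


@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)

    def record(self, subject_id, purpose, granted, how, when=None):
        # A grant needs evidence of an affirmative action; a blank "how" means none was captured.
        if granted and not how:
            raise ValueError("a grant must record how consent was affirmatively given")
        ev = ConsentEvent(subject_id, purpose, granted, _ts(when), how)
        self.events.append(ev)  # append-only: the history is the audit trail
        return ev

    def latest(self, subject_id, purpose):
        hits = [e for e in self.events if (e.subject_id, e.purpose) == (subject_id, purpose)]
        return max(hits, key=lambda e: e.when) if hits else None

    def may_process(self, subject_id, purpose, now=None):
        """True only if the newest event for this purpose is a grant not yet overdue for refresh."""
        ev = self.latest(subject_id, purpose)
        return bool(ev and ev.granted and _ts(now) - ev.when <= REFRESH_AFTER)

    def due_for_refresh(self, now=None):
        """(subject, purpose) pairs whose current consent is older than REFRESH_AFTER."""
        now = _ts(now)
        current = {}
        for e in sorted(self.events, key=lambda e: e.when):
            current[(e.subject_id, e.purpose)] = e
        return sorted(k for k, e in current.items() if e.granted and now - e.when > REFRESH_AFTER)
```

Because the ledger is append-only, a withdrawal never erases the earlier grant; the history shows both the original basis for processing and when it ended.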
Legal obligations
5. Remember that individuals have the right to access, rectify, and delete their data. It is your legal obligation to honour these requests promptly.
It is best practice, and in the public interest, to publish a specific statement outlining how you meet the GDPR's requirements.
Processing personal data
6. Personal data must be kept secure at all times. Be sure to put appropriate security measures in place to protect personal data. Privacy policies should also be updated to reflect GDPR compliance.
Be extra careful when collecting children's data: parental or guardian opt-in consent is required for processing the personal data of children under the age of 16. When seeking consent from parents or guardians, be clear about the specific purposes for which you are collecting, using, and sharing the child's data.
Personal data should only be shared with third parties if the individual has given explicit consent. This includes sharing data with service providers such as IT companies, email marketing platforms, and cloud storage providers.
Legitimate interests
7. Personal data must not be sold under GDPR. If you receive a request to do so, you are legally required to decline.
You must not use personal data for direct marketing purposes unless the individual has given explicit consent. This includes sending emails, text messages, or calling individuals for marketing purposes.
You may need to obtain separate consent from individuals before collecting, using, or sharing special category data such as health data, religious beliefs, or political opinions. You must not use personal data for automated decision-making, including profiling.
Affirmative action
8. Individuals have the right to know how their data is being used. Be transparent about your use of personal data, your processing activities and your consent practices.
You must keep individuals updated on changes to your privacy policy and terms of use. This includes informing them of any changes to the way their data is being used.
GDPR compliant
9. Make sure that you comply with all aspects of GDPR consent. This includes obtaining consent, keeping personal data secure, and being transparent about your purposes for processing.
Information Commissioner's Office (ICO)
10. There are several ways that charities can use the ICO to help them manage consent. The ICO provides guidance on best practice for collecting, using, and storing personal data, and offers a toolkit that helps organisations self-assess their compliance with data protection law. Charities can also contact the ICO directly for help and advice on specific issues. By using the ICO's resources and expertise, charities can ensure that they are managing consent properly and protecting the personal data of their donors and beneficiaries.
Following these tips will help you to comply with GDPR, employ reliable consent mechanisms and protect the personal data of individuals.