On this page we’ve put together a set of resources about GDPR (General Data Protection Regulation). We’re doing this so that those in the charity sector – and interested parties outside it – can learn about the practices by which the sector complies with these regulations.
We begin with some general information on GDPR.
We follow with the ways GDPR relates to fundraising, and then prospect research.
After this, we have a section listing resources on privacy impact assessments.
Finally we have a section on privacy notices.
We hope this list of resources is useful – if you have any questions or comments for us relating to GDPR, or any recommended resources, please get in touch.
- Factary: Data Protection, Consent and Prospect Research
This blogpost provides a brief history of data protection and prospect research, including the 2015 Etherington Review, which outlined recommendations for the future of fundraising. (Please note this post is from 2016 when ‘consent’ was being pushed as the only option for lawfully processing data.)
- Factary: Prospect Research and Legitimate Interests
In this paper we address the confusion and uncertainty for prospect researchers and fundraising teams owing to the lack of non-profit-specific guidance on GDPR. We clarify both Consent and Legitimate Interests, the relevant conditions to be relied upon for processing data. We especially concentrate on Legitimate Interests, which has been overlooked by many sources in favour of Consent. We hope this paper will help non-profits decide which approach is best for them.
- Factary: Guide to GDPR compliant wealth screening (PDF)
This paper is intended to outline how best to approach planning for a wealth screening under GDPR. We refer specifically to third party screening – that said, the information and processes outlined can also be applied to other forms of prospect research.
- Factary: Why Factary is GDPR compliant – a one-page summary
This one-page document summarises why Factary’s screening process is GDPR-compliant.
- Information Commissioner’s Office: GDPR guide
“The Guide to the GDPR explains the provisions of the GDPR to help organisations comply with its requirements.”
- Information Commissioner’s Office: GDPR guide for charities
“We have issued guidance for not-for-profit organisations, which aims to answer questions regularly raised by charities and voluntary organisations.”
- Information Commissioner’s Office: Direct Marketing Guidance
“This is part of a series of guidance to help organisations to fully understand their obligations and to promote good practice.”
- Information Commissioner’s Office: PECR Guide
“PECR are the Privacy and Electronic Communications Regulations.”
- Official Journal of the EU: The GDPR in full (PDF)
“Regulation (EU) 2016/679 of the European Parliament and of the Council.”
- Charity Finance Group: GDPR: A guide for charities
“A guide enabling charities to understand and improve on data protection policies.”
- Institute of Fundraising: GDPR Essentials
“What’s going to be different about the new rules that are coming in?”
- Institute of Fundraising: GDPR Webinar Series (requires payment)
“This practical and interactive on-demand webinar series is designed specifically with fundraisers in mind.”
- Institute of Fundraising: GDPR at a Glance
“GDPR – what you need to know”
- Fundraising Regulator: Guidance on ‘Consent, Purpose and Transparency’
“The purpose of this guidance is to help charities and fundraisers better understand their responsibilities…”
- Tim Turner at 2040 Training: Fundraising and data protection survival guide
“Data Protection law itself isn’t that complex. It is based on a set of common sense principles…”
- Information Commissioner’s Office: Fundraising and Regulatory Compliance Conference paper
This paper was produced by the ICO for the conference it held in February 2017 for fundraising charities – please note that, at the time of the conference, there was a strong focus on consent as the basis for processing data for fundraising.
- Adrian Beney: Legitimate Interest vs Consent; What should a charity do?
“A discussion about whether or not organisations should, or are compelled to, adopt an ‘opt-in only’ mode for managing their databases.”
- Adrian Beney: Is Consent all it’s cracked up to be?
Is consent the safest option? “Consent can’t be assumed under GDPR, and if a data controller chooses to use consent, GDPR requires them to be able to prove they have consent.”
- Adrian Beney: Guidance on Fundraising Regulations
“We look at the changing fundraising regulations and provide answers (where we can!) to some of your most common questions.”
- Adrian Beney: Public Authorities and Legitimate Interest
A thorough overview of the legalities of using the Legitimate Interest condition by Public Authorities.
- Adrian Beney: Prospect Research and Companies House data
“This is a post about one particular source of public domain data – data obtained from Companies House.”
- IoF & Beth Breeze: Good Asking Report
“The Institute of Fundraising has launched Good Asking – a report on why charities research and process supporter information.”
- Charity Commission: Chapter 2 of the Compliance Toolkit (for Due Diligence)
“Trustees must carry out due diligence checks on donors, beneficiaries and local partners and can also monitor end use of funds.”
- National Audit Office: Guidelines on due diligence
“A summary of the issues faced and best-practice examples of how to manage the risks.”
- Information Commissioner’s Office: Privacy Impact Assessment Code of Practice
“The time now seems right to update our guidance [on PIAs] and to formalise it into this Code of Practice.”
- Data Protection Network: Legitimate Interests Guidance and Toolkit
“Guidance on Legitimate Interests under the EU General Data Protection Regulation.”
- Information Commissioner’s Office: Notice Code of Practice
“Being transparent and providing accessible information to individuals about how you will use their personal data is a key element…”
- Information Commissioner’s Office: website information on privacy notices
“The EU General Data Protection Regulation includes rules on giving privacy information to data subjects in Articles 12, 13 and 14.”