The GDPR applies to organisations and public bodies of all types that collect and process personal data belonging to individuals residing in the EU/EEA; charities and NGOs are also obliged to comply with the EU’s privacy regulation. As NGOs and charities handle an abundance of sensitive data, it is important to take appropriate safeguards in order to avoid GDPR fines and cyberthreats. Numerous studies have indicated that the GDPR has helped companies increase consumer trust, but what does this mean for NGOs specifically in terms of potential benefits?
Building further trust through compliance and data protection
GDPR compliance in brief and some of its benefits for NGOs
NGOs, charities and other non-profit organisations tend to work with a wide variety of stakeholders. One of the main goals of an NGO is to further develop rapport with these stakeholders, for instance donors. According to Jerome Chincarini, the director of Synergic (an analytics software platform provider that works with numerous NGOs around the world), one of the key ways NGOs can develop further rapport with stakeholders is through transparency.
In today’s world, where people are more critical about where they submit their data, transparency should be prioritised by all organisations. Not only can ensuring transparency contribute to GDPR compliance, but it could also help to create and maintain customer trust and brand loyalty.
In fact, according to the Capgemini 2019 report, organisations that took adequate measures in their GDPR compliance efforts witnessed a significant increase in customer trust. The study questioned 1,000+ organisations from the EU and the US, and revealed that 92% of GDPR compliant organisations reported a significant increase in brand awareness and in customer trust. Four out of five compliant organisations involved in the study reported a drastic rise in consumer participation in their loyalty and promotion programs after introducing further GDPR compliant methods and clearly communicating those efforts to their audiences.
Non-compliance with the GDPR and its consequences
Non-compliance with the GDPR can have significant consequences for organisations. Within the GDPR’s first full year of enforcement, 281,000+ data incidents were reported to data protection authorities from 27 different EU member states, of which 89,200+ were confirmed as data breach reports. These statistics indicate that the sizes and sectors of organisations found non-compliant, or found to have been the victim of a cyberattack, varied greatly.
As NGOs handle an abundance of sensitive and valuable information, adequate precautions to protect this data are crucial.
Notable breaches by NGOs
In fact, in September 2019, a prominent figure in charity and humanitarian aid efforts, UNICEF, suffered a significant data leak. The incident left personal information belonging to 8,200+ learners on one of the organisation’s online education platforms, Agora, exposed to unauthorised third-party access. UNICEF later confirmed that the leak was caused by an error that occurred when an Agora user ran a report on the platform, which then disclosed private information about other users, such as gender, duties, emails, names and supervisor names. Another data breach reported the same year belonged to one of the largest health NGOs in New Zealand, Tu Ora Compass Health. This breach resulted from cyberattacks that had gone unrecognised since late 2016, and it left the personal health data of 1 million individuals exposed to unauthorised third parties. A further impactful case occurred in late June 2019, when the ICO received a report of a data breach from the children’s transgender advocacy charity Mermaids, after 1,000 pages containing personal and confidential information of members and patients were made available online due to an internal error, caused by a misunderstanding when setting up a private group email list.
Besides fulfilling the obligations of the privacy regulation, compliance can carry several benefits for NGOs as well. But what should NGOs take into account specifically?
Key things to take into account
Understanding special category data
As NGOs and charities hold a significant amount of personal data belonging to stakeholders in their databases, some of this information can be considered significantly more sensitive than the rest. Some of this data could be considered special category data. The GDPR describes special category data as personal data that discloses: racial or ethnic origin, political affiliations or opinions, religious beliefs, genetic data, sexual orientation, and biometric data. Special category data is considered very sensitive and personal for individuals, and thus needs extra protection.
NGOs and other non-profit organisations have a tendency to handle such information. It is important to note that, when it comes to processing such data, the GDPR states that processing of any personal data is prohibited unless one of a limited number of legal bases (found in Article 6(1)) applies. Article 9 GDPR lays out the additional legal bases you need for processing special category data. These bases are limited, however. NGOs might specifically find the bases of processing by not-for-profit bodies, and processing for the protection of the data subject’s vital interests (e.g. health), useful. The ICO has also provided a guide to assist organisations further when considering whether to process special category data.
Gaining an overall scope
In order to have a thorough understanding and overview of your data compliance efforts and practices, conducting a Data Protection Impact Assessment (DPIA) may prove beneficial. Executing a DPIA is a vital aspect of an organisation’s accountability under the GDPR. A DPIA is performed to help an organisation analyse, identify, and minimise the data privacy risks of a certain project or plan. Not only does it help point out what could potentially end up as a violation of the GDPR or a risk to the rights and freedoms of data subjects, but it also offers further understanding of what could be changed for future plans.
Embedding a data privacy culture
NGOs tend to have various stakeholders who have unique roles in achieving different goals. It is important to make sure that all individuals involved are up to date with the latest compliance efforts. This also includes volunteers, as the GDPR generally treats volunteers the same as employees in regard to data handling and data management. Taking the time to educate members as well as volunteers on the implications their actions could have, and on the precautions they must adhere to, is a stepping stone to consistent data privacy compliance efforts.
Moreover, successfully taking the mentioned aspects into account will help your NGO understand what is needed to keep up with the GDPR’s obligations. As stated above, there are several benefits from GDPR compliance which are not limited to data protection and privacy. For an NGO, shifting current practices to a more data privacy centric method could also mean reducing the likelihood of donor fatigue or dissatisfaction.
Common practices that could be adapted further
Some key aspects to take into account in relation to a few common practices by NGOs:
Surveys and research
Making sure that an appropriate lawful basis is determined for conducting a survey is vital, and a must under the GDPR. Communicating that lawful basis is also a necessity, as the data subject has the right to know where, why, and how their personal data is going to be processed. Under Articles 13 and 14 GDPR, communicating such information in detail is an obligation. These articles state that information collected from data subjects should be processed in a fair and transparent manner. The type of data being gathered, who processes the data, the storage period of the data, and any other purposes of processing should be made clear to the audience. Moreover, data subjects should also be given a way to access the data they have provided to you, in line with their further rights under the GDPR (Articles 15-22).
Article 5 GDPR refers to data minimisation, which indicates that organisations should make an effort to gather and process as little personal data as possible. What this means is that only data that is vital for the intended actions or research should be collected. This expectation offers organisations a chance to re-evaluate current gathering methods, readjust them to comply with the GDPR, and narrow down the information collected. This opens up the opportunity to be more to the point, and to decrease potential problems.
Email marketing is a common method of engagement between NGOs and their various stakeholders. Email newsletters, for example, provide a strong base for letting the target audience know more about your organisation and your plans. However, it should be noted that the GDPR imposes certain obligations that must be met when carrying out email marketing campaigns. The GDPR emphasises consent: organisations must obtain an affirmative opt-in before they are able to send material. Opting out must be made just as simple, so that individuals can easily change their minds, and the opt-in must not rely on pre-checked boxes.
Offline marketing efforts are also a strong method of gathering more insight into potential customer behaviour and interests. While online marketing efforts may also provide such an overview, offline marketing methods for NGOs are usually more intimate and can directly involve individuals on the spot. NGOs may conduct questionnaires, craft loyalty cards, and even create project schemes that take note of an individual’s purchases or choices. These actions, which involve a significant amount of personal data, can probably be considered profiling. This would mean that you should take adequate measures to protect such sensitive information, and possibly conduct a DPIA to measure the implications of the actions you are considering.
Taking the right steps towards a more GDPR compliant way of carrying out these practices not only lessens the chances of a loss of trust or a GDPR fine resulting from a data breach or other compliance issues, it also contributes to branding your NGO as one that caters to the needs of its target audience. By complying with the GDPR, organisations respect an individual’s right to privacy and, as a result, open up the likelihood of more trust.
Compliance and Credibility
NGOs and other non-profit bodies tend to work with highly sensitive information, and in a large number of cases they also work with individuals in precarious and very sensitive situations. Bearing that in mind, it is important to ensure adequate protection of their data and wellbeing. With the recent surge of fake news, fake charities, and fake aid initiatives, there is growing distrust amongst the public. By taking the appropriate steps to ensure transparency and accountability, NGOs can achieve a certain level of trust from the public. Ensuring GDPR compliance not only lessens the chances of your NGO receiving a GDPR related fine, but it could also contribute to creating a trustworthy position in the eyes of your audience.
Thinking about the exact steps your organisation can take to be GDPR compliant? Check out our Free Ultimate GDPR Guide where our privacy experts break down the GDPR into walk-through steps to help you.