A worrying number of UK charities are yet to take any steps to prepare for the new UK law on data protection.
Our survey of more than 300 UK charities shows that most are taking action to prepare for the new general data protection regulation (GDPR), which comes into effect in May 2018, with major new requirements for how organisations process personal data. Steps already taken include training and recruiting staff; discussing data protection with their board; reviewing and updating privacy policies; and undertaking audits. This all shows that charities are taking seriously the need to reach the right standards for data protection.
However, and not surprisingly, some organisations are finding it a challenge to get ready for these new legal changes. A fifth of respondents – 22% – said they had not yet taken any steps to get ready for GDPR. The vast majority of those organisations are smaller charities, with a turnover of under £1m. But compliance and GDPR is not optional – so we need to ensure that everyone in the charity sector is ready.
The biggest challenge reported in our survey, cited by 72% of respondents, is a lack of clear guidance. The Information Commissioner’s Office (ICO) has not yet published its final guidance on consent, but the law is written and final and the commissioner has put out a range of resources for all organisations to think about the new law. There is also guidance from a range of organisations including ourselves, the Fundraising Regulator, and others.
At the same time, we also believe there is a need for government action. That’s why we’ve written to the digital minister, Matt Hancock, asking him to work with charities, regulators and sector bodies on a new strategic intervention to help the sector prepare for these changes.
As part of this, and based on the responses to our survey, we would like to see a targeted grant scheme set up to support charities who need to update their databases. We also want to see a coordinated campaign to raise awareness across the sector about the changes and guidance on offer. While the government already provides limited but very welcome support in building fundraising skills and capacity through the provision of subsidised training programmes, this should be complemented with an additional programme on data protection, and a hotline for charities with advice and information.
We know money is tight; if direct funding is not available, the government should use its convening power to identify and coordinate funding bodies that could support charities.
Meeting the new requirements in data protection will affect all charities and it is the right thing to do for charity service users, volunteers and supporters.
But our research shows that for some there is still a long way to go before the charity sector as a whole is fully prepared. With May 2018 getting ever closer, the time for action is now.
Talk to us on Twitter via @Gdnvoluntary and join our community for your free fortnightly Guardian Voluntary Sector newsletter, with analysis and opinion sent direct to you on the first Thursday of the month.
Looking for a role in the not-for-profit sector, or need to recruit staff? Take a look at Guardian Jobs.