The new General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, marks a significant change in the EU data protection regime, with an increased emphasis on transparency and accountability in the way in which organisations (including charities) gather, store and use people’s personal information.

It is vital that charities act now to ensure that they are compliant before the implementation date. While all aspects of the new regime require careful analysis, some of the new requirements are likely to affect the charities sector more than others, and will, therefore, warrant special consideration.

How Will the GDPR Affect on Charities?

Legal bases for processing

The GDPR sets out a range of valid legal bases (which are unchanged from the legal bases set out under current legislation)

 for processing personal data, including for the purposes of fulfilling a legal obligation, to protect the vital interests of an individual and the administration of justice.

Most charities, however, are likely to process personal data on the basis that the individual has consented to the processing, entered into a contract (or wishes to) with the charity or on the basis of the legitimate interests of the charity.

Where a charity seeks to rely on consent as the legal basis for processing personal data, the charity must ensure that the consent obtained is freely given, specific, informed and has been given by way of an affirmative action.

 GDPR raises the bar for the consents which organisations obtain and your charity will need to understand  the increased requirements for consent that the GDPR introduces.

For example, tick-the-box type consent forms covering all forms of data processing are unlikely to be sufficient. In its fundraising activities, for instance, your charity will need to ensure that consent has been obtained for the specific purpose of fundraising. If your organisation works with vulnerable persons, your organisation will also need to consider how it can validly obtain consent from these individuals.

If your charity seeks to process personal data on the basis of a “legitimate interest”, it will be necessary to carry out an assessment to determine, whether a legitimate interest in fact exists, whether you need to process the data, and whether, balancing the interests of the data subject and the charity, you ought to process the data. 

Examples of legitimate interests include, among others, processing data to determine your charity’s ability to assist a beneficiary or to monitor and optimise your charity’s services.

Data retention periods

Even where your charity has processed personal data lawfully, the length of time you retain the data will require careful consideration.

 The retention periods for different categories must each be considered separately, rather than applying a blanket policy for all data held and you must ensure that you have a justification for retaining personal data. 

Proper GDPR training and management for volunteers is also vitally important in order to ensure that personal data is processed in line with the GDPR. 

In addition, your charity will have responsibility to ensure third-party contractors and processers, such as recruitment agencies also meet the GDPR requirements.


Increased data protection obligations and tough sanctions for those failing to comply mean that establishing a carefully tailored GDPR implementation plan is a must for your charity.

While the areas outlined above may affect the charities sector in particular, other aspects of the GDPR regime should not be overlooked. A structured, well-planned approach to implementation will reduce the risk to your organisation.

Now the question is:
«How Can Iranian Charities Run GDP?»

By answering this question, please help WikiNiki to complete this article.

Source: mhc Website

Persian Version of this article