The GDPR has had a major impact on many charities and not-for-profits.

For charities, the change with GDPR meant ensuring people have a clear choice about the information that is held about them and how it is used. Procedures had to be altered to give users more of a say and CRM systems had to be reviewed and updated to ensure data was handled securely.

The criteria for a mandatory DPO under GDPR is as follows:

  • You are a public authority (except for courts acting in their judicial capacity)
  • You carry out large-scale systematic monitoring of individuals.
  • You carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.

Not all charities meet the criteria for a mandatory DPO, but the charity commission recommends it as being advisable. This is because data is fundamental to many charities and appointing someone responsible for data protection can help monitor compliance.

There are many important data protection considerations that charities and not-for-profits need to consider such as:

  • Marketing and Fundraising
  • Staff and Volunteers
  • Governance and the trustees
  • Administration
  • Policies and agreements

Charities have been in the spotlight over the past year as targets for cybercriminals. The Governments Cyber Security Breaches Survey 2021 highlighted that 26% of charities reported having cybersecurity breaches or attacks in the last 12 months, emphasising the importance of securely processing data.


What does a Data Protection Officer do?

The main purpose of a DPO is to act as an independent advisor within the organisation. Their primary role is to protect the rights and freedoms of the people’s information that you are processing.

They should advise the organisation of the processing activities that they are carrying out and ensure they are compliant with the law.

A DPO will act as a contact point for data subjects and the Information Commissioner’s Office (ICO) as well as providing advice regarding Data Protection Impact Assessments (DPIAS).


What are the benefits of hiring an outsourced DPO?

Fresh Pair of eyes 

The first benefit is that a DPO gives you that extra set of eyes. They provide a different perspective and outlook on the activity that is being considered. They are almost sitting on the side-line absorbing and understanding what it is that you want to achieve and then offering advice and feedback in line with how it can be compliant. Having someone within the organisation to carry this out is beneficial but you must ensure that there is not a conflict of interest.

The role of a DPO can be complicated in the sense that the organisation wants to meet their commercial needs but also looking to protect the needs and rights and freedom of the individuals you are working with. Therefore, an outsourced DPO can be beneficial as their primary focus will be on ensuring the activity proposed is compliant without the clouded judgement of the organisation’s commercial needs.


The second benefit to having an outsourced DPO is the level of independence and the ease of management. You do not need to worry about your organisational structure and understanding where the role should fit, this can be a challenge as it cannot be constrained by line management.

Having someone on the outside allows the role to be completed more freely, offering guidance in the best possible mindset.


Your organisation may have faced financial constraints especially in the past year due to the pandemic, fundraising activity may have been put on hold and you might not be able to justify paying for a full-time role for a position that does not generate income. By opting for an outsourced provider, you can reduce your annual cost while still maintaining regulatory compliance. The cost saved by having someone in-house can be put towards activities that are important in keeping the charity going and giving you better control.


Finally finding a DPO with the right level of experience to join your team can be time-consuming and, in most cases, you might not need to have someone operating in a full-time capacity. If you are looking for advice and guidance on a particular project or activity, having an outsourced DPO means you can contact them as and when you need them. You can spread this time over a month dedicating small pockets of time to different activities, helping you maintain focus on what you do best.


About iSTORM® Privacy – Security – Pentesting

Here at iSTORM® Privacy – Security – Pentesting our network of handpicked, highly experienced DPO’s not only meet the requirements as defined under article 39 of the GDPR, but they also understand that compliance is about risk management and have the experience and knowledge to advise businesses then they need it most.

For more information on how iSTORM® Privacy – Security – Pentesting can support your charity with a DPO service click here.