GDPR – areas for the not for profit sector to improve upon

Published on 8 October 2018

Share this article

It seems like ages ago that entities around the UK were reviewing and discussing at great length about the introduction of General Data Protection Regulation (GDPR) and gearing up for the big switch in May 2018. But that time has come and gone and now many entities are getting on with everyday life, and dare we say putting GDPR down on the list of things to do.

In April, just prior to GDPR being introduced, the Information Commissioner’s Office (ICO) released a report detailing their findings following some risk reviews at 8 charities in the UK. The reviews were focussed on the previous Data Protection Act (1998) but included GDPR recommendations where long-term actions were appropriate.

The report provides an opportunity for not for profit entities to reflect upon their current policies and procedures to ensure that they are promoting good practice in this sensitive area. Below we highlight some of the key areas for improvement detailed in the report.

Policies and procedures

The report identified that not all entities visited had ‘information governance’ policies in place. In addition where policies were in place, they were not reviewed regularly nor had documented a review schedule to take place.

In addition, where policies were in place, the communication of these to staff and volunteers was inconsistent. Entities should have a requirement for staff to read these policies as part of their induction and sign to say they have read and understood them.

Monitoring and reporting

The report highlighted that many entities have not included a review of compliance checks within their internal audit programme. Furthermore, routine compliance checks on data processors are not always in place.


Most entities do not have in place annual refresher training for staff and volunteers. They also often don’t receive any data protection training before being allowed to access or process personal data.


Most entities use data processors to carry out certain tasks. However, more often than not, these entities do not have contracts in place or where they are in place, they are not adequate and do not include relevant data protection clauses.

Incident reporting

Not for profit entities should maintain an incident log which should be comprehensive and used consistently. Each incident should have an appropriate risk rating assigned to it. Too many incidents pass by without a risk rating being attributed which can lead to confusion as to whether the incident should be reported to the ICO or not.

Retention of data

Every entity is different and therefore consideration must be made as to how long personal data should be retained for. The ICO feel that too often personal data is being retained for far longer than necessary which arises due to poor record keeping management.

Furthermore, where data is “deleted”, entities have not reviewed their IT systems to ensure that they allow for permanent deletion of records. This can lead to entities not complying with an individual’s “right to erasure” under GDPR.

Finally, contracts should be in place where confidential waste companies are used and the contracts should include a right for the entity to carry out compliance checks.


Now that GDPR has been introduced, it can all too easy to stop looking to improve systems and procedures connected to this legislation. The above highlights should act as a reminder to not for profit entities to ensure that consistent monitoring is in place.

The report also contains examples of good practice being implemented across the sector. Therefore we would recommend entities read the report and consider what changes they should be looking to implement as soon as possible.

After May 2018, the ICO have continued to issue further guidance. This includes their own Legitimate Interest Assessment sheet and their views on how to deal with Subject Access Reports. As incidents are reported to the ICO we are learning what expectation the ICO have in many areas – this being far more stringent than many commentators had previously aired.

Make sure you download your complimentary copy of Kreston’s Academies Benchmark Report 2019 here:

This year the report includes over 350 Trusts representing nearly 1000 schools and is based on those Academies that prepared financial statements for the period ended 31 August 2018 and which were audited by member firms of Kreston UK.

Share this article

Subscribe to our newsletters

Our complimentary newsletters and event invitations are designed to provide you with regular updates, insight and guidance.

    • Business, finance and tax issuesPersonal finance, tax, legal and wealth management issuesInternational business issuesCharity and not-for-profit issues

    • Academies and educationAgricultureFinancial servicesLife sciencesManufacturingProfessional practicesProperty and constructionTechnology

    • yes I agree I have read and accept the privacy policy and am happy for Kreston Reeves email communications I have selected above

    You can unsubscribe from our email communications at any time by emailing [email protected] or by clicking the 'unsubscribe' link found on all our email newsletters and event invitations.