Meritgates Consultancy Ltd provides certified and experienced Data Protection Officers (DPOs) to support charities and not-for-profit organisations in meeting their data protection obligations. We understand the unique challenges faced by charitable organisations when handling personal data, donations, and volunteer information. Our team ensures you remain compliant with GDPR while maintaining the trust of your supporters and beneficiaries.
We currently provide discounted DPO services for numerous charities, offering flexible contract terms and tailored support. Our services include DSAR management, data breach response, and compliance risk reduction. Charities can benefit from up to 30% off our standard monthly subscription, helping you stay compliant without straining your resources.
A DPO’s role includes the review and ongoing monitoring of compliance with the data protection legislation.
This typically means that the DPO will complete an annual audit of the organisation's compliance and develop and maintain a Privacy by Design Plan.
As part of the compliance monitoring activities the DPO will review how Privacy by Design is implemented into the organisation's operational processes and procedures.
This is a specific requirement under Article 25 and must be in place to be compliant.
The DPO should act as the central point of contact for any data breach that occurs within the organisation (assuming this involves personal data).
The DPO should have the experience needed to follow the legal and best practice methodology for managing incidents. They will provide advice and guidance and ensure that the correct steps are taken to minimise risk.
Note – they will also be the point of contact with the associated Information Regulator (e.g. the UK’s Information Commissioner’s Office).
The DPO is required to keep an up-to-date record of processing activities (ROPA) for the personal data that the organisation processes as a Data Controller and Data Processor.
The ROPA is a legal requirement under Article 30.
Data Subject Access Requests (DSARs) are commonly submitted by individuals (i.e. the Data Subject) when exercising their rights under data protection legislation.
The DPO must ensure that the requests are appropriately managed in accordance with the legislative requirements.
A DPO should provide training to all staff on matters of both data protection and information security awareness.
There are specific legal requirements to train staff (under both Articles 5 and 32) so the DPO must ensure that this is in place and is fit for purpose.
Article 27 of the EU and UK GDPR requires that organisations provide a geographically located representative for citizens of the EU and UK.
UK Representative
This applies when an organisation is based in one region (i.e. the EU) and they process UK citizens' data.
In this case, the UK representative must have an office in the UK.
EU Representative
This applies when an organisation is based in the UK and they process EU citizens' data.
In this case, the EU representative must have an office in the EU.
So, in the case of education establishments, this applies if you have staff or students that reside for at least part of the year inside the EU.
Note – We have offices in both the UK and EU and can support this requirement.
All charities have significant challenges in securing donors and sufficient revenue for their charitable activities.
Marketing is a major part of this challenge and data protection is also a considerable factor in the overall process.
We are specialists in reviewing the legal basis for processing of donor details and also in working with charities to ensure that they follow the regulations of the PECR and, obviously, the UK and EU GDPR.
Education establishments have many different software requirements, all of which need to conform with data protection.
Systems such as:
The use of the above software will need to have the appropriate risk assessments and compliance measures in place.
All education establishments have to process sensitive (special categories) data about their staff and students etc.
Typically, this is done under safeguarding requirements but the correct legal basis for processing and other requirements need to be followed.
In terms of data protection, children under the age of 13 have to be treated differently than those aged 13 and over.
This causes significant complexity for some education establishments (e.g. Nurseries and Schools) and the way that the legal basis for the processing is obtained must be in compliance with the legislation.
There are crucial rules to follow with regards to how schools communicate and manage the legal basis for processing in areas such as:
Education establishments process personal data of a wide variety of individuals, also known as data subjects.
These include:
There are numerous policies and procedures that must be in place in order for the establishment to be compliant.
Also, these documents must be broadly communicated, understood and implemented to demonstrate compliance.
All education establishments must be doing everything they possibly can to secure the integrity, confidentiality and availability of personal data.
This requirement is complex and must be fully assessed as to what is required for compliance.
There are some useful guidelines on the basics of data protection and how organisations need to comply with this during their fundraising activities.
Refer to: Institute of Fundraising
Outsourcing your Data Protection Officer (DPO) function to Data Privacy Services is an affordable and cost-effective way to stay compliant without increasing overhead costs. Our certified DPOs help you avoid conflicts of interest — a common issue in education settings where roles like governors or headteachers cannot legally act as DPOs.
Since the DPO role is rarely full-time, outsourcing allows you to engage a qualified, part-time DPO on flexible terms while still benefiting from expert guidance. You’ll also gain access to additional resources, including our wider team of consultants, staff training, Dark Web monitoring, and cybersecurity solutions — ensuring complete protection for your school or institution’s data.