GDPR for Small Organisations

Small organisations don’t need to apply a sledgehammer approach

GDPR for Small Organisations

In the final run-up to the 25 May deadline most of us now receive multiple GDPR emails on a daily basis, reflecting the fact that many organisations have opted for ‘consent’ as the lawful basis for processing personal data. Consent is a conservative option because it is clearcut and provides an organisation with more leeway in how it uses the data. However, consent is only one of six lawful bases for processing personal data under GDPR. If your organisation holds data as part of a contract for core services and does not use the data for other purposes, you may not need to rely on consent.

The downside of consent is that it involves sending out a consent request, usually via e-mail, to everyone whose personal data you hold. This is fine if you have a current database and direct mail application such as MailChimp, but not so good for organisations that are more manually based.

Clubs and societies, for example, generally only collect personal information when someone joins as a member and pays a subscription, and use the information in connection with membership activities, hence in our opinion the ‘contract’ basis of lawful processing is likely to be applicable. This avoids the organisation having to separately contact all individuals to obtain additional consent. Taking a common sense approach, membership is in effect a form of contract, and it would be unworkable for an association not to keep a record of its members.

A final point on exemptions. Large organisations are required to appoint a Data Protection Officer; in most cases this does not apply to clubs and societies. Additionally, under the Data Protection Act 1998 individuals and organisations that process personal data need to register with the Information Commissioner’s Office (ICO). Under GDPR, it’s likely that the exemption that applies to not-for-profit organisations that processes personal data solely for membership purposes will still be valid (see

In summary, to be compliant with the GDPR legislation, as a minimum a small organisation needs to: publish a Privacy Policy, which outlines the extent of personal data collected and how it is used; adopt a high-level set of Procedures and Controls; and review its activities from time to time (eg annually) to confirm compliance.