Data Protection and GDPR for Charities in an AI Enabled World

Data protection and GDPR have always been challenging for charities and the explosion in the use of AI brings very real new and additional data protection and UK GDPR risks for charities.  There are the immediate and perhaps more obvious data protection risks in people using AI such as ChatGPT but arguably bigger and less obvious risks that will arise as charities connect AI to their CRM, client and other data sets.

This AI data protection checklist for charities will enable you to assess what you need to do, whether you are buying, building or commissioning/funding a charity AI system.  The FAQs at the end explain some of the technical terms used.

We have published a suite of free charity AI services, tools and frameworks, insight briefings, guides and training, which you can find here, including our Charity AI Design Guidelines.

Data Protection for Charities - What Are the AI Risks?

The AI data protection risks will obviously depend on your charity, the AI system it will use and what and how these will be used.  However, the data protection risks for charities, in connecting AI to their data, include ensuring compliance with UK GDPR regulations, identifying and addressing potential biases in datasets, maintaining data accuracy and integrity, and fostering diversity and inclusion in data representation. Here are the 2 key risks we think most charities should consider.

• Data Protection Compliance.  The integration of AI with charity data, in CRMs and other systems, increase charities' risks in complying with the UK Data Protection Act.
• Bias and Fairness.  AI algorithms are susceptible to bias, which can perpetuate or exacerbate existing inequalities and charity data sets may include biases that could lead to unfair outcomes or discrimination.

If you wish to consider the wider risks AI creates for charities, here's our Charity AI Risk Register. The next sections provide a range of AI data risk management actions your charity may wish to consider.

Data Protection for Charities - AI Checklist

• How Do We Ensure Existing Data Collection Is GDPR Compliant?  Review the types of data your charity collects from various sources, such as donor forms, participant registrations, and feedback surveys. Assess the relevance and necessity of each to ensure data protection compliance.  In particular, review your consent procedures to ensure these reflect the purposes to which sensitive personal data will be put and with whom it may be shared.
• How Do We Identify Potential Biases in Data?   Examine your data collection methods to identify any potential biases that may skew the representation of certain groups or overlook others. For example, if your charity primarily collects data from specific demographics, such as age or income brackets, it may not accurately reflect the diversity of your target audience. Be mindful of inclusivity and consider ways to capture a more representative sample.
• Why Should We Consider Data Cleansing and Compliance?  Consider data cleansing to remove duplicate entries, correct inaccuracies, and standardise formats. Ensure that your charity's data management practices are Data Protection Act compliant.
• How Do We Carry Out Anomaly Detection and Accuracy Testing?  Utilise statistical techniques or data visualisation tools to identify anomalies or outliers in your data set. Anomalies could indicate errors or irregularities that need to be addressed to maintain data accuracy.  You can find a whole range of free data visualisation tools using our Data Finder directory.
• What Is A Data Diversity and Inclusion Check?  Evaluate the diversity and inclusivity of your dataset to ensure that it adequately represents the individuals and communities your charity serves. Consider factors such as gender, ethnicity, age, and socio-economic background to ensure a balanced representation. The UK Data Protection Act emphasises the importance of fairness and transparency in data processing, requiring charities to consider the impact of their data practices on different groups.
• Why Carry Out External Data Validation?  Validate your data against external sources or industry benchmarks to verify its accuracy and reliability.
• What Data Protection Guidelines Are There?  The UK Information Commissioner's Office (ICO) provides guidance and resources to help charities comply with data protection regulations. Familiarise yourself with ICO guidelines and best practices for data management to ensure alignment with regulatory requirements.
• What About Expert Consultation?  For large charities, engage with internal and external experts, including data protection officers, legal advisors, and privacy specialists, to assess potential risks associated with your data processing activities.
• Should We Conduct a Data Protection Impact Assessment (DPIA)?  Carry out a DPIA, as required, to help to identify and mitigate risks early in the project lifecycle, ensuring compliance with regulatory standards.
• Why Are Continuous Monitoring and Compliance Updates Important?  Implement regular monitoring and review processes to assess your data management practices and ensure ongoing compliance with data protection regulations. Stay informed about updates to the UK Data Protection Act and ICO guidelines, and adjust your data management policies and procedures accordingly.

Additional Actions - AI Systems

• Algorithm Transparency and Explainability. 
  • Ensure transparency and explainability in AI algorithms to foster trust and accountability.
  • Document the decision-making process of AI models, disclose potential biases or limitations, and provide explanations for outcomes to stakeholders.
• Bias Mitigation Techniques.    
  • Implement bias mitigation techniques, such as algorithmic fairness measures and diversified training data, to reduce the risk of biased outcomes.
  • Regularly audit AI systems for biases and recalibrate algorithms as needed to promote fairness and equity.
  • Collaborate with experts in AI ethics and fairness to develop robust mitigation strategies tailored to the charity's specific needs.

Additional AI Data Protection Actions For Charities

• Staff Training and Awareness. 
  • Provide training to staff and volunteers on data protection regulations and, if needed, AI ethics, and bias mitigation strategies.
  • Foster a culture of data literacy and ethical AI usage within the charity to empower people to make informed decisions and contribute to responsible AI deployment.
  • Regularly update training materials to reflect evolving best practices and regulatory requirements.
• Stakeholder Engagement and Transparency. 
  • Engage with stakeholders, including donors, beneficiaries, and community partners, to solicit feedback and ensure transparency in AI initiatives.
  • Communicate openly about the charity's AI strategies, data practices, and ethical considerations to build trust and foster collaboration.
  • Incorporate stakeholder input into decision-making processes to align AI initiatives with the charity's mission and values.

You can download 40+ charity policies by logging in and chatting to the in-system AI bunny.  Our policies have been updated to reflect the impact of AI.

Data Protection - Emerging Technologies

The ICO Tech Horizons Report looks at emerging technologies over the next 2 to 7 years to help  developers to identify and manage data privacy issues when designing these systems.  The ICO believes that the following may have a particularly significant impact on the UK: genomics, immersive virtual worlds, neuro-technologies, quantum computing, commercial use of drones, personalised AI, next-generation search and central bank digital currencies.

AI Data Protection and UK GDPR for Charities - Regulatory Guidance

• Charity Commission E&W and other charity regulators - none as yet.
• ICO - Data Protection Impact Assessments (DPIAs).
• ICO - Artificial Intelligence (AI).
• ICO - Generative AI second call for evidence: Purpose limitation in the generative AI lifecycle.
• ICO - Generative AI first call for evidence: The lawful basis for web scraping to train generative AI models.

Everything You Need For Your Charity

A registered charity ourselves, we provide 8 online health checks, the huge information hub, Quality Mark and 3 online directories. It works for any non profit, not just charities.

• Funding Finder - with categories for Core Cost Funding and Small Charities & Community Groups.
• Help Finder – find anything for free, including companies that make financial donations and raffle prizes.
• Data Finder – for fundraising bids & research, impact reporting, planning and campaigning.

Plus, 100+downloadable funder lists, 40+ policies, 8 online health checks and the huge resource base.

Quick, simple and very effective. Nearly half our ratings are 10/10.

Find Funding, Free Help & Resources - Everything Is Free.

Register Now!

Data Protection for Charities AI Risks - FAQs

• What are anomalies and outliers in a dataset?  Anomalies or outliers in a dataset are like the odd ones out. They're data points that are very different from the rest.  These can sometimes be mistakes or errors, so it's important to decide if they're important or if these are errors that need to be corrected to ensure that data is accurate.
• What is AI algorithm transparency and explainability?  Algorithm transparency and explainability mean making it clear how an AI system (algorithm) works and why it makes certain decisions.  Transparency helps people trust the algorithm, and explainability helps them understand why it did what it did.
• What are AI algorithmic fairness measures?  Algorithmic fairness measures are like rules or checks used to make AI systems (algorithms) treat everyone fairly and equally.  These measures help to identify and remove any unfairness that might sneak into the decisions made by an AI system.
• What is AI bias mitigation?  AI bias mitigation is the process of reducing unfairness or discrimination in AI systems. It involves identifying and addressing biases that might exist in the data or algorithms used by AI systems.
• What is a data protection impact assessment (DPIA)?  A DPIA is process designed to help systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of your accountability obligations under the UK GDPR, and when done properly helps you assess and demonstrate how you comply with all of your data protection obligations.
• What is data protection high risk?   The UK GDPR is clear that whether something is high risk, or not, depends on both the likelihood and severity of any potential harm to individuals. ‘Risk’ implies a more than remote chance of some harm. ‘High risk’ implies a higher threshold, either because the harm is more likely, or because the potential harm is more severe, or a combination of the two.

This Article Is Not Professional Advice

This article was created, in part, using ChatGPT.  It is for general interest only and does not constitute professional legal or financial advice.  I'm neither a lawyer, nor an accountant, so not able to provide this, and I cannot write guidance that covers every charity or eventuality.  I have included links to relevant regulatory guidance, which you must check to ensure that whatever you create reflects correctly your charity’s needs and your obligations.  In using this resource, you accept that I have no responsibility whatsoever from any harm, loss or other detriment that may arise from your use of my work.  If you need professional advice, you must seek this from someone else. To do so, register, then login and use the Help Finder directory to find pro bono support. Everything is free.