Implementing GDPR in the Charity Sector: A Case Study

  • Jane Henriksen-BulmerEmail author
  • Shamal Faily
  • Sheridan Jeary
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 547)


Due to their organisational characteristics, many charities are poorly prepared for the General Data Protection Regulation (GDPR). We present an exemplar process for implementing GDPR and the DPIA Data Wheel, a DPIA framework devised as part of the case study, that accounts for these characteristics. We validate this process and framework by conducting a GDPR implementation with a charity that works with vulnerable adults. This charity processes both special category (sensitive) and personally identifiable data. This GDPR implementation was conducted and devised for the charity sector, but can be equally applied in any organisation that need to implement GDPR or conduct DPIAs.


Privacy Case study General Data Protection Regulation GDPR Contextual Integrity Privacy risk Data Protection Impact Assessment DPIA 



This work was funded by the Bournemouth University Charity Impact Funding scheme at Bournemouth University.


  1. 1.
    Bamberger, K.A., Mulligan, D.K.: Privacy on the Ground: Driving Corporate Behaviour in the United States and Europe. The MIT Press/Massachusetts Institute of Technology, London (2015)CrossRefGoogle Scholar
  2. 2.
    Barth, A., Anupam, D., Mitchell, J.C., Nissenbaum, H.F.: Privacy and contextual integrity: framework and applications. In: 2006 Symposium on Security and Privacy [Serial Online], vol. 2006, pp. 184–198. IEEE Xplore Digital Library, Ipswich (2006). Cited by 0
  3. 3.
    Bruner, J.S.: Actual Minds. Possible Worlds. Harvard University Press, Cambridge (1986). [Electronic resource]Google Scholar
  4. 4.
    BS ISO 31000:2009: British standards document BS ISO 31000:2009: Risk management. Principles and guidelines. Technical report, British Standard and the International Organization for Standardization (ISO) (2009)Google Scholar
  5. 5.
    Care Quality Commission (CQC): Care Quality Commission (2018).
  6. 6.
    Conley, A., Datta, A., Helen, N., Sharma, D.: Sustaining privacy and open justice in the transition to online court records: a multidisciplinary inquiry. Maryland Law Rev. 71(3), 772–847 (2012)Google Scholar
  7. 7.
    Darakhshan, J., Shvartzshnaider, Y., Latonero, M.: It takes a village: a community based participatory framework for privacy design. In: 2018 IEEE European Symposium on Security and Privacy Workshops, EUROSPW, pp. 112–115 (2018)Google Scholar
  8. 8.
    Demirci, A.E.: Change-specific cynicism as a determinant of employee resistance to change. Is, Guc: J. Ind. Relat. Hum. Resour. 18(4), 1–20 (2016)Google Scholar
  9. 9.
    European Parliament and the Council of Europe: General data protection regulation (GDPR). Regulation (EU) 2016/679 5419/1/16. European Parliament and the Council of Europe, Brussels, April 2016Google Scholar
  10. 10.
    Grodzinsky, F.S., Tavani, H.T.: Privacy in “the cloud”: applying Nissenbaum’s theory of contextual integrity. SIGCAS Comput. Soc. 41(1), 38–47 (2011)CrossRefGoogle Scholar
  11. 11.
    Hall, D.C.: Making risk assessments more comparable and repeatable. Syst. Eng. 14(2), 173–179 (2011)CrossRefGoogle Scholar
  12. 12.
    Henriksen-Bulmer, J., Faily, S.: Applying contextual integrity to open data publishing. In: Proceedings of the 31st British HCI Group Annual Conference on People and Computers: Digital Make Believe. British Computer Society (2017)Google Scholar
  13. 13.
    ICO: Preparing for the general data protection regulation (GDPR): 12 steps to take now. Technical report, V2.0 20170525, Information Commissioner’s Office, May 2017Google Scholar
  14. 14.
    ICO: Data protection impact assessments (DPIAs) (2018)Google Scholar
  15. 15.
    ICO: General data protection regulation (GDPR) FAQs for charities (2018).
  16. 16.
    ISO/IEC 29100: BS ISO/IEC29100: Information technology – security techniques – privacy framework. Technical report, British Standard and the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) (2011)Google Scholar
  17. 17.
    Krupa, Y., Vercouter, L.: Handling privacy as contextual integrity in decentralized virtual communities: the privacias framework. Web Intell. Agent Syst. 10(1), 105–116 (2012)Google Scholar
  18. 18.
    Mulligan, D.K., Koopman, C., Doty, N.: Privacy is an essentially contested concept: a multi-dimensional analytic for mapping privacy. Philos. Trans. Ser. A Math. Phys. Eng. Sci. 374(2083), 20160118 (2016)CrossRefGoogle Scholar
  19. 19.
    National Drug Evidence Centre: National drug treatment monitoring system (NDTMS) (2018)Google Scholar
  20. 20.
    Nissenbaum, H.: Privacy as contextual integrity. Wash. Law Rev. 79(1), 119–158 (2004)Google Scholar
  21. 21.
    Nissenbaum, H.F.: Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford Law Books, Stanford (2010)Google Scholar
  22. 22.
    NIST: Guide to protecting the confidentiality of personally identifiable information (PII). Technical Report, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, pp. 800–122 (2010)Google Scholar
  23. 23.
    NIST: Guide for conducting risk assessments. Technical Report SP 800-30, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, September 2012Google Scholar
  24. 24.
    Palen, L., Dourish, P.: Unpacking ‘privacy’ for a networked world. In: CHI-CONFERENCE, pp. 129–136 (2003)Google Scholar
  25. 25.
    Rooney, T., Lawlor, K., Rohan, E.: Telling tales: storytelling as a methodological approach in research. Electron. J. Bus. Res. Methods 14(2), 147–156 (2016)Google Scholar
  26. 26.
    Sanchez Abril, P., Levin, A., Del Riego, A.: Blurred boundaries: social media privacy and the twenty-first-century employee. Am. Bus. Law J. 49(1), 63–124 (2012)CrossRefGoogle Scholar
  27. 27.
    Sar, R.K., Al-Saggaf, Y.: Contextual integrity’s decision heuristic and the tracking by social network sites. Ethics Inf. Technol. 16(1), 15–26 (2013)CrossRefGoogle Scholar
  28. 28.
    Solove, D.J.: A taxonomy of privacy. Univ. Pennsylvania Law Rev. 154(3), 477–564 (2006)CrossRefGoogle Scholar
  29. 29.
    Warren, S.D., Brandeis, L.D.: The right to privacy. Harvard Law Rev. IV(5), 193–220 (1890)CrossRefGoogle Scholar
  30. 30.
    Westin, A.F.: Science, privacy, and freedom: issues and proposals for the 1970’s. Part I-the current impact of surveillance on privacy. Columbia Law Rev. 66(6), 1003–1050 (1966)CrossRefGoogle Scholar
  31. 31.
    Data protection act 2018, May 2018.
  32. 32.
    Yin, R.K.: Case Study Research : Design and Methods. SAGE, Los Angeles (2013)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  • Jane Henriksen-Bulmer
    • 1
    Email author
  • Shamal Faily
    • 1
  • Sheridan Jeary
    • 1
  1. 1.Bournemouth UniversityPooleUK

Personalised recommendations