If you work in the third sector, you're probably aware that on 25 May 2018 the toughest privacy law in European business history - the General Data Protection Regulation (GDPR) - comes into effect. A great deal of misinformation has been published online about how certain aspects of the GDPR will - and, importantly, won't - affect not-for-profit organisations, but charities have to comply with the new data legislation just as businesses do.
Managing concerns around data protection and marketing consent is nothing new for not-for-profit organisations. But once the GDPR comes into force, breaking the data protection legislation carries much stricter and higher financial penalties from the Information Commissioner's Office (ICO), in the range of €20 million or 4% of total worldwide annual turnover. Charities shouldn't be concerned only with the fines, however. If they fail to handle personal data correctly and a breach occurs, charities risk harming their relationships with supporters, which could lead to long-term reputational damage and a loss of trust from the donors they rely on.
With the goodwill of donors critical to fundraising, and many high-profile charities having previously come under fire for their questionable use of data, not-for-profit organisations need to get GDPR compliance right. Supporters certainly won't want to see their donated funds used to pay fines which could have been prevented, but compliance is also key to giving donors a great experience when they engage with their cause, and to communicating the work of the charity in a way that galvanises future support.
Building and maintaining a GDPR compliant fundraising database
The GDPR requirements will be felt throughout an organisation, affecting marketing, volunteer management, campaigning, fundraising and the keeping of service users' details on file - in short, anything which involves storing or processing the personal data of individuals (donors, employees, volunteers etc.). Large charitable organisations are therefore dealing with potentially hundreds of thousands of records, and these are arguably an NFP's most valuable asset, if managed correctly.
Here are a few things to be aware of when establishing and managing a GDPR compliant database:
- Despite several sources suggesting otherwise, explicit consent is required for all ongoing fundraising activities with existing and prospective donors. This means it's essential for charities to immediately undertake an active campaign to ensure explicit consent is obtained from Data Subjects. This consent has to be clear, unambiguous and consistent. Equally, the charity needs to be fully transparent about the intended processing of the data: what data they require, why, for how long, and with whom they will share it.
- Opt-in has to be entirely explicit, namely an empty box to be ticked, with wording stating that you wish to receive marketing material. Consider a separate tick box where you intend to share data with third parties.
- Opt-out remains the same. Following any form of communication, the Data Subject should always be given the ability to opt out. Keep in mind that this opt-out must be designed to negate everything they originally opted in to. So, if you have multiple brands but one opt-in, then the opt-out must cover all brands as well.
- All not for profit organisations will also need to develop ongoing processes and ensure adequate functionality is in place to manage these preferences in the long term, especially for those who no longer wish to be contacted.
- Currently, NFPs need to communicate once every 12 months with people on their database, but further guidance is expected with regards to the GDPR. A safe bet would be to communicate once every 6 months.
- In the past, data sharing between charities has been used to market to potential and actual charitable donors. This has been frowned upon for a while now, but data sharing is going to be a major problem post-May 2018. Any form of data sharing with other charities will have to be carried out within the explicit consent model.
- Charities will need to develop an organisation-wide approach, with the strategy agreed at board level and implementation of policies filtered through the senior management team, trustees, IT and marketing departments and volunteers. Suitable training should be provided with support for all employees involved, including volunteers, as the ICO treats them as employees from a Data Protection perspective.
- Even with the correct policies and procedures in place, it's clear that it's going to be virtually impossible to entirely avoid a breach. Should a breach occur, it's important to be proactive in reporting an incident to the ICO, and be able to demonstrate that your organisation has taken steps to mitigate risk at all points.
Anyone operating in the third sector should keep a very close eye on the ICO's website for further guidance over the coming months.
How will the GDPR impact the Fundraising Preference Service?
Created by the Fundraising Regulator - the independent regulator of charitable fundraising, established in 2015 - the Fundraising Preference Service (FPS) gives the public choice and control over the communications and fundraising requests they receive from charities. Under the GDPR, the FPS will effectively allow charities to validate consent against a pre-existing database. All charities in the UK will be obliged to check whether an individual has given consent to receive marketing material from that charity. Of course, there are very specific challenges from a record-keeping perspective when someone opts out of communications from a charity directly. How this will be updated and managed on the FPS system is yet to be seen.
Finding the opportunities
Given the huge impact on all systems and processes which are core to the running of a charitable organisation, it's not surprising that many working in this sector with responsibility for data compliance feel daunted by the task ahead. But the opportunities presented by this change shouldn't be overlooked. By acting now, adopting a compliant approach to consent and data protection, and clearly articulating it to existing and potential supporters, charities can help to rebuild the trust that may previously have been damaged.
Looking for a way forward?
Sytorus is one of the leading firms in data protection advice, working with NGOs and charities globally. We have experience of working with the top 20 NGOs in the world, have dozens of UK and Ireland charities as active clients, and are currently rolling out large-scale GDPR programmes for five leading not-for-profit organisations.
Sytorus provides lifecycle support, from assessing the current situation and identifying needs to - via our cloud-based SaaS product, Privacy Engine - managing the ongoing process of identifying and mitigating risk. Our approach is specifically designed to establish a working framework that rapidly brings an organisation up to a level where it can achieve all of the above in a practical and efficient manner.
If you’d like to find out how our lifecycle approach can help you to identify and manage risks across your organisation and provide a simple way of managing and mitigating these risks on an ongoing basis, contact our Dublin team on +353 (0)1 683 3314 or email email@example.com or contact the London team on 0207 936 9442 or email firstname.lastname@example.org.