Why you should know what the GDPR is – and what you can do NOW!

Be a fundraising GDPR superstar!

Dawn VarleyGuest blog by Purple Vision Associate Consultant, Dawn Varley – a self-professed ‘data geek’ and all round fundraising super-star – with a special interest in making data approachable and manageable.




On 14 April, European Parliament finally voted to accept the new rules and regulations that will shape data protection within the EU from 2018 onwards. We now have confirmation of what the much-talked about ‘changes to EU DP law’ – the General Data Protection Regulation (GDPR) look like, and can work to ensure they are adequately planned for.

The core components of consent, compliance and security shouldn’t come as any surprise – as these form the bedrock of the current EU, and corresponding UK, legislation.

That said, there are some key changes to be aware of, and whilst 2018 seems like an age away now is the time to get moving.   We all want to ensure not just compliance with the law, but to adopt best practice over and above it as a means of delivering excellent fundraising, and corresponding customer service to your supporters.

The time-frame also offers a great opportunity to incorporate a review of,  and plan of action for, the wider regulatory changes that have already or are due to come into effect in the next year.

But for now, let’s look at the core elements of the GDPR.


Consent remains very much a hot topic within the wider fundraising furore that has plagued the sector for the last year or so. But at its heart it could be argued to be very straight forward.  Existing Data Protection Act (DPA) and Privacy and Electronic Communications Regulations (PECR) laws focus on this, and the GDPR serves to reiterate the 4 conditions that need to be present in order for consent from supporters to be valid:

  1. Freely given – the person must give their consent without force, ie they have a choice, and do not have to give unnecessary details to undertake the transaction
  2. Informed – it must be clear to the person exactly what is being asked, why, and how they opt-in or out. Plain English is key.
  3. Specific – related to condition 2, the consent given will be specific to the processing stated at time of consent, and cannot unreasonably be changed later without further consent
  4. Positive action to indicate consent – the person must be required to do something to confirm they consent, ie by submitting a form or ticking a box. The absence of action cannot be used here.

A ‘right to be forgotten’ and a ‘right to object’ is also available for the supporter to invoke, and business processes must be able to recognise these rights, and cater for the subsequent removal of consent. Existing consent obtained from supporters will still be valid as long as the 4 conditions above are deemed to be met, so there is no starting point of a need to reconfirm with people to get consent.


Thinking again of the traumatic year that charities have had, compliance has been highlighted as a key area where lack of attention has caused major problems.  It is not enough to state that you comply with the DPA in the data protection statements you use – you must understand what it is, what is requires you to do – and then do it. Likewise the Institute of Fundraising Code of Fundraising Practice – it is not enough to simply be a member and the ethos of the Code must be present in all you do.

The GDPR brings in changes to compliance at two key levels:

  • Firstly, by rolling out the need to comply with regulations at data processor as well as data controller level, which means a charity using the services of a supplier must ensure they comply with regulations in the same way the charity does. One way to do this is to ensure this is contractually stated, and then checked on, by the charity.
  • Secondly, stricter financial penalties will apply, with much steeper fines available to punish failure to abide by the GDPR. Up to 4% of annual turnover could be at risk at the top end of the scale.


‘Privacy by design’ should be embedded in all business processes which collect and manage data, and also in the systems that store and process it. Security cannot be an afterthought retrospectively applied to a process or system, and so a culture change as to how data management is approached may be required.  The transfer of data outside the EU, and ensuring that supporters are adequately aware of where  their data will be managed, and why, receives more emphasis, and so attention to what suppliers are doing, how and where, is again highlighted.

What should non-profits do now?

Although the GDPR won’t come into effect until 2018, the two years from now until then should be looked at as a great opportunity for audit, review and process change.

As such, organisations need to look at a project team of the right people to review this across the organisation – data protection officer, fundraising, IT, data teams, communications and marketing, operational teams who use data, perhaps even HR and finance.

Most organisations will be best placed to start with an audit across all their data (where, who, how, when, why?) and build a plan of action to consider these new elements and how they’ll respond.

We consider the key areas of this may be:

  • Logistics of consent – from ask to coding and storage, to how it is accessed for selections and suppressions. CRM is going to be critical to this and recording response sign up, storage and in making selections, too.
  • Compliance with compliance – where are the gaps in your team considering what you know now? There will be more to come but do you need to look at a data champions programme, formal training, internal comms programmes or another route to ensure you all know what you need to know and can comply
  • Security review – what existing processes are in place, what needs to be in place and when, and how will you enact that plan?

Also key to success with this transition is understanding that the project will end, but the principle doesn’t – embed respect for consent, and understanding for it, in your organisation. Training, refreshers, documentation and champions can all ensure you stay ahead of the game, and do build in a bi-yearly review to check on any issues/concerns.

Don’t lose sight of why

The principle of why this is being done and new regulation is required is important – it’s easy to get bogged down in the day to day and lose sight of why.  This is about data protection and fundraising being trusted by individuals, supporters, clients, staff and constituents.  It’s in all our best interests to comply, not least because fines are more punitive than in previous regulatory cycles.   In the bigger picture, this is a recognition for all of us as consumers that the world we live in now is fast moving and ever changing – we shop across borders, travel across borders, donate across borders – and having multiple data rules in different jurisdictions which are hard to enforce is not in our best interests.

Keep it simple, superstars! 

Employ the KISS principle and do keep it simple in terms of the matter at hand, and your response. The main issue for fundraising is consent, and this is about treating people, and their data, fairly and securely, and as a two way relationship. Put yourself in your supporter’s shoes –  how would you want your data to be treated?

The GDPR gives a great starting point. If you look to review how you stack up to that now, work towards it, and come 2018 you’ll be in a great place. Build in the requirements of the existing and emerging fundraising regulations, and you’ll stay well ahead of the game. And if you’re wondering if all this will be relevant if Brexit becomes a reality, then yes, it will, as the UK will want to match EU requirements to stay in the trade game, so don’t use the forthcoming referendum as an excuse to do nothing.

How Purple Vision can help

Purple Vision can help with every aspect of a project like this – from leading the project for you, to offering specific advice and consultancy services on data, systems and other factors.  Drop us a line via email ([email protected]) or via 0845 458 0250 and ask us more.

The Grand GDPR Resource Library

The following links cover the wider legal and regulatory framework at play, as well as the GDPR developments:


3 reasons why we’re ramped up to be at the Salesforce World Tour London

“World Tour date is set”, my contact at Salesforce told me.  The first thing I did, aside from promising to write a blog, is tell all my colleagues so we could all get registered.

The Salesforce World Tour is an annual must-attend for the whole Purple Vision team and one of the rare days we’re all out of the office doing the same thing.  We’re interested in what’s new and exciting in Salesforce and checking out the developments, case studies on show and product demos.  We split the sessions between us and make sure we get as much information as possible.  So it’s a day for our learning – personally and for our business too.  Understandable, perhaps, as we’re Salesforce.org Impact Partners so are invested in the community already.

It’s also a great time for us to catch up with our clients and share some time with them. We always invite the non-profits we’re working with so they can catch up with what could be next for them, learn some practical tips and tricks and meet other users.   For our prospects, it’s a chance to learn more about the platform and tools we’re suggesting they adopt and see for themselves why we keep saying ‘awesome’ a lot.  Everyone quickly learns that it’s infectious rather than an affliction.

It’s good to be on hand for clients and prospective clients visiting the World Tour, especially for the first time.  There is so much going on it can feel overwhelming if you’re not just a tiny bit prepared.   So in preparation for preparing our colleagues and guests, I asked some of the Purple Vision team what they were looking forward to this year.

The conclusion is that we’re pretty ramped up to be there, and there are three key reasons why.

2016 SF World Tour graphic

  1. I’ve heard the hype…  One of our colleagues is new and while she’s got the ‘creds’ (Salesforce qualifications are called credentials) has never been to World Tour event before.  She’s heard stories and is keen to see if they match the reality. We’re pretty confident they will.  The all-singing, all dancing keynote, raft of new stuff, presentations and case studies will surprise and delight in equal measure.  And when you need a time out, there’s always a drink somewhere close by (snacks, did I mention snacks yet?).  The challenge as I said up thread is seeing it all.
  2. Introducing the all-new. Our development team are extra keen to see what’s new.  I find it fascinating to see things we’ve been talking about as trends and concepts become real products and tools that we can use (donor journeys are good example here – we used to do these with bits of string, willpower and a spreadsheet, now we can use marketing automation tools like Pardot and the Marketing Cloud Journey Builder).  But it’s not just the shiny and new that’s interesting, it’s the updates and new features to the familiar that matter too.  There’s often a chance to get your hands on tools and have a bit of a play and a look.  And how are other people using the products and tools?  Case studies offer us inspiration that we can take home and apply when we’re back behind the desk.  We’re quite excited by the non-profit stream this year which includes the RNIB talking about how they’re using Salesforce apps in some quite clever, life changing ways.  I heard mention of Augmented Reality ….  I also heard there may be puppies in the keynote, but might have been wishful thinking.
  3. People, people, people. Salesforce community is more than a product. Salesforce attracts great people and you can meet these people – be they Salesforce staff and partners, fellow Salesforce users, people checking it out but not using it yet, super-admins, developers and the tech teams that build and work with the tool.  The enthusiasm you will feel from the community around the cloud will leave you feeling charged up and ready to roll. If the idea of networking gives you a bit of a cold shiver, panic not.  You have never met a friendlier bunch of people and pretty much everyone is up for having a chat.

We’re all registered and ready for May 19th at Excel and looking forward to seeing you there too

Register: https://www.salesforce.com/uk/events/details/london/

Ps One final reason just from me.  Last year, I got to meet SaaSy – the no software cloud – in person. You’ve made it as far as I am concerned when you’ve got a picture with Sassy for your social feed and I need to better last year’s pic !


Trustees with pom-poms

Philip Roethenbaugh, a skilled fundraiser and our expert/go-to Associate Consultant for fundraising services shares his considerable knowledge with fundraisers via a series of blogs. This is the third blog in his series. 

Trustees with pom-poms: How to bring out the best in your ‘overlords’

The last article I read on trustees was a bit like a Spotter’s Guide to Rare Birds.

There were descriptions of the pecking ‘Critic’, the deafening ‘Know-it-all’, the shy ‘Quorate’ (just-making-up-the-numbers) and the ‘looking-backer’ with a memory like an elephant. You get the idea. Lots of fun, but not that helpful really.

Perhaps becoming a trustee myself, a few years ago, changed my point of view.  Suddenly, I became a lot more tolerant and understanding of my own trustees when I was doing my day job.  I now had the advantage of knowing what if feels like having to make life-changing decisions with scant information. Or to be more honest – having scan-read an excellent report by the CEO moments earlier in the car park.

The mode trustees operate in can and should flex from meeting to meeting and moment to moment, based on need.

For example, they may need to play the role of

  • Border Guard – enforcing boundaries
  • Ambassador – pressing the flesh at the gala dinner
  • Inspector – holding the Executive to account.

But the default position, in my view, should be

  • Cheerleader – close your eyes for just a minute and imagine your trustees with pom-poms in hand, going rah-rah-rah on the touchline.  Nice idea, isn’t it?  I am not saying trustees should give the CEO and staff an easy ride and praise them unceasingly. But their highest calling should be to encourage and support.

How do you bring these qualities to the fore in your Board?

What’s the driver?

My key advice is to understand what really matters to them, what motivates them to give up all this time for your cause.

Just like ‘normal people’, trustees have an iceberg quality to them – most of what there is to know is way below the surface. People become trustees for a very wide range of reasons. Getting to know your trustees outside of formal meetings is an essential way to unpack some of that. I don’t mean spending hours in the pub (although there’s nothing wrong with that).  It could be spending time with them, visiting a project. I’ve found in the past that long drives present a great time to talk honestly – in part, because there’s less need for eye contact and it feels less like an interview or confrontation.

Knowing what your trustees really care about helps you to frame your communications with them – written and verbal.  There is little point focusing on an area that means nothing to them – finding shared interests offers them a way to become your supporter.

Managing Expectations

Clearly defining what is expected of trustees also goes a long way to avoiding bad habits developing.  The Charity Commission have some excellent resources on the subject.  Beyond the legal obligations, the battle ground then becomes what sits under the ‘executive’ responsibilities and what sits under ‘governance’.

Sometimes it is black and white, but more often there are shades of grey and collaboration is essential.

NB – I have a useful diagram about that and will send your a copy if you ask nicely.

Read body language and react

This is a really useful bit of advice I have been benefiting from for years.

It’s a tell-tale bit of body language that lets you know someone is flexing their authority – Resting Hands Behind the Head with Elbow Jutting Out.  I call it the ‘Cormorant’ (Google for a picture). It’s usually interpreted as a sign of superiority or big-headedness, but it’s not quite as simple as that. It is certainly more common from middle-aged male chairs than any other category of person I’ve ever met or worked with.  In any case, when spotted, I wouldn’t quite say that you should disregard everything the person then goes on to say, but it certainly should set off alarm bells. If the chair and the CEO start doing it at the same time, it’s best to duck for cover!  And perhaps suggest a quiet drink so you can start the process of assessing interests and areas of activity that will have them waving pom-poms for you rather than causing major issues.

In short, poor relations between the CEO, Executive Team and the Trustees can be the quickest way to ruin an otherwise fantastic organisation – we can all think about organisations where this may be the case – either through direct experience or confidential conversations with charity-based colleagues.

Don’t let things fester.

Get expert support to help build a culture of cooperation and cohesion and have your ‘overlords’ waving pom-poms and supporting you every step of the way.

Some recommended further reading:

For a copy of Phillip’s grey areas diagram (described above) please email [email protected] referencing this blog.

About Purple Vision & Fundraising

Purple Vision has a long pedigree of fundraising – we say it’s part of our DNA.  Our expertise is in the intersection between fundraising and technology – translating both specialist areas into practical solutions.  But behind that is our vision to support charities to set the right direction and strategy to achieve their goals – on a day to day, weekly and monthly basis, as they stride towards achieving the big, hairy, audacious goal that is your vision and mission.   Our fundraising consultancy services cover a wide range of areas from the strategic and visionary to the practical and data driven. Our expert team speak fluent non-profit and are on hand to share their expertise as you need it.  Get in touch if you’d like to know more.