Be a fundraising GDPR superstar!
On 14 April 2016, the European Parliament finally voted to adopt the new rules that will govern data protection within the EU from 25 May 2018 onwards. We now have confirmation of what the much-talked-about ‘changes to EU DP law’, the General Data Protection Regulation (GDPR), actually look like, and can work to ensure they are adequately planned for.
The core components of consent, compliance and security shouldn’t come as any surprise – as these form the bedrock of the current EU, and corresponding UK, legislation.
That said, there are some key changes to be aware of, and whilst 2018 seems like an age away, now is the time to get moving. We all want to ensure not just compliance with the law, but to adopt best practice over and above it as a means of delivering excellent fundraising, and correspondingly excellent customer service, to your supporters.
The time-frame also offers a great opportunity to incorporate a review of, and plan of action for, the wider regulatory changes that have already come into effect or are due to in the next year.
But for now, let’s look at the core elements of the GDPR.
Consent remains very much a hot topic within the wider fundraising furore that has plagued the sector for the last year or so. But at its heart it could be argued to be very straightforward. The existing Data Protection Act (DPA) and Privacy and Electronic Communications Regulations (PECR) already focus on this, and the GDPR reiterates the four conditions that must all be present for consent from supporters to be valid:
- Freely given – the person must give their consent without pressure, i.e. they have a genuine choice, and consent is not a condition of a transaction that does not need it
- Informed – it must be clear to the person exactly what is being asked, why, and how they opt in or out. Plain English is key.
- Specific – related to condition 2, the consent given covers only the processing stated at the time of consent, and cannot reasonably be extended to other purposes later without further consent
- Positive action to indicate consent – the person must actively do something to confirm they consent, e.g. by submitting a form or ticking a box. Silence, inactivity or a pre-ticked box cannot be relied on.
A ‘right to be forgotten’ and a ‘right to object’ are also available for the supporter to invoke, and business processes must be able to recognise these rights and cater for the subsequent removal of consent; withdrawing consent must be as easy as giving it. Existing consent obtained from supporters will still be valid as long as it meets the four conditions above, so there is no blanket need to go back and reconfirm consent with everyone, though records that fail any one of the conditions will need to be reconfirmed or not used.
Thinking again of the traumatic year that charities have had, compliance has been highlighted as a key area where lack of attention has caused major problems. It is not enough to state that you comply with the DPA in the data protection statements you use – you must understand what it is and what it requires you to do, and then do it. Likewise with the Institute of Fundraising Code of Fundraising Practice: it is not enough simply to be a member; the ethos of the Code must be present in all you do.
The GDPR brings in changes to compliance at two key levels:
- Firstly, by placing obligations directly on data processors as well as data controllers, which means a charity using the services of a supplier must ensure the supplier complies with the regulations in the same way the charity does. A written contract setting out what the processor may do with the data is required, and the charity should then check that the supplier is actually honouring it.
- Secondly, stricter financial penalties will apply, with much steeper fines available to punish failure to abide by the GDPR. At the top end of the scale, fines of up to 4% of annual worldwide turnover (or €20 million, whichever is higher) could be at risk.
‘Privacy by design’ should be embedded in all business processes which collect and manage data, and also in the systems that store and process it. Security cannot be an afterthought retrospectively applied to a process or system, so a culture change in how data management is approached may be required. The transfer of data outside the EU, and ensuring that supporters are adequately aware of where their data will be managed and why, receives more emphasis, so attention to what suppliers are doing, how and where, is again highlighted.
What should non-profits do now?
Although the GDPR won’t apply until May 2018, the two years from now until then should be looked at as a great opportunity for audit, review and process change.
As such, organisations need to look at a project team of the right people to review this across the organisation – data protection officer, fundraising, IT, data teams, communications and marketing, operational teams who use data, perhaps even HR and finance.
Most organisations will be best placed to start with an audit across all their data (where, who, how, when, why?) and build a plan of action to consider these new elements and how they’ll respond.
We consider the key areas of this may be:
- Logistics of consent – from the ask, to how it is coded and stored, to how it is accessed for selections and suppressions. Your CRM is going to be critical to this: recording the sign-up and its evidence, storing it, and making selections from it.
- Compliance with compliance – where are the gaps in your team, considering what you know now? There will be more to come, but do you need to look at a data champions programme, formal training, internal comms programmes or another route to ensure you all know what you need to know and can comply?
- Security review – what existing processes are in place, what needs to be in place and when, and how will you enact that plan?
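To show what the ‘logistics of consent’ look like once the four conditions and the right to object are turned into CRM rules, here is an added worked example; it is not Purple Vision’s code or any particular CRM’s, and the field names, purposes, channels and sample supporters are all assumptions constructed for illustration. It records each consent with its evidence, treats only a positive action as valid, lets a later objection suppress earlier consent (and a later re-consent override an earlier objection), and separates supporters who can be contacted from those whose only record fails a condition and so needs reconfirming.

```python
"""Consent ledger and campaign selection (added example, not the page's own code).

Assumes a simple in-memory CRM model. Field names, purposes, channels and the
sample supporters are constructed for illustration and are not real data.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Evidence of a positive action. Pre-ticked boxes and silence are not consent.
POSITIVE_ACTIONS = {"ticked_box", "submitted_form", "verbal_confirmed"}


@dataclass
class ConsentEvent:
    purpose: str          # e.g. "fundraising_appeals"; must be specific, not "any"
    channel: str          # e.g. "email", "post", "phone"
    action: str           # how consent was indicated (see POSITIVE_ACTIONS)
    statement: str        # the plain-English wording shown at the point of ask
    freely_given: bool    # consent was not a condition of an unrelated transaction
    given_at: datetime


@dataclass
class Withdrawal:
    purpose: str          # "*" = objection to all marketing / request for erasure
    channel: str          # "*" = all channels
    at: datetime


@dataclass
class Supporter:
    supporter_id: str
    consents: list = field(default_factory=list)
    withdrawals: list = field(default_factory=list)


def consent_is_valid(ev: ConsentEvent) -> bool:
    """Apply the four conditions: freely given, informed, specific, positive action."""
    informed = bool(ev.statement.strip())
    specific = ev.purpose not in ("", "*", "any") and ev.channel not in ("", "*", "any")
    positive = ev.action in POSITIVE_ACTIONS
    return ev.freely_given and informed and specific and positive


def _matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def has_live_consent(s: Supporter, purpose: str, channel: str) -> bool:
    """True if the latest valid consent for purpose/channel postdates any covering withdrawal."""
    valid = [c for c in s.consents
             if c.purpose == purpose and c.channel == channel and consent_is_valid(c)]
    if not valid:
        return False
    latest = max(c.given_at for c in valid)
    objected = [w.at for w in s.withdrawals
                if _matches(w.purpose, purpose) and _matches(w.channel, channel)]
    return not objected or max(objected) < latest


def select_for_campaign(supporters, purpose: str, channel: str):
    """Return (selected_ids, review_ids).

    selected: supporters with live, valid consent for this purpose and channel.
    review:   supporters who hold a record for it, but none that meets the four
              conditions, so consent must be reconfirmed before contact.
    Anyone who objected, or was never asked, is simply suppressed.
    """
    selected, review = [], []
    for s in supporters:
        records = [c for c in s.consents if c.purpose == purpose and c.channel == channel]
        if has_live_consent(s, purpose, channel):
            selected.append(s.supporter_id)
        elif records and not any(consent_is_valid(c) for c in records):
            review.append(s.supporter_id)
    return selected, review


def sample_supporters():
    """Constructed sample data for the example; not real supporters."""
    t0, t1, t2 = datetime(2015, 6, 1), datetime(2016, 3, 1), datetime(2016, 4, 1)
    ask = "We'd like to email you about our appeals. Tick the box to say yes."
    alice = Supporter("S001", [ConsentEvent("fundraising_appeals", "email", "ticked_box", ask, True, t0)])
    bob = Supporter("S002", [ConsentEvent("fundraising_appeals", "email", "pre_ticked_box", ask, True, t0)])
    carol = Supporter("S003", [ConsentEvent("fundraising_appeals", "email", "submitted_form", ask, True, t0)],
                      [Withdrawal("*", "*", t1)])                     # objected to everything
    dave = Supporter("S004", [ConsentEvent("fundraising_appeals", "email", "ticked_box", ask, True, t0),
                              ConsentEvent("fundraising_appeals", "email", "ticked_box", ask, True, t2)],
                     [Withdrawal("fundraising_appeals", "email", t1)])  # objected, then re-consented
    return [alice, bob, carol, dave]


if __name__ == "__main__":
    print(select_for_campaign(sample_supporters(), "fundraising_appeals", "email"))
```

Running it selects S001 and S004 (S004’s re-consent is later than the objection), suppresses S003 outright, and puts S002 on the review list because a pre-ticked box is not a positive action. The point of keeping the statement text and action type on each record is that the audit trail for “why were we allowed to contact this person?” is then answerable from the CRM rather than from memory.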
Also key to success with this transition is understanding that the project will end, but the principle doesn’t – embed respect for consent, and understanding of it, in your organisation. Training, refreshers, documentation and champions can all ensure you stay ahead of the game, and do build in a bi-yearly review to check on any issues or concerns.
Don’t lose sight of why
The principle behind why this is being done and why new regulation is required is important – it’s easy to get bogged down in the day to day and lose sight of it. This is about data protection and fundraising being trusted by individuals, supporters, clients, staff and constituents. It’s in all our best interests to comply, not least because fines are more punitive than in previous regulatory cycles. In the bigger picture, this is a recognition for all of us as consumers that the world we live in now is fast moving and ever changing – we shop across borders, travel across borders, donate across borders – and having multiple data rules in different jurisdictions which are hard to enforce is not in our best interests.
Keep it simple, superstars!
Employ the KISS principle and do keep it simple in terms of the matter at hand, and your response. The main issue for fundraising is consent, and this is about treating people, and their data, fairly and securely, and as a two way relationship. Put yourself in your supporter’s shoes – how would you want your data to be treated?
The GDPR gives a great starting point. If you review how you stack up against it now and work towards it, then come 2018 you’ll be in a great place. Build in the requirements of the existing and emerging fundraising regulations, and you’ll stay well ahead of the game. And if you’re wondering whether all this will still be relevant if Brexit becomes a reality, then yes, it will, as the UK will want to match EU requirements to stay in the trade game, so don’t use the forthcoming referendum as an excuse to do nothing.
How Purple Vision can help
Purple Vision can help with every aspect of a project like this – from leading the project for you, to offering specific advice and consultancy services on data, systems and other factors. Drop us a line via email ([email protected]) or via 0845 458 0250 and ask us more.
The Grand GDPR Resource Library
The following links cover the wider legal and regulatory framework at play, as well as the GDPR developments:
- EU Reform of EU data protection rules
- ICO guide to Data Protection Act
- ICO Direct Marketing guidance
- ICO – DP Reform
- ICO charity-specific resources, including ‘Top 5 tips’ and a ‘Charity Sector Toolkit’
- Etherington Review
- IoF Code of Fundraising Practice
- IoF ‘treating donors fairly’
- Charity Commission ‘Charities and Fundraising (CC20)’ – Note – currently under review following consultation and a new version due Spring 2016
- Fundraising Regulator
- Fundraising Preference Service – no specific resource/website as yet. Watch sector press for developments