Tag Archives: Data Analytics & Insight

Think customer, not data

Quite rightly, when we think about data, the first thing we think about is data protection.  Security. The laws and regulations which govern how we store and secure customer details, compliance with laws, directives and regulation – or the codes of best practice – that we use in storing and securing customer details.

Add a few strong passwords, find an organisational data protection officer, add a dose of corporate responsibility and the right personal approach and you’re safe.  Phew!

But as other more erudite articles on this theme show, it’s not *quite* as easy as all that.

We’d like to add another dimension to the debate.

Data = customer

Data is the word mentioned first in the phrase data protection.

We think it’s because it’s the most important part. But where does it come from?

Data comes from our customers.

Data is about customers.

How we treat data, and our responsibility to it, is a reflection of how we treat our customers.

Data – and data protection – is as much about user experience and customer care as it is technical systems and compliance.

You may call the people in your organisation different things – customers, partners, prospects, stakeholders …. The words don’t matter. The sentiment does.

Surely this is all just semantics? 

It’s much easier to be animated, interested and excited about people than it is about data.   It’s easier to think about data protection if you are applying people to the process – this is about our customer, what’s the right thing to do for them?

And as for doing the right thing by them – here’s our 5 point roadmap to help you keep on top of your data

Silo the data silos

At the risk of sounding patronising, it’s really hard to look after data when it’s all over the place.  Data silos are common in organisations – donations and enquiries in one place, website and social media date elsewhere, perhaps even data about members and their registration data kept somewhere else.  Never mind our personal preferences for spreadsheets a plenty.

Part of your organisations roadmap should include integration of data.  This may not happen overnight but it should be a priority for many reasons.

The very first of these is that you cannot properly manage and use your organisations data – or support your customers – if information about them is in multiple places.   The second of these is that you’re not using a full 360 view of your stakeholders to make decisions if your data is not integrated.  You may be missing key changes or trends.

If it’s not on your list, chances are it won’t happen

Data needs to be looked after.  There are tasks to be done to keep it clean and in tip top condition, useable, current and informative. Let’s be very realistic, unless you’re some kind of Super-Manager, it’s very hard to keep on top of absolutely everything, and inevitably some of the tasks which are not seen as urgent or vital to move forwards, will move down the priority list.

I’d urge you to make weekly, monthly, quarterly and annual tasks relating to your data a priority.  A very simple reason is that the time it takes to do the task will become greater the longer you leave it.

If someone has been making a basic data entry error for 6 months, that’s a lot more knitting to unpick than a month’s work.

Pragmatically, for many of us while we know data is important, data tasks could be some of the little jobs that make our heart sink (all jobs have them) and don’t fill us with excitement.  All the more reason to deal with it when it’s small!  Make sure your data tasks are on your priority list.

Be on hand to help, monitor and manage

There are those of us that get excited about databases and systems.  Then there are the rest of the organisation who kind of know there’s a system, might have to interact with it but are not quite sure of what it is or why.

Sharing insight across the organisation helps everyone understand the relevance and importance of what’s in the system and how it can help you with your shared vision.

It also highlights you to the organisation as the person who carries the mantle for it and people can approach you for guidance more easily.

A champion is also useful for new starters  helping them get started and look after data in the right way, right from the beginning.

Stay enthused

The landscape we work in changes all the time – new tech, new programmes, new opportunities.  Not all of these will be relevant to you, but it’s important to keep an eye on the trends, innovations and updates that take place.

Find a blog you trust (this one is a great start!), and just scan it every week or so.

Keep in touch with your implementation partner or vendor – some may offer ongoing training or updates for clients.

Find ways to keep up with the new, fresh and exciting so you maintain your enthusiasm data, your systems and approaches and it isn’t something else ‘to do’ but is something else to grow and develop.

Health checks

Just as you will occasionally seek medical advice if there’s something wrong, you can do the same with your CRM.  If you have an issue, call the partner who helped you install it – you may have sensibly bought some after sales support from them, or they may be able to offer this to you on an ad hoc basis.  Healthcare is about prevention as well as cure.

An investment in the health of your system will help keep it working smoothly – and if you don’t have the time or expertise to manage it in house, you will need to recognise and allocate an ongoing sum to seek the help you need.

You’ve invested a lot of time and money in the system; don’t forget to protect your asset.

Find out more

Purple Vision offers health-checks for Raiser’s Edge and Salesforce as well as support with data, analytics and CRM.  Contact us to find out more.




Why you should know what the GDPR is – and what you can do NOW!

Be a fundraising GDPR superstar!

Dawn VarleyGuest blog by Purple Vision Associate Consultant, Dawn Varley – a self-professed ‘data geek’ and all round fundraising super-star – with a special interest in making data approachable and manageable.




On 14 April, European Parliament finally voted to accept the new rules and regulations that will shape data protection within the EU from 2018 onwards. We now have confirmation of what the much-talked about ‘changes to EU DP law’ – the General Data Protection Regulation (GDPR) look like, and can work to ensure they are adequately planned for.

The core components of consent, compliance and security shouldn’t come as any surprise – as these form the bedrock of the current EU, and corresponding UK, legislation.

That said, there are some key changes to be aware of, and whilst 2018 seems like an age away now is the time to get moving.   We all want to ensure not just compliance with the law, but to adopt best practice over and above it as a means of delivering excellent fundraising, and corresponding customer service to your supporters.

The time-frame also offers a great opportunity to incorporate a review of,  and plan of action for, the wider regulatory changes that have already or are due to come into effect in the next year.

But for now, let’s look at the core elements of the GDPR.


Consent remains very much a hot topic within the wider fundraising furore that has plagued the sector for the last year or so. But at its heart it could be argued to be very straight forward.  Existing Data Protection Act (DPA) and Privacy and Electronic Communications Regulations (PECR) laws focus on this, and the GDPR serves to reiterate the 4 conditions that need to be present in order for consent from supporters to be valid:

  1. Freely given – the person must give their consent without force, ie they have a choice, and do not have to give unnecessary details to undertake the transaction
  2. Informed – it must be clear to the person exactly what is being asked, why, and how they opt-in or out. Plain English is key.
  3. Specific – related to condition 2, the consent given will be specific to the processing stated at time of consent, and cannot unreasonably be changed later without further consent
  4. Positive action to indicate consent – the person must be required to do something to confirm they consent, ie by submitting a form or ticking a box. The absence of action cannot be used here.

A ‘right to be forgotten’ and a ‘right to object’ is also available for the supporter to invoke, and business processes must be able to recognise these rights, and cater for the subsequent removal of consent. Existing consent obtained from supporters will still be valid as long as the 4 conditions above are deemed to be met, so there is no starting point of a need to reconfirm with people to get consent.


Thinking again of the traumatic year that charities have had, compliance has been highlighted as a key area where lack of attention has caused major problems.  It is not enough to state that you comply with the DPA in the data protection statements you use – you must understand what it is, what is requires you to do – and then do it. Likewise the Institute of Fundraising Code of Fundraising Practice – it is not enough to simply be a member and the ethos of the Code must be present in all you do.

The GDPR brings in changes to compliance at two key levels:

  • Firstly, by rolling out the need to comply with regulations at data processor as well as data controller level, which means a charity using the services of a supplier must ensure they comply with regulations in the same way the charity does. One way to do this is to ensure this is contractually stated, and then checked on, by the charity.
  • Secondly, stricter financial penalties will apply, with much steeper fines available to punish failure to abide by the GDPR. Up to 4% of annual turnover could be at risk at the top end of the scale.


‘Privacy by design’ should be embedded in all business processes which collect and manage data, and also in the systems that store and process it. Security cannot be an afterthought retrospectively applied to a process or system, and so a culture change as to how data management is approached may be required.  The transfer of data outside the EU, and ensuring that supporters are adequately aware of where  their data will be managed, and why, receives more emphasis, and so attention to what suppliers are doing, how and where, is again highlighted.

What should non-profits do now?

Although the GDPR won’t come into effect until 2018, the two years from now until then should be looked at as a great opportunity for audit, review and process change.

As such, organisations need to look at a project team of the right people to review this across the organisation – data protection officer, fundraising, IT, data teams, communications and marketing, operational teams who use data, perhaps even HR and finance.

Most organisations will be best placed to start with an audit across all their data (where, who, how, when, why?) and build a plan of action to consider these new elements and how they’ll respond.

We consider the key areas of this may be:

  • Logistics of consent – from ask to coding and storage, to how it is accessed for selections and suppressions. CRM is going to be critical to this and recording response sign up, storage and in making selections, too.
  • Compliance with compliance – where are the gaps in your team considering what you know now? There will be more to come but do you need to look at a data champions programme, formal training, internal comms programmes or another route to ensure you all know what you need to know and can comply
  • Security review – what existing processes are in place, what needs to be in place and when, and how will you enact that plan?

Also key to success with this transition is understanding that the project will end, but the principle doesn’t – embed respect for consent, and understanding for it, in your organisation. Training, refreshers, documentation and champions can all ensure you stay ahead of the game, and do build in a bi-yearly review to check on any issues/concerns.

Don’t lose sight of why

The principle of why this is being done and new regulation is required is important – it’s easy to get bogged down in the day to day and lose sight of why.  This is about data protection and fundraising being trusted by individuals, supporters, clients, staff and constituents.  It’s in all our best interests to comply, not least because fines are more punitive than in previous regulatory cycles.   In the bigger picture, this is a recognition for all of us as consumers that the world we live in now is fast moving and ever changing – we shop across borders, travel across borders, donate across borders – and having multiple data rules in different jurisdictions which are hard to enforce is not in our best interests.

Keep it simple, superstars! 

Employ the KISS principle and do keep it simple in terms of the matter at hand, and your response. The main issue for fundraising is consent, and this is about treating people, and their data, fairly and securely, and as a two way relationship. Put yourself in your supporter’s shoes –  how would you want your data to be treated?

The GDPR gives a great starting point. If you look to review how you stack up to that now, work towards it, and come 2018 you’ll be in a great place. Build in the requirements of the existing and emerging fundraising regulations, and you’ll stay well ahead of the game. And if you’re wondering if all this will be relevant if Brexit becomes a reality, then yes, it will, as the UK will want to match EU requirements to stay in the trade game, so don’t use the forthcoming referendum as an excuse to do nothing.

How Purple Vision can help

Purple Vision can help with every aspect of a project like this – from leading the project for you, to offering specific advice and consultancy services on data, systems and other factors.  Drop us a line via email ([email protected]) or via 0845 458 0250 and ask us more.

The Grand GDPR Resource Library

The following links cover the wider legal and regulatory framework at play, as well as the GDPR developments:


EU/US Safe Harbor ruling and what it means for you

EU/US Safe Harbor ruling

First things first.  For those concerned with proper use of the English language, I must apologise.  The ruling we refer to is widely  (and legally) known as the Safe Harbor.  I’m itching to add the missing ‘u’, especially since it affects ‘you’ and nobody loves a bad joke like that more than the team at Purple Vision.

Itchy red pen issue dealt with, what we have to say next also does not relate to the image that the phrase safe harbor creates in our minds – calm seas, perhaps the wind gently whistling through the rigging of sailing boats … Safe harbor relates rather less prosaically to the issue of transferring data between the EU and US.

Why would you want to transfer data between the US and EU?

There are hundreds of reasons you might want to transfer data between the EU and US.  I might want to send an bank transfer to my best friend in California for Christmas.  If I worked for a multi-national company, I might transfer an active customer service case to be handled or processed between countries as the world passes through its rhythm of night and day.

In most cases, unless we get very geeky about small print, we might not even know that data is being transferred between the two locations.

The example that is being used widely in the media is about Facebook, because this is what has sparked the ruling. Handily it’s something most of us relate to as an example, too.

Facebook is an US owned site.  We’re using it in the UK (or across the EU).  Facebook crunches data algorithms to develop products and make startling insights about us (like my memory of the day from 5 years ago, or a compelling video of my 10 years on Facebook).  The main people that do this ‘magic’ might be in the US, but if our data is the EU and there are rules about data protection, how do I get the data between two places?

The safe harbor agreement – or to give it the full title International Safe Harbor Privacy Principles*  – provided a simple framework of self-regulation for US based companies to comply with the much more stringent EU data protection rules.

For the past 15 years, we have been able to sleep easy at night, knowing our data is being handled professionally, safely and with the respect demanded by anything which has the very bossy title ‘Directive’.

What’s changed? 

On Tuesday 6 October the European Court of Justice issued a ruling on the Safe Harbor pact.  This basically changes what has been the ‘established agreement’ on data and requires addendums – further additional protections.

The reason – quite simply, data may not be safe from US snooping.

As a result of Edward Snowden’s revelations (remember him, now lives in Russia after revealing secrets about US security operations and having them published in the Guardian?), an Austrian lawyer took Facebook to court in Ireland (their EU HQ), over the fact that data was stored in the US.  It’s not so much the fact it was being used in the US, as the way the data was being used – for example stuff he’d deleted was being kept over there.

If Snowden’s allegations are correct the US National Security Agency are snooping on the data and able to use it. You could argue they can see my holiday snaps on Facebook anyway (they’re welcome, I offer slideshows for the slow-to-say-no, too), but of course, it’s the principle that is the issue here.

The ruling basically states that “The United States … scheme enables interference, by United States public authorities, with the fundamental rights of persons…”

After years of happy compliance by thousands of companies it’s fair to say this was a bit of a surprise.

Yes, yes, yes, but what does it mean for ME?

Well for you personally, it might mean lots of things. But we’re primarily concerned with what this means for charities and organisations we work with, and the tools they use.

Number 1: Not everyone will be impacted. Remember this applies to companies who move data between the EU and US.  In many cases, providers use data centres in the countries they serve to avoid having to worry about things like this.

Number 2: In most cases where data is transferred its usually for a reason or a purpose which is clear. And most of us have nothing to fear from the NSA or other alleged agencies which may allegedly (see what I am doing here … ) ‘snoop’ on the data.

Number 3:  There is always a period of compliance with changes in Directives like this.  This period will start now and so this won’t, for many, be something that is solved overnight.

If you use Salesforce, it’s pretty easy to deal with

Salesforce is one of the organisations that relies on this agreement for some areas of its work.  Salesforce are one of the companies that have acted *super* quickly (to use an Americanism).  They have already been in touch with users with their immediate response and actions that you need to take.

Their email notes:

At Salesforce, trust is our #1 value and nothing is more important than the success of our customers and the privacy of our customers’ data. In light of the ECJ’s decision regarding the EU-US Safe Harbor Framework, Salesforce is immediately making available a data processing addendum that incorporates the European Commission’s standard contractual clauses, commonly referred to as “model clauses”.
The addendum ensures customers may continue to validate transfers of personal data under EU data protection laws.

They’ve issued a tool-kit of what to do, and it’s easy as 1, 2, 3

  1. Download the data processing addendum with the model clauses – handy link here to this data processing addendum
  2. Complete and sign
  3. Return to dataprocessingaddendum [at] salesforce [dot]com

They’ve also set up an FAQ page, which is sure to be one to watch with responses over the next few days.  There’s already handy info on the page (again, with the handy linky thing)

Our advice for other tools  and services

If you’re not a Salesforce user, what then?   The advice is really quite simple.

If you’re concerned about your CRM or other platform providers – do they have operations in the US?  If no, there’s no reason to worry.  If they do, watch your inbox.  If you want to be act now while you’re thinking about it, check their website and if there’s nothing there get in touch with your account manager to ask if there is an impact for you – they will likely tell you that something will follow shortly when they’ve had time to respond.  This will be soon.

But its not just CRM.  Check the digital tools you use.  Social media management platforms, email providers etc may all be US based or work with this pact.  Equally, they may not.  In this instance, we’re suggesting that you wait for an email from the provider.  You may also see a a notice or flash warning when you log into the site.  Read it and take the necessary action.


  • * EU Directive 95/46/EC for those of us who like to be really, really specific and look things up. Read all about it via Wikipedia (with all the usual caveats related to the use thereof), just like I did
  • Articles in The Guardian and via the BBC  News website are a good place to start for more information