Ready, set, GDPR
I recently wrote a piece for the Just Giving blog called 4 lessons for charities as we prepare for GDPR in which I presented four lessons we can learn from the recent (March 2017) fines imposed on two businesses for data breaches as they made their own preparations for GDPR.
My four lessons were based on Honda and Flybe, who were caught out trying to prepare themselves for GDPR (the irony!), but who ignored the rules of PECR (Privacy and Electronic Communications Regulations) in the process. Essentially, they emailed people to ask if they could stay in touch or if the details they held were correct.
My four lessons were:
Lesson 1: if you don’t have permission for a channel, you can’t ask for permission via that channel (so if you don’t have permission to email, you can’t email to ask for permission to email; if you don’t have permission to call, don’t call).
Lesson 2: don’t ask for permission from people who have actively opted out of receiving communication via the channel you are using. While writing to people to ask if you can email them might sound a bit bonkers, if that is the communication approach you have consent for, that is how you must do it.
Lesson 3: be clear about what you have permission to do and what is covered by your permission. As you craft new permission statements, consider what you may want permission to do in the future, as well as what you may want to do now.
Lesson 4: Don’t be caught out in a GDPR compliance bubble and forget about other rules and regulations that apply – or about people. Making people-based decisions rather than data-based decisions shows due respect to our supporters and will give them confidence in our integrity as an organisation.
In a short blog for Just Giving you can’t go into the detail that you’d like though, and never short of something to say … I carry on below.
Getting GDPR ready using these lessons.
I think we can look at the case of Honda and Flybe and see how easily this could have been a charity making these errors. Heck, we can probably even see the thought process in our own organisations looking to make these decisions.
However, we also need to consider that these rules are not just about how we fundraise, they are organisation wide. They are about how we communicate with our donors, staff, volunteers – everyone who is connected to our organisation.
I think the rules come down to a bigger series of considerations and discussions that you need to have within your organisation about permissions and ‘permissioning’ – which is not an *actual* word but soon will become a big part of the charity management lexicon.
Where & when you ask
If you don’t have permission to email a donor, how can you get permission to email a donor?
There are many legitimate ways you can try to obtain email permission – for example via social media campaigns, sign-up links on your website and even via direct mail. If you have telephone permissions and an active calling programme, you could ask via that means too. You just can’t ask for permission for a channel (email) via the channel you want to use (email).
If obtaining permission is a priority for your organisation, ensure that sign-up forms are embedded on every page of your website and on every blog, and that you have a regular ‘drive’ to legitimately obtain additional data.
How you ask
Why would your donor give you any details?
How you ask for something that the donor values – their personal data – is critical. A wrong move could put them off as much as make them want to sign up. On a practical note, there are a range of methods of asking (but take note, massive popups on website screens are off-putting, will earn you penalties in Google and annoy readers by blocking content). [links to Google Webmaster blog]
On a human level, the tone of the ask also needs to be sensitive to the channel you are using. But more importantly, sensitive to your audience. You know all this of course, from your crafting of fundraising messages. Permission asks aren’t that much different, except the beneficiary is the organisation.
There’s a balance between the timid ‘would you like to sign up’ and the demanding ‘sign up instantly’ that will be right for your charity’s tone of voice. It is worth split testing some approaches out and changing the messaging to keep things fresh.
The issue of transparency also comes into play for how you ask for permissions – if this were your data, would you be happy that a company is relying on a clause hidden away in a set of terms and conditions to cover what you want to do with your data?
Which leads us onto what we are asking for permission to do.
What are you asking permission for?
This is the nub of the issue as far as our GDPR and PECR regulations are concerned – what are we asking permission for?
‘Sign up for our newsletter’ is a very broad statement. It may as well just read ‘give us your email, we’ll figure out what to do with it later’.
One of the ICO ‘tests’ is to ask the question – what would a person reasonably expect you to do with the data from what you have asked. Is it clear? It’s time to get granular – another central theme of the GDPR preparation process.
If you have a great email newsletter list – and that’s what you asked people to sign up to – that is all you can do with their data. You can’t send them a customer service announcement about your charity (here’s looking at you, Honda).
Of course, much can be contained within a newsletter (like your annual review and details of your latest campaign), but you also need to avoid your newsletters becoming cluttered, unfocused and impersonal (back to batch and blast) – and therefore irrelevant and easy to want to unsubscribe from.
One approach could be to consider all the kinds of activities your charity offers and ask for permission for each of them. A helpful way to start with this can be to look at your departments. Typically, they’ll relate to what your organisation delivers, e.g. HR, fundraising, communications, governance, policy/campaigning.
- what do they do (or want to do) that you may need permission for?
Another option to consider is what else you want to do with the data that you have. Several charities recently fell afoul of the ICO for using donor data for wealth screening.
The lesson here is the same as with Honda and Flybe. It is not what they were doing per se that was the issue, it was whether they had permission to do it – would a donor who gave them details have ‘reasonably expected’ to be profiled and screened like this, based on what they were told when they signed up?
- Ask once for now and the future – consider your 5-year plan and what current technology can offer in terms of insight as you craft new plans – even if you are not using technologies to help profile your web visitors now, or wanting to screen donors, or using predictive tools to help prospect for new donors, you may want to do that in 2 years’ time. And when you want to do it, you will need to have permission to do it. Machine learning is the way forward – plan for it now even if the reality of it still isn’t clear to you.
- Third parties – this also brings to bear the point raised in the GDPR guidelines about how you use data with third parties, and your need to declare how they will use the data too. Explore that alongside your permission work here and be as clear as you can. Third parties are everyone from your mailing house to potential agencies you may send data samples to for segmentation, research, data cleaning and so on.
Where are you storing and recording these permissions?
Should the ICO come a-knocking in the future, after you’ve made them a cup of tea and talked about the weather, the questions will come. One of the questions they may ask is where you can prove that you had permission to send x y or z person a b or c email/direct mail/text.
The paper trail [surely a redundant term in our digital age], in an ideal world, would lead to your CRM or database, where you can look this up with ease and respond confidently.
In your current situation:
- could you look up where you asked for permission to contact someone and identify the permission that a person gave?
- could you look up the form they used to sign up and double check the language?
How you are storing your data is one of the fundamental questions that GDPR brings us back to.
It covers the requirement for data to be held securely – which is a separate area of conversation about access to devices, security protocols et al (and usually ends with a conversation where someone reminisces about leaving a laptop of client data on a train).
For this article, consider these areas.
- how are you managing your data?
- do you run on Excel and end up with multiple departmental spreadsheets because that’s the only data you ‘trust’?
Heck, I am sure some people still use a card index or have a special address book.
That’s all data and that’s all covered by this.
How are you going to manage permissions?
A few preference centres are popping up on the market claiming to be the answer to all your GDPR woes.
While they may be part of a solution that works for you, I strongly urge you to think more widely than this before buying a panacea that you may not need.
There are key questions to ask and answer first about how your organisation is going to work together before you get to the technical bits. Fundamentally, GDPR means it is finally, genuinely, time to say bye bye data silos and say hello to collaborative working with consistent data and access across the organisation.
No preference centre or legacy system is going to make that work for you. That’s about organisational culture. So, we need to do the people and process thinking ahead of the technology.
Some questions to help you explore this area and decide how to manage it in your organisation include:
- Could any user log on and know that they cannot email a donor or beneficiary or that they cannot write to a resident?
- Where and how will you record when a client, donor or beneficiary decides they don’t want to receive further communications?
- What if they change their mind about a channel they already gave permission for?
- If someone unsubscribed from direct mail today, how long would it take for their permission to catch up with data selections you have already made for future campaigns?
There are several creative ways to stick a temporary sticky plaster on any systems you are currently using while you consider the bigger picture.
Don’t rush straight into more permanent fixes to your systems integrations that will give you the sought-after 360-degree view or more integrated and comprehensive data source – think them through with and beyond GDPR.
Evidence of Permission
If you can’t find evidence that you’ve asked for permission to do something, the safest approach may be to consider that you don’t have permission at all.
This may mean you cannot contact that person.
This is something of a bitter pill for many looking at their database. It is going to reduce the number of active contacts and the number of people who may support you as a result.
The long and the short of it is that compliance with GDPR is the start of a new road and approach to how we look at our data – and our strategy for managing acquisition will need to adapt accordingly.
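The questions above about recording permissions, and the ‘no evidence means no permission’ rule in this section, can be turned into a small consent ledger. This is an added illustration, not code from the original article or from any CRM product; the contact names, form identifiers and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ConsentEvent:
    """One permission decision plus the evidence behind it."""
    contact_id: str
    channel: str    # "email", "post", "phone", "sms"
    purpose: str    # "newsletter", "appeals", "wealth_screening", ...
    granted: bool   # True = opt-in, False = opt-out or later withdrawal
    when: datetime
    source: str     # form or process that captured it, e.g. "web-signup-v3"
    statement: str  # exact wording the person saw when they decided

class ConsentLedger:
    """Append-only consent record; newest event per contact/channel/purpose wins."""
    def __init__(self):
        self._events = []
    def record(self, event):
        self._events.append(event)
    def evidence(self, contact_id, channel, purpose, at=None):
        """Latest event on or before `at`, or None if nothing was ever recorded."""
        cutoff = at or datetime.max
        hits = [e for e in self._events
                if (e.contact_id, e.channel, e.purpose) == (contact_id, channel, purpose)
                and e.when <= cutoff]
        return max(hits, key=lambda e: e.when) if hits else None
    def can_contact(self, contact_id, channel, purpose, at=None):
        """No evidence on file is treated as no permission."""
        ev = self.evidence(contact_id, channel, purpose, at)
        return bool(ev and ev.granted)
    def apply_to_selection(self, contact_ids, channel, purpose, at=None):
        """Re-check a campaign selection at send time so later opt-outs are honoured."""
        return [c for c in contact_ids if self.can_contact(c, channel, purpose, at)]

def build_sample_ledger():
    """Constructed sample events (hypothetical supporters, not real data)."""
    ledger = ConsentLedger()
    wording = "Yes, email me the monthly newsletter"
    ledger.record(ConsentEvent("alice", "email", "newsletter", True,
                               datetime(2017, 3, 1), "web-signup-v3", wording))
    ledger.record(ConsentEvent("bob", "email", "newsletter", True,
                               datetime(2017, 3, 5), "event-paper-form", wording))
    # Bob unsubscribes after the April selection has already been pulled
    ledger.record(ConsentEvent("bob", "email", "newsletter", False,
                               datetime(2017, 4, 10), "unsubscribe-link", "Unsubscribe"))
    return ledger
```

Because permission is keyed by channel and purpose, a newsletter opt-in does not permit a service announcement by email or the same newsletter by post, and a selection pulled before an unsubscribe loses that contact when re-checked at send time.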
A human appeal: people = data
Alongside all this work we must do about data, I’d like to add the human appeal. When we talk about data, we’re talking about people. We talk about donor journeys and build experiences around them based on things they’ve told us they want to do and what we want them to do (and ideally the two mirror each other). These journeys are individuals’ personal interactions with us.
Some of the GDPR rules you are now considering may worry you because they could (or will) have an impact on the valuable work that you do (for example, if you have a major donor and no contact permission to call, how are you going to move forward?).
Remember too that other charities and businesses up and down the country are having to do the same. The charity you donate to, the online shop you buy those superb shoes from. They are looking at your data. How do you want them to treat you?
This ‘conscience and integrity’ test is one I find helpful all the time as a reminder that behind that spreadsheet (which is password protected and kept on a secure system, obviously) are real people and real lives, not just unique identifiers and permission sets.
It is easy to forget this.
Author’s note: this article is not intended as legal advice. Note that it covers the legal basis for consent-based marketing and fundraising. Other legal bases for data processing may apply in your organisation.
Where to get Guidance and Information.
- Fundraising and Regulatory Compliance: https://www.fundraisingregulator.org.uk/2017/02/21/fundraising-regulatory-compliance-conference-2017/
- ICO pages on GDPR and progress of consultations on key issues (eg consent): https://ico.org.uk/for-organisations/data-protection-reform/
- ICO’s excellent ‘12 steps to take now’ diagram is a good place to start https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
If you need a data audit, an internal seminar to get your team up to speed with the basics of GDPR and ready to move forward, or need help to adapt your systems to meet your new preference management approach, Purple Vision can help.
Whatever your question, we’re happy to help. You can