Tag Archives: Regulation & Compliance

Get ready, get set, GDPR

Getting ready for GDPR

Ready, set, GRPR

I recently wrote a piece for the Just Giving blog called 4 lessons for charities as we prepare for GDPR  in which I presented four lessons we can learn from the recent (March 2017) fines imposed on two businesses for data breaches as they made their own preparations for GDPR.

My four lessons were based on Honda and Flybe, who were caught out trying to prepare themselves for GDPR (the irony!), but who ignored the rules of PECR (Privacy and Electronic Communication Regulations) in the process.  Essentially, they emailed to ask if they could stay in touch or if the details were correct.

My four lessons were:

Lesson 1: if you don’t have permission for a channel, you can’t ask for permission via that channel (so if you don’t have permission to email, you can’t email to ask for permission to email; if you don’t have permission to call, don’t call). 

 Lesson 2:  don’t ask for ask for permission from people who have actively opted out of receiving communication via the channel you are using.  While writing to people to ask if you can email them might sound a bit bonkers, if that is the communication approach you have consent for, that is how you must do it.

Lesson 3: be clear about what you have permission to do and what is covered by your permission. As you craft new permission statements, consider what you may want permission to do in the future, as well as what you may want to do now. 

Lesson 4:  Don’t be caught out in a GDPR compliance bubble and forget about other rules and regulations that apply – or about people. Making people-based decisions rather than data-based decisions shows due respect to our supporters and will give them confidence in our integrity as an organisation.

In a short blog for Just Giving you can’t go into the detail that you’d like though, and never short of something to say … I carry on below.

Getting GDPR ready using these lessons.

I think we can look at the case of Honda and Flybe and see how easily this could have been a charity making these errors.  Heck, we can probably even see the thought process in our own organisations looking to make these decisions.

However, we also need to consider that these rules are not just about how we fundraise, they are organisation wide.  They are about how we communicate with our donors, staff, volunteers – everyone who is connected to our organisation.

I think the rules come down to a bigger series of considerations and discussions that you need to have within your organisation about permissions and ‘permissioning’ – which is not an *actual* word but soon will become a big part of the charity management lexicon.

Where & when you ask

If you don’t have permission to email a donor, how can you get permission to email a donor?

There are many legitimate ways you can try and obtain email permission – for example via social media campaigns, sign up links on your website and even via direct mail.  If you have telephone permissions and active calling programme, you could even ask via this means too.  You just can’t ask for permission for that channel (email) via the channel you want to use (email).

If obtaining permission is s a priority for your organisation, ensure that sign-up forms are embedded on every page of your website, on every blog and that you have a regular ‘drive’ to legitimately obtain additional data.

How you ask

Why would your donor give you any details?

How you ask for something that the donor values – their personal data – is critical.  A wrong move could put them off as much as make them want to sign up. On a practical note, there are a range of methods to asking (but take note, massive popups on website screens are off-putting and will earn you penalties in Google and annoy readers by blocking content). [links to Google Webmaster blog]

On a human level, the tone of the ask also needs to be sensitive the channel you are using.  But more importantly, sensitive to your audience. You know all this of course, from your crafting of fundraising messages.  Permission asks aren’t that much different, except the beneficiary is the organisation.

There’s a balance between the timid ‘would you like to sign up’ and the demanding ‘sign up instantly’ that will be right for your charity’s tone of voice.  It is worth split testing some approaches out and changing the messaging to keep things fresh.

The issue of transparency also comes into play for how you ask for permissions – if this were your data, would you be happy that a company is relying on a clause hidden away in a set of terms and conditions to cover what you want to do with your data?

Which leads us onto what we are asking for permission to do.

What are you asking permission for?

This is the nub of the issue as far as our GDPR and PECR regulations are concerned – what are we asking permission for?

‘Sign up for our newsletter’ is a very broad statement. It may as well just read ‘give us your email, we’ll figure out what to do with it later’.

One of the ICO ‘tests’ is to ask the question – what would a person reasonably expect you to do with the data from what you have asked.  Is it clear?  It’s time to get granular – another central theme of the GDPR preparation process.

If you have a great email newsletter list –and that’s what you asked people to sign up to, that is all you can do with their data. You can’t send them a customer service announcement about your charity (here’s looking at you, Honda).

Of course, much can be contained within a newsletter (like your annual review and details of your latest campaign), but you also need to avoid your newsletters becoming cluttered, unfocused and impersonal (back to batch and blast) – and therefore irrelevant and easy to want to unsubscribe from.

One approach could be to consider all the kinds of activities your charity offers and ask for permission for each of them.  A helpful way to start with this can be to look at your departments. Typically, they’ll relate to what your organisation delivers.  Eg HR, fundraising, communications, governance, policy /campaigning.

  • what do they do (or want to do) that you may need permission for?

Another option to consider is what you also want to do with the data that you have.  Several charities recently fell afoul of ICO for using donor data for wealth screening.  

What we have learned from this is like our Honda/ FlyBe lessons.  It is not what they were doing per se that was the issue, it was their permission to do it – would a donor who gave them details have ‘reasonably expected’ to be profiled and screened like this based on what they were told when they signed up?

  • Ask once for now and the future – consider your 5-year plan and what current technology can offer in terms of insight as you craft new plans – even if you are not using technologies to help profile your web visitors now, or wanting to screen donors, or using predictive tools to help prospect for new donors, you may want to do that in 2 years’ time.  And when you want to do it, you will need to have permission to do it.  Machine learning is the way forward – plan for it now even if the reality of it still isn’t clear to you.
  • Third parties – this also brings to bear the point that is raised in GDPR guidelines about how you use data with third parties too, and your need to declare how they will use the data too.  Explore that alongside your permission work here and be as clear as you can.  Third parties are everyone from your mailing house to potential agencies you may send data samples too for segmentation, research, data cleaning and so on.

Where are you storing and recording these permissions?

Should the ICO come a-knocking in the future, after you’ve made them a cup of tea and talked about the weather, the questions will come.  One of the questions they may ask is where you can prove that you had permission to send x y or z person a b or c email/direct mail/text.

The paper trail [ surely a redundant term in our digital age] in an ideal world, would lead to your CRM or database, where you can look this up with ease, and respond confidently.

In your current situation:

  • could you look up where you asked for permission to contact someone and identify the permission that a person gave?
  • could you look up the form they used to sign up and double check the language?

How you are storing your data is one of the fundamental questions that GDPR brings us back to.

It covers the requirement for data to be held securely – which is a separate area of conversation about access to devices, security protocols et al  (and usually ends with a conversation where someone reminisces about leaving a laptop of client data on a train).

For this article, consider these areas.

  • how are you managing your data?
  • do you run on Excel and end up with multiple departmental spreadsheets because that’s the only data you ‘trust’?

Heck, I am sure some people still use a card index or have a special address book.

That’s all data and that’s all covered by this.

How are you going to manage permissions?

A few preference centres are popping up on the market claiming to be the answer to all your GDPR woes.

While they may be part of a solution that works for you, I strongly urge you to think more widely than this before buying a panacea that you may not need.

There are key questions to ask and answer first about how your organisation is going to work together before you get to the technical bits.   Fundamentally, GDPR means it is finally, genuinely, time to say bye bye data silos and say hello to collaborative working with consistent data and access across the organisation.

No preference centre or legacy system is going to make that work for you.  That’s about organisational culture.  So, we need to do the people and process thinking ahead of the technology.

Some questions to help you explore this area and decide how to manage it in your organisation include:

  • Could any user log on and know that they cannot email a donor or beneficiary or that they cannot write to a resident?
  • Where and how will you record when a client, donor or beneficiary decides they don’t want to receive further communications?
  • What if they change their mind about a channel they already gave permission for?
  • If someone unsubscribed from direct mail today, how long would it take for their permission to catch up with data selections you have already made for future campaigns?

There are several creative ways to stick a temporary sticky plaster on any systems you are currently using this while you consider the bigger picture.

Don’t rush straight into more permanent fixes to your systems integrations that will give you the sought-after 360-degree view or more integrated and comprehensive data source – think them through with and beyond GDPR.

Evidence of Permission

If you can’t find evidence that you’ve asked for permission to do something, the safest approach may be to consider that you don’t have permission at all.

This may mean you cannot contact that person.

This is something of a bitter pill for many looking at their database.  It is going to reduce the number of active contacts and the number of people who may support you as a result.

The long and the short of it is that compliance with GDPR is the start of a new road and approach to how we look at our data – and our strategy for managing acquisition will need to adapt accordingly.

A human appeal: people = data

Alongside all this work we must do about data, I’d like to add the human appeal. When we talk about data, we’re talking about people.  We talk about donor journeys and build experiences around them based on things they’ve told us they want to do, what we want them to do (and ideally the two mirror each other).  These journeys are individual’s personal interactions with us.

Some of the GDPR rules you are now considering may worry you because they could (or will) have an impact on the valuable work that you do (for example, if you have a major donor and no contact permission to call, how are you going to move forward?).

Remember too that other charities and businesses up and down the country are having to do the same.  The charity you donate to, the online shop you buy those superb shoes from. They are looking at your data. How do you want them to treat you?

This ‘conscience and integrity’ test is one I find helpful all the time as a reminder that behind that spreadsheet (which is password protected and kept on a secure system, obviously) are real people and real lives, not just unique identifiers and permission sets.

It is easy to forget this.

Authors note:  this article is not intended as legal advice.  Note that this covers the legal basis for consent-based marketing and fundraising. Other legal basis for data processing may apply in your organisation.

Where to get Guidance and Information.      

Need help? 

If you need a data audit, an internal seminar to get your team up to speed with the basics of GDPR and ready to move forward, or need help to adapt your systems to meet your new preference management approach, Purple Vision can help.

Whatever your question, we’re happy to help.   You can

Think customer, not data

Quite rightly, when we think about data, the first thing we think about is data protection.  Security. The laws and regulations which govern how we store and secure customer details, compliance with laws, directives and regulation – or the codes of best practice – that we use in storing and securing customer details.

Add a few strong passwords, find an organisational data protection officer, add a dose of corporate responsibility and the right personal approach and you’re safe.  Phew!

But as other more erudite articles on this theme show, it’s not *quite* as easy as all that.

We’d like to add another dimension to the debate.

Data = customer

Data is the word mentioned first in the phrase data protection.

We think it’s because it’s the most important part. But where does it come from?

Data comes from our customers.

Data is about customers.

How we treat data, and our responsibility to it, is a reflection of how we treat our customers.

Data – and data protection – is as much about user experience and customer care as it is technical systems and compliance.

You may call the people in your organisation different things – customers, partners, prospects, stakeholders …. The words don’t matter. The sentiment does.

Surely this is all just semantics? 

It’s much easier to be animated, interested and excited about people than it is about data.   It’s easier to think about data protection if you are applying people to the process – this is about our customer, what’s the right thing to do for them?

And as for doing the right thing by them – here’s our 5 point roadmap to help you keep on top of your data

Silo the data silos

At the risk of sounding patronising, it’s really hard to look after data when it’s all over the place.  Data silos are common in organisations – donations and enquiries in one place, website and social media date elsewhere, perhaps even data about members and their registration data kept somewhere else.  Never mind our personal preferences for spreadsheets a plenty.

Part of your organisations roadmap should include integration of data.  This may not happen overnight but it should be a priority for many reasons.

The very first of these is that you cannot properly manage and use your organisations data – or support your customers – if information about them is in multiple places.   The second of these is that you’re not using a full 360 view of your stakeholders to make decisions if your data is not integrated.  You may be missing key changes or trends.

If it’s not on your list, chances are it won’t happen

Data needs to be looked after.  There are tasks to be done to keep it clean and in tip top condition, useable, current and informative. Let’s be very realistic, unless you’re some kind of Super-Manager, it’s very hard to keep on top of absolutely everything, and inevitably some of the tasks which are not seen as urgent or vital to move forwards, will move down the priority list.

I’d urge you to make weekly, monthly, quarterly and annual tasks relating to your data a priority.  A very simple reason is that the time it takes to do the task will become greater the longer you leave it.

If someone has been making a basic data entry error for 6 months, that’s a lot more knitting to unpick than a month’s work.

Pragmatically, for many of us while we know data is important, data tasks could be some of the little jobs that make our heart sink (all jobs have them) and don’t fill us with excitement.  All the more reason to deal with it when it’s small!  Make sure your data tasks are on your priority list.

Be on hand to help, monitor and manage

There are those of us that get excited about databases and systems.  Then there are the rest of the organisation who kind of know there’s a system, might have to interact with it but are not quite sure of what it is or why.

Sharing insight across the organisation helps everyone understand the relevance and importance of what’s in the system and how it can help you with your shared vision.

It also highlights you to the organisation as the person who carries the mantle for it and people can approach you for guidance more easily.

A champion is also useful for new starters  helping them get started and look after data in the right way, right from the beginning.

Stay enthused

The landscape we work in changes all the time – new tech, new programmes, new opportunities.  Not all of these will be relevant to you, but it’s important to keep an eye on the trends, innovations and updates that take place.

Find a blog you trust (this one is a great start!), and just scan it every week or so.

Keep in touch with your implementation partner or vendor – some may offer ongoing training or updates for clients.

Find ways to keep up with the new, fresh and exciting so you maintain your enthusiasm data, your systems and approaches and it isn’t something else ‘to do’ but is something else to grow and develop.

Health checks

Just as you will occasionally seek medical advice if there’s something wrong, you can do the same with your CRM.  If you have an issue, call the partner who helped you install it – you may have sensibly bought some after sales support from them, or they may be able to offer this to you on an ad hoc basis.  Healthcare is about prevention as well as cure.

An investment in the health of your system will help keep it working smoothly – and if you don’t have the time or expertise to manage it in house, you will need to recognise and allocate an ongoing sum to seek the help you need.

You’ve invested a lot of time and money in the system; don’t forget to protect your asset.

Find out more

Purple Vision offers health-checks for Raiser’s Edge and Salesforce as well as support with data, analytics and CRM.  Contact us to find out more.

 

 

 

Why you should know what the GDPR is – and what you can do NOW!

Be a fundraising GDPR superstar!

Dawn VarleyGuest blog by Purple Vision Associate Consultant, Dawn Varley – a self-professed ‘data geek’ and all round fundraising super-star – with a special interest in making data approachable and manageable.

 

 

 

On 14 April, European Parliament finally voted to accept the new rules and regulations that will shape data protection within the EU from 2018 onwards. We now have confirmation of what the much-talked about ‘changes to EU DP law’ – the General Data Protection Regulation (GDPR) look like, and can work to ensure they are adequately planned for.

The core components of consent, compliance and security shouldn’t come as any surprise – as these form the bedrock of the current EU, and corresponding UK, legislation.

That said, there are some key changes to be aware of, and whilst 2018 seems like an age away now is the time to get moving.   We all want to ensure not just compliance with the law, but to adopt best practice over and above it as a means of delivering excellent fundraising, and corresponding customer service to your supporters.

The time-frame also offers a great opportunity to incorporate a review of,  and plan of action for, the wider regulatory changes that have already or are due to come into effect in the next year.

But for now, let’s look at the core elements of the GDPR.

Consent

Consent remains very much a hot topic within the wider fundraising furore that has plagued the sector for the last year or so. But at its heart it could be argued to be very straight forward.  Existing Data Protection Act (DPA) and Privacy and Electronic Communications Regulations (PECR) laws focus on this, and the GDPR serves to reiterate the 4 conditions that need to be present in order for consent from supporters to be valid:

  1. Freely given – the person must give their consent without force, ie they have a choice, and do not have to give unnecessary details to undertake the transaction
  2. Informed – it must be clear to the person exactly what is being asked, why, and how they opt-in or out. Plain English is key.
  3. Specific – related to condition 2, the consent given will be specific to the processing stated at time of consent, and cannot unreasonably be changed later without further consent
  4. Positive action to indicate consent – the person must be required to do something to confirm they consent, ie by submitting a form or ticking a box. The absence of action cannot be used here.

A ‘right to be forgotten’ and a ‘right to object’ is also available for the supporter to invoke, and business processes must be able to recognise these rights, and cater for the subsequent removal of consent. Existing consent obtained from supporters will still be valid as long as the 4 conditions above are deemed to be met, so there is no starting point of a need to reconfirm with people to get consent.

Compliance

Thinking again of the traumatic year that charities have had, compliance has been highlighted as a key area where lack of attention has caused major problems.  It is not enough to state that you comply with the DPA in the data protection statements you use – you must understand what it is, what is requires you to do – and then do it. Likewise the Institute of Fundraising Code of Fundraising Practice – it is not enough to simply be a member and the ethos of the Code must be present in all you do.

The GDPR brings in changes to compliance at two key levels:

  • Firstly, by rolling out the need to comply with regulations at data processor as well as data controller level, which means a charity using the services of a supplier must ensure they comply with regulations in the same way the charity does. One way to do this is to ensure this is contractually stated, and then checked on, by the charity.
  • Secondly, stricter financial penalties will apply, with much steeper fines available to punish failure to abide by the GDPR. Up to 4% of annual turnover could be at risk at the top end of the scale.

Security

‘Privacy by design’ should be embedded in all business processes which collect and manage data, and also in the systems that store and process it. Security cannot be an afterthought retrospectively applied to a process or system, and so a culture change as to how data management is approached may be required.  The transfer of data outside the EU, and ensuring that supporters are adequately aware of where  their data will be managed, and why, receives more emphasis, and so attention to what suppliers are doing, how and where, is again highlighted.

What should non-profits do now?

Although the GDPR won’t come into effect until 2018, the two years from now until then should be looked at as a great opportunity for audit, review and process change.

As such, organisations need to look at a project team of the right people to review this across the organisation – data protection officer, fundraising, IT, data teams, communications and marketing, operational teams who use data, perhaps even HR and finance.

Most organisations will be best placed to start with an audit across all their data (where, who, how, when, why?) and build a plan of action to consider these new elements and how they’ll respond.

We consider the key areas of this may be:

  • Logistics of consent – from ask to coding and storage, to how it is accessed for selections and suppressions. CRM is going to be critical to this and recording response sign up, storage and in making selections, too.
  • Compliance with compliance – where are the gaps in your team considering what you know now? There will be more to come but do you need to look at a data champions programme, formal training, internal comms programmes or another route to ensure you all know what you need to know and can comply
  • Security review – what existing processes are in place, what needs to be in place and when, and how will you enact that plan?

Also key to success with this transition is understanding that the project will end, but the principle doesn’t – embed respect for consent, and understanding for it, in your organisation. Training, refreshers, documentation and champions can all ensure you stay ahead of the game, and do build in a bi-yearly review to check on any issues/concerns.

Don’t lose sight of why

The principle of why this is being done and new regulation is required is important – it’s easy to get bogged down in the day to day and lose sight of why.  This is about data protection and fundraising being trusted by individuals, supporters, clients, staff and constituents.  It’s in all our best interests to comply, not least because fines are more punitive than in previous regulatory cycles.   In the bigger picture, this is a recognition for all of us as consumers that the world we live in now is fast moving and ever changing – we shop across borders, travel across borders, donate across borders – and having multiple data rules in different jurisdictions which are hard to enforce is not in our best interests.

Keep it simple, superstars! 

Employ the KISS principle and do keep it simple in terms of the matter at hand, and your response. The main issue for fundraising is consent, and this is about treating people, and their data, fairly and securely, and as a two way relationship. Put yourself in your supporter’s shoes –  how would you want your data to be treated?

The GDPR gives a great starting point. If you look to review how you stack up to that now, work towards it, and come 2018 you’ll be in a great place. Build in the requirements of the existing and emerging fundraising regulations, and you’ll stay well ahead of the game. And if you’re wondering if all this will be relevant if Brexit becomes a reality, then yes, it will, as the UK will want to match EU requirements to stay in the trade game, so don’t use the forthcoming referendum as an excuse to do nothing.

How Purple Vision can help

Purple Vision can help with every aspect of a project like this – from leading the project for you, to offering specific advice and consultancy services on data, systems and other factors.  Drop us a line via email ([email protected]) or via 0845 458 0250 and ask us more.

The Grand GDPR Resource Library

The following links cover the wider legal and regulatory framework at play, as well as the GDPR developments: