Data protection is rising to the top of the priority list for many charities. Regulations and reputation mean it’s essential that charities manage supporter data in a responsible manner.
Are charities a special case? No - in fact non-compliance by charities is increasingly being punished. April 2017 alone saw eleven different charities fined by the ICO for not complying with existing UK frameworks around handling donors’ personal data. According to the ICO the only special treatment charities are getting is the size of the fines, compared to those handed out to for-profit organisations.
The General Data Protection Regulation (GDPR) will fully come into law in May 2018. This means more stringent rules around handling donor data and a requirement for charities to be fully compliant or be faced with fines and lawsuits.
Coupled with that, the Fundraising Regulator is putting the finishing touches to the Fundraising Preference Service - an extra layer of protection for donors. FPS is significantly watered-down from its initial vision, but charities will be required to toe the line or face the consequences.
What is the GDPR?
The new General Data Protection Regulation (or GDPR for short) is basically broad legislative guidance for EU organisations around good ‘data hygiene’.
This means knowing what data you collect, knowing how you and your partner's use it, and ensuring you’re doing the right things with that data - and not using it in ways that someone hasn’t given consent to.
Although it’s an EU framework, the UK government has confirmed that the roll-out of this new regulation will still affect UK-based charities even with the UK’s departure from the EU, meaning that all organisations that work with the personal data of any EU residents will need to overhaul their data collection and handling processes to avoid the risks of violating the key provisions of the GDPR.
The UK government has also suggested they will provide an updated framework that mirrors the GDPR at such a time when the UK has formally finished the departure process from the EU.
GDPR is essentially about reinforcing the human right to privacy, and putting control back in the hands of citizens to understand who has data on them and how they’re using it.
What’s the risk for charities?
Enforcement of the GDPR will be robust and the fines will be severe. For companies, non-compliance with the GDPR could mean to 4% of your global annual turnover. For charities, certain aspects of the regulation prove to be a grey area, but it’s important to get prepared nonetheless.
Rigorous requirements for obtaining consent for collecting personal data
Raising the age of consent for collecting an individual’s data from 13 to 16 years old
Requiring a charity to delete data if it is no longer used for the purpose it was collected
Requiring a charity to delete data if the individual revokes consent for the charity to hold the data
Requiring charities to notify the relevant data protection authority of data breaches within 72 hours of learning about the breach
Establishment of a single national office for monitoring and handling complaints brought under the GDPR
Increased fines for non-compliance
All of which puts pressure on charities’ CRM systems.
What can charities do to prepare for GDPR?
We’ve compiled these tips for charities to begin preparing for the new law ahead of the compliance deadline of May 2018.
1. Don’t put anything in small print - clearly ask for data consent
The GDPR requires for the collection of all personal data to have "unambiguous" consent. This means adjusting your web and print forms to ensure boxes are “actively ticked” (no pre-ticked boxes) and that consent for processing (or re-using or passing on) personal data is asked in a clear and concise way (not just in small print at the bottom), rather than assuming that certain use of this data is okayed by the donor based on assumption.
This focus on clarity and consent ensures that vulnerable people are protected.
For charities who are fundraising with various methods, tools and teams, it’s important to take time to be introspective. Work with your team to audit all of your activity and map out every area in which you will be collecting personal data and ensure all methods, all websites and all forms have language this is fully compliant to the best of your ability.
Additionally, “consent will not be considered to be freely given if an individual has no genuine or free choice, although there remains some uncertainty around [ongoing] consent that is given when a donation is collected.” says law firm Farrer & Co.
This grey area around donations and data brings us to our next points: protecting the and organising donor data you actually do collect.
2. Review your CRM / donor database / fundraising software today
This is one area where your CRM needs to earn its living. Tracking consent, respecting the rights to erasure, providing data to donors on request, respecting consent when sending out communications, providing an easily accessible preference centre, securing donor data: your CRM is a key tool for compliance. If it doesn’t provide the features to enable you to comply with GDPR (and FPS when it arrives), change it.
At Donorfy we’re holding consultations between our software developers and our clients to make sure everyone knows how to be compliant.
Your CRM won’t make you compliant, but it must provide the tools to enable you to be compliant. So become familiar with the requirements of the regulations, and take an honest look at whether your CRM and your processes measure up.
If not, take a look at your options, including Donorfy. Remember, you’ve got to have it in place by 25th May 2018.
3. Understand the importance of properly organising data
Under the new GDPR framework, an individual can ‘withdraw consent’ at any time, and it must be extremely easy for them to do so. This means someone can request that his or her personal data must be fully erased by the charity and no longer used, a so-called ‘right to be forgotten’.
If a charity isn’t dutifully and regularly updating donor data, merging donor data and keeping it will organised, this part of compliance will be a major issue. If an individual requests that their data be removed and they still continue to receive comms from your charity based on unorganised or replicated donor data, that would be a non-compliance issue.
Charities must ensure that donors data be fully erased if requested or that they must be able to opt-out of direct marketing without “undue delay”.
4. Stop exchanging sensitive information on unsecured platforms
If you’re regularly using unsecured, unencrypted platforms to exchange personal details with donors, now would be the time to strategise new methods of communications.
Think about the processes you currently have in place: rather than using Twitter direct messages to conduct conversations with sensitive data (where potentially many people in your company have the password), consider switching to a secure donor management platform or customer service platform.
A full overview of the GDPR can be found on the ICO website here.
Do you have questions about how to better protect your donor data using Donorfy? Get in touch and book a one-to-one demo with us so we can talk you through it.