New regulations affecting fundraising, campaigning and volunteer management come into effect in 2018. Here’s how you can be ready.
Four letters – GDPR – have been imprinted on the minds of fundraisers and charities over recent months. The general data protection regulation (GDPR) is a new EU law that will come into effect on 25 May 2018 to replace the current Data Protection Act. It’s been made clear that all businesses and charities will have to comply.
Fundraisers need to get this right not only to be sure that they’re meeting their legal requirements, but also to give their donors a great experience of supporting charities. So what are the steps charities should be taking now to prepare for the changes?
1. This is not just a fundraising issue
The question of how fundraisers can lawfully contact donors and supporters, or identify and approach potential new supporters, has been the main focus of the debate about data protection so far. We have to be careful not to only see it in this way. The requirements will apply across the board in charities, for campaigning, marketing, managing volunteers and recording information about service users – anything that involves processing an individual’s personal data.
Charities will need to adopt a whole organisation approach, with a strategy agreed at board level. Volunteers are no different to employees; they must be trained and equipped to protect data. Arrange an audit of what personal data you hold, where it came from and who you share it with to get a sense of what you’ll need to do next.
2. Review how you ask for consent
For consent to be valid, it will need to be a freely given, specific, informed and unambiguous indication, made through a statement or a clear affirmative action such as actively ticking a box.
3. Opt in vs opt out
Organisations don’t need consent for all forms of direct marketing – charities can send direct marketing by post or make calls to numbers not registered with the telephone preference service, provided they can satisfy the legitimate interest condition. Giving people an opportunity to opt out of these will still be acceptable, but that won’t mean a charity has consent – it will be relying on legitimate interest, and charities have to make sure they get this right.
4. Provide user access to personal data
One of the other key changes with GDPR is the new emphasis it places on users’ right to access their own personal data. Charities should plan how they will handle any requests within the new timescales, so that responding does not become too onerous and time-consuming.
5. Manage the data you hold properly
6. Beware of data breaches
The amount that the Information Commissioner’s Office (ICO) can fine organisations for breaches of data protection has been increased, and there is a new duty on organisations to report certain types of data breach if they occur. Charities should make sure they have the right procedures in place to detect, report and investigate a personal data breach. It’s worth reviewing information from the ICO regularly to keep on top of developments in this area.
7. Don’t panic, but be prepared
GDPR is an evolution, not revolution. The Data Protection Act already requires that data is processed fairly and lawfully, so charities shouldn’t have too much more to do.
So don’t panic – take it as an opportunity to review how you process data already and make sure you’ve got plans in place to make any changes that you need to be ready for next May.
Source: The Guardian