
GDPR: how charities should prepare for data protection changes

New regulations affecting fundraising, campaigning and volunteer management come into effect in 2018. Here’s how you can be ready.

Four letters – GDPR – have been imprinted on the minds of fundraisers and charities over recent months. The General Data Protection Regulation (GDPR) is a new EU law that comes into effect on 25 May 2018 and replaces the current Data Protection Act 1998. It has been made clear that all businesses and charities will have to comply.

Fundraisers need to get this right not only to be sure that they’re meeting their legal requirements, but also to give their donors a great experience of supporting charities. So what are the steps charities should be taking now to prepare for the changes?

1. This is not just a fundraising issue

The question of how fundraisers can lawfully contact donors and supporters, or identify and approach potential new supporters, has been the main focus of the debate about data protection so far. We have to be careful not to only see it in this way. The requirements will apply across the board in charities, for campaigning, marketing, managing volunteers and recording information about service users – anything that involves processing an individual’s personal data.

Charities will need to adopt a whole-organisation approach, with a strategy agreed at board level. Volunteers are no different from employees: they must be trained and equipped to protect data. Arrange an audit of what personal data you hold, where it came from, on what basis you process it and who you share it with, to get a sense of what you’ll need to do next.


2. Review how you ask for consent

Under GDPR, simply saying “click here to read our privacy policy” is no longer enough. You need to explain clearly why you are collecting personal data and how you intend to use it. If you intend to make any data available to third-party providers (such as Google Analytics or telemarketing companies) you need to say so plainly and, where you rely on consent as your basis for that sharing, obtain specific consent for it.

For consent to be valid, it will need to be freely given, specific, informed and an unambiguous indication through a statement or clear affirmative action, such as actively ticking a box.

3. Opt in vs opt out

Organisations don’t need consent for all forms of direct marketing – charities can send direct marketing by post, or make calls to numbers not registered with the Telephone Preference Service, provided they can satisfy the legitimate interests condition. Giving people an opportunity to opt out of these will still be acceptable, but that won’t mean a charity has consent – it will be relying on legitimate interests, and charities have to make sure they get this right. Electronic marketing (email and text messages) is different: it still needs consent.


4. Provide user access to personal data

One of the other key changes with GDPR is the new emphasis it places on individuals’ right to access their own personal data. Charities should plan how they will handle requests within the new timescale (normally one month, rather than the current 40 days) so that responding does not become too onerous and time-consuming.

5. Manage the data you hold properly

The GDPR also brings in a “right to be forgotten”, under which people can request the removal of their personal data, either because they no longer want the charity to have it or because it is no longer used for the purpose for which it was collected. Charities should put a process in place for handling such requests, and could add “Find out what information we hold on you” and “Remove all information about me” sections to their privacy policy to give people clear information.

6. Beware of data breaches

The amount that the Information Commissioner’s Office (ICO) can fine organisations for breaches of data protection has been increased, and there is a new duty on organisations to report certain types of personal data breach to the ICO (within 72 hours of becoming aware of the breach, where it is likely to result in a risk to individuals). Charities should make sure they have the right procedures in place to detect, report and investigate a personal data breach. It’s worth reviewing information from the ICO regularly to keep on top of developments in this area.

Organisations failing to comply could face fines of up to €20m or 4% of annual turnover (whichever is greater).

7. Don’t panic, but be prepared

GDPR is an evolution, not a revolution. The Data Protection Act already requires that data is processed fairly and lawfully, so charities that comply with it today shouldn’t have too much more to do.

So don’t panic – take it as an opportunity to review how you process data already and make sure you’ve got plans in place to make any changes that you need to be ready for next May.

Source: The Guardian
