In the first of a series looking at GDPR and what it means for charities, Andrew Cross, Data and Insights Lead at Lightful and one of the only GDPR Certified Practitioners in the beyond-profit sector, explores the basics of the new regulation.
If you’ve not heard of the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, then where have you been hiding? OK, so maybe you’ve heard of it but not actually done anything about it yet. Don’t worry, it isn’t too late to read up and start on the road to compliance.
GDPR is a replacement for the Data Protection Act (DPA, 1998). It aims to standardise the way Personally Identifiable Information (PII) is handled by Data Controllers (i.e. organisations that collect personal data) and Data Processors (i.e. third parties you share data with), whether they are established within the EU or operate outside the EU and process data on EU nationals. If you are processing personal data within the UK, we advise that you register with the ICO as soon as possible.
Ultimately it gives control and ownership of data back to the individual. In terms of compliance, this is what you should adhere to now; however, it does not become enforceable until 25 May 2018.
Data controllers vs processors
Let’s take Charity A as an example. This charity will generally be considered a Data Controller, collecting the data of supporters in order to engage and communicate with them in a variety of ways. One of these ways may be to send out direct mail via a fulfilment house (which would take on the role of a Data Processor). The vast majority of charities will fit into the Data Controller category and will be ‘processing’ some data even if that means just ‘storing’ the information. And it isn’t just supporter data; it also applies to staff data, service user data, trustee data etc.
I hate to break it to you but…
GDPR doesn’t just affect the charity sector. It applies to every sector and every organisation, no matter your size or whether or not you have a ‘data person’, so decide now who is going to lead on GDPR compliance in your organisation. And if you fall foul of the law, you will face consequences, which could include a fine from the ICO, enforcement notices, audits and even possible prosecution. Read more about the action the ICO could take.
So what can you do, starting today?
There are three areas to focus your efforts on, which many organisations will fall foul of, now and in the future: Consent, Retention and Subject Access Requests. Today we’re going to focus specifically on consent.
What do you mean by consent?
Defined as: “Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed” (ICO).
In plain English, this means that at the point of data collection (through whatever channel), the individual must be given a statement that corresponds to what their information is being used for. This should set out:
- Who will be storing the data (Data Controller)
- Any additional consents for contact via channels and specifying the purposes
But what does ‘consent’ mean in practice?
The difference between requiring “consent” and processing under “legitimate interests” is sometimes difficult to distinguish. The Institute of Fundraising’s (IoF) recent guidance has some pretty good examples in this area, but ultimately it stipulates that it comes down to the wording and policies that have been shown to the individual, in addition to their “reasonable” expectations. Legitimate interests apply only to communication via post and telephone (numbers not registered with the Telephone Preference Service), and can only be relied upon if the individual has been given a chance to opt out.
What does this mean for my charity?
For most charities, consent is the basis that should be relied upon, as stipulated by the Fundraising Regulator and the ICO, to ensure that engagements with supporters do not breach GDPR. The hard part here is the “re-consenting” of historical records and ensuring that you are not in breach of the DPA, GDPR and the Privacy and Electronic Communications Regulations (PECR, 2003) when doing this.
How do we obtain consent?
In terms of gaining consent, you cannot contact someone through “administrative” means to obtain consent for a channel, especially not on the channel in question. For example, you cannot email someone to ask if they would still like to receive emails from you; you would need to request consent through another channel (e.g. post, providing you have permission on that channel) to ascertain the email opt-in.
Is there a time limit on consent?
A period of two years is being suggested as “reasonable” but has not been confirmed. This will be a kick in the teeth for charities who segment using the Recency, Frequency and Value (RFV) technique, as these supporters often do re-engage after a two-year period and this method is often cheaper than acquiring new supporters.
What are the rules for recording consent?
Storage of consent is required, but technically this is rather difficult: many of the larger Customer Relationship Management (CRM) platforms do not currently have the capability to store the level of detail that GDPR requires. Development of these capabilities is likely to cut it fine with the enforcement date, on top of all the work required to validate those historical records.
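To make concrete what a consent record with the required level of detail might look like, here is an added example (not code from the original post or from Lightful) of a minimal append-only consent register. It stores who consented, on which channel, for what purpose, which statement wording they saw and how the consent was captured; it applies the suggested two-year validity window from the section above as an assumption, and enforces the rule that you cannot ask for consent on a channel by using that same channel. Field names, the two-year default and the sample supporter are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed validity window: the post says two years is "suggested", not confirmed.
DEFAULT_VALIDITY = timedelta(days=2 * 365)

@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str         # supporter identifier (hypothetical)
    channel: str            # channel consented to, e.g. "email" or "post"
    purpose: str            # what the data will be used for
    statement_version: str  # version of the wording shown at collection
    collected_via: str      # channel through which the consent was captured
    collected_at: datetime
    opted_in: bool          # True = affirmative opt-in, False = withdrawal

class ConsentRegister:
    """Append-only log of consent events, so each decision can be evidenced."""

    def __init__(self, validity=DEFAULT_VALIDITY):
        self.records = []
        self.validity = validity

    def record(self, rec):
        self.records.append(rec)  # never overwrite: the history is the evidence

    def latest(self, subject_id, channel, purpose):
        hits = [r for r in self.records
                if (r.subject_id, r.channel, r.purpose) == (subject_id, channel, purpose)]
        return max(hits, key=lambda r: r.collected_at, default=None)

    def has_valid_consent(self, subject_id, channel, purpose, at):
        rec = self.latest(subject_id, channel, purpose)
        if rec is None or not rec.opted_in:
            return False  # never consented, or the latest event is a withdrawal
        return rec.collected_at <= at < rec.collected_at + self.validity

    def may_ask_for_consent(self, subject_id, target, via, purpose, at):
        # A request for consent on a channel must not itself use that channel,
        # and may only go out on a channel where valid consent already exists.
        if via == target:
            return False
        return self.has_valid_consent(subject_id, via, purpose, at)

def demo():
    # Constructed sample: one supporter who opted in by post on 25 May 2018.
    reg = ConsentRegister()
    t0 = datetime(2018, 5, 25)
    reg.record(ConsentRecord("supporter-1", "post", "newsletter", "v1", "post", t0, True))
    return reg, t0, t0 + DEFAULT_VALIDITY
```

Because the register keeps every event rather than a single yes/no flag per contact, a withdrawal or a re-consent is recorded alongside the original opt-in, which is the detail a CRM needs to hold to evidence consent later.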
Is there anything we can do now?
Absolutely. Ensure that every piece of communication you send out (both offline and online) prior to the enforcement of GDPR (25 May 2018) includes a form for people to opt in to receiving future communications from you. Really think about the language, how you convey the urgency, and how important it is for them to actively give consent to hear from your cause.
Tune in to Andrew’s next post to find out about Data Retention and Subject Access Requests, and what these mean for your charity too.