Mention the letters GDPR to your average charity and you might evoke emotional responses ranging from guilt, to frustration, to outright panic. But it isn't all doom and gloom: Matthew Moorut, Head of Marketing for Charity Digital, discusses the positives for the sector and how charities are likely to benefit from the new regulation, emerging stronger than ever after the 25th May.
CDN: Why do you think GDPR is good for charities?
There are massive benefits for charities in having sound data retention policies in place. To put GDPR in some context, it came into being not just on the whims of the EU because they woke up one morning and decided that Facebook and Google have too much data. It’s been the result of a continuous period of improvement in terms of strengthening data subjects’ ability to manage the data that they, by rights, should own. The core of it is underpinned by the strengthening of human rights regulation. If organisations approach GDPR from that angle, then especially charities who are looking out for beneficiaries and also their supporters, they should be acting in the best interests of both of those groups.
Realistically, many charities’ fundraising attempts in the last couple of years have been unethical, in terms of practices like putting targets on fundraising, cold calling, spamming and profiling data that they’ve brought in through lists, where individuals haven’t realised that they gave away their data in the first place. And while that might work in terms of getting the money in, charities, like all organisations, should have a wider view of what they’re trying to achieve - part of that involves maintaining a positive relationship with the supporters they cherish so much.
Some of the large charities haven’t been toeing as good a line as they should have done. GDPR is an opportunity to build some of that trust back with the public, to show that charities are leading the way for individuals’ rights and data.
CDN: Do you think there is too much scaremongering and negativity around GDPR?
There is so much scaremongering about what could happen if you don't comply, but it isn't necessarily a bad thing. A focus on data security not only mitigates risks from the perspective of having a breach, but it also puts the focus on better security measures generally in an organisation, which is really important. Actually, cyber attacks are just as prevalent with charities as they are in other types of organisations, and charities often have more sensitive data than other corporate organisations do.
It’s quite difficult to get things like data privacy or security onto trustee board minutes or agenda items because it’s seen as a cost for the sector, whereas in a commercial organisation you’d do a risk benefit analysis and say ‘if we had a breach we’d lose x amount of money’. In the charity sector you tend to try and spend as much as possible fulfilling your mission but things like IT infrastructure, training and security are costs not directly linked to the cause. This means that oftentimes those important things get missed out. For small charities especially, all the attention on GDPR means they can now act where in the past they may have struggled to get buy-in from the trustees.
CDN: For charities that are just now getting their houses in order, what is your advice?
It’s not something that needs to necessarily add too much burden to organisations, as long as they start with basic steps like awareness on an ongoing basis (see our handy infographic here). Trying to start out with data in a sensible, well-structured architecture not only means you will likely be more secure, but you can also take advantage of things like business intelligence. You can potentially use the data that you hold to work out cool new ways of looking at your mission that you may not have been able to think about without that sort of data architecture, whether that’s around improving your fundraising or service delivery.
There is a lot of misinformation going around on GDPR and consultants looking to make a quick buck off it. For any charity who isn’t sure if they’re getting the right advice, their first port of call should be the ICO’s guidance - they have a lot of charity-specific information but also a lot of information on different elements of the regulation, like legitimate interest.
Until there have been fines doled out under GDPR around some of the elements of it, it’s difficult to know exactly what’s allowed and what’s not, but do keep following the ICO's latest news and guidance.
Our view at Charity Digital is that regardless of whether there is a high likelihood you'll get investigated by the ICO you should be looking to follow the principles of the GDPR, because it’s in the best interests of your key stakeholders, your beneficiaries and supporters.
For a quick guide to GDPR for charities, go here to view the infographic: ‘A last minute GDPR checklist for charities.’