How charities can ensure they are GDPR compliant
In her first blog Val Surgenor gave an overview of the new general data protection regulation (GDPR) and the potential impact it may have on the third sector. In this latest blog she takes a closer look at the impact of the GDPR on fundraising and marketing.
Data is a key fundraising resource for third sector organisations – it is how supporters are identified, contacted and often how they are made aware of fundraising campaigns. However, with data comes responsibility for protection of that data. The GDPR will reform the current data laws in the UK as of 25 May 2018 – meaning direct marketing and consent will face significant change and influence how charities raise funds in the future.
Preparing for the change now will ensure that charities don’t lose out on potential funding come 2018 because their marketing practices aren’t GDPR compliant.
So, what do charities need to know?
1. Affirmative consent – the demise of the pre-ticked box
A donor’s or supporter’s consent to receive your newsletters, updates and information on your latest campaigns will need to be “affirmative” to be lawful. What does “affirmative” mean? It includes a clear positive action such as ticking an unticked box on a website (the opt-in); reliance on silence, inactivity or a pre-ticked box will be explicitly excluded as a means of consent. Reviewing early how you obtain consent, and what information you give people at the point of collection, is good practice in itself and is also the first step in preparing for the GDPR.
2. Rights of supporters and donors
Under the GDPR, your supporters and donors will have the right to:
• “Withdraw consent” at any time, and it must be as easy for them to withdraw it as it was for them to give it – once a supporter or donor withdraws consent, the charity must stop using his or her personal data for that purpose, and must erase it unless another lawful basis (for example a legal obligation to retain financial records) still applies; and
• Object to receiving your direct marketing – on objection you must stop using the individual’s personal details for direct marketing and erase them “without undue delay”.
To avoid fines, consider now how you would ensure that supporters and donors are not contacted once they have withdrawn consent or objected to the use of their information – for example, by keeping a minimal suppression record so that an individual who has objected is not re-added to a mailing list from another source.
Why should charities care?
• Reputation – charities and their fundraising practices have been under the spotlight in recent months, and failure to comply with the GDPR may fuel public distrust in fundraising.
• Sanctions – major breaches of the rules around consent could result in fines of the higher of 4% of your global turnover or €20m. This makes the current maximum fine in the UK of £500k seem (almost) insignificant.
How can charities prepare?
2018 may seem a long way off, but in preparation terms it isn’t. Charities must think about preparations now to ensure that they are GDPR ready by spring 2018:
• Review procedures used to seek, obtain and record consent (“Know Your Data”);
• Review and revise privacy policies and notices to ensure compliance – say goodbye to your pre-ticked boxes; and
• Look at the consents you already have and decide whether they meet GDPR standards.
Val Surgenor is a partner at MacRoberts LLP. Its team of data protection specialists can provide expertise and advice to charities wishing to adopt a proactive approach to compliance preparation.