If you work in the third sector, you're probably aware that on 25 May, 2018 the toughest privacy law in European business history - the General Data Protection Regulation (GDPR) - comes into effect. A great deal of misinformation has been published online about how certain aspects of the GDPR will - and importantly won't - affect not-for-profit organisations, but charities have to comply with the new data protection legislation just as businesses will.
Managing concerns around data protection and marketing consent is nothing new for not-for-profit organisations. But once the GDPR comes into force, breaking data protection legislation carries much stricter enforcement and far higher financial penalties from the Information Commissioner's Office (ICO), in the range of €20 million or 4% of total worldwide annual turnover. Fines should not be a charity's only concern, however. If a charity fails to handle personal data correctly and a breach occurs, it risks harming its relationships with supporters, which could lead to long-term reputational damage and a loss of trust from the donors it relies on.
With the goodwill of donors critical to fundraising, and many high-profile charities having previously come under fire for their questionable use of data, not-for-profit organisations need to get GDPR compliance right. Supporters certainly won't want to see their donated funds used to pay fines that could have been prevented. Compliance is also key to giving donors a good experience when they engage with their cause, and to communicating the charity's work in a way that galvanises future support.
Building and maintaining a GDPR compliant fundraising database
The GDPR requirements will be felt throughout an organisation, affecting marketing, volunteer management, campaigning, fundraising and keeping details of service users on file - in short, anything that involves storing or processing the personal data of individuals (donors, employees, volunteers etc.). Large charitable organisations are therefore dealing with potentially hundreds of thousands of records, and these are arguably an NFP's most valuable asset, if managed correctly.
Here are a few things to be aware of when establishing and managing a GDPR-compliant database:
Anyone operating in the third sector should keep a very close eye on the ICO's website for further guidance over the coming months.
How will the GDPR impact the Fundraising Preference Service?
Created by the Fundraising Regulator - the independent regulator of charitable fundraising, established in 2015 - the Fundraising Preference Service (FPS) gives the public choice and control over the communications and fundraising requests they receive from charities. Under the GDPR, the FPS will effectively allow charities to validate consent against a pre-existing database. All charities in the UK will be obliged to check whether an individual has given consent to receive marketing material from that charity. Of course, there are very specific record-keeping challenges when someone opts out of communications from a charity directly. How this will be updated and managed on the FPS system is yet to be seen.
Finding the opportunities
Given the huge impact on all the systems and processes that are core to running a charitable organisation, it's not surprising that many people in this sector with responsibility for data compliance feel daunted by the task ahead. But the opportunities presented by this change shouldn't be overlooked. By acting now, adopting a compliant approach to consent and data protection, and clearly articulating this to existing and potential supporters, charities can help to rebuild trust that may previously have been damaged.
Looking for a way forward?
Sytorus is one of the leading firms in data protection advice, working with NGOs and charities globally. We have experience of working with the top 20 NGOs in the world, have dozens of UK and Ireland charities as active clients, and are currently rolling out large-scale GDPR programmes for five leading not-for-profit organisations.
Sytorus provides lifecycle support, from assessing the current situation and identifying needs to managing the ongoing process of identifying and mitigating risk via our cloud-based SaaS product, Privacy Engine. Our approach is specifically designed to provide a working framework that rapidly brings an organisation up to a level where it can achieve all of the above in a practical and efficient manner.
If you'd like to find out how our lifecycle approach can help you identify and manage risks across your organisation, and provide a simple way of managing and mitigating those risks on an ongoing basis, contact our Dublin team on +353 (0)1 683 3314 or email firstname.lastname@example.org, or contact the London team on 0207 936 9442 or email email@example.com.