Published: 14 October 2017
Area of Law: Data Protection
Are charities up to speed with the changes to managing data?
According to the Institute of Fundraising’s recent GDPR survey of more than 300 UK charities, a fifth haven’t yet taken any steps to get ready for the changing regulations and what they mean for them. So what do charities need to do first?
Understand the flow of data
The GDPR process needs to permeate all touch points between charities, their service users and supporters. From the first contact, the GDPR requires organisations to be completely transparent about how they collect, process, store and pass on actual or potential donors’ personal data. Unless a charity has complete visibility of all its data flows, including any wealth screening it conducts, it cannot hope to be able to satisfy this most basic of requirements.
Manage your consents carefully
Understanding the basis of processing and ensuring that consent is appropriately obtained and managed is key. The GDPR, and in particular the ICO’s draft guidance on consent, mean that consent is no longer the easy fallback that it probably should never have been. Consent now needs to be specific, informed and given by a positive statement. A number of charities (including the RNLI) have moved to an opt-in model for direct marketing – is this right for your organisation?
Have a robust subject access request process
Managing the data sets that are collected from service users and supporters will be key. The GDPR requires organisations to only collect the necessary personal data required for the processing to be carried out. Whilst this is fundamentally no different from the position under the existing legislation, enhanced awareness of an individual’s rights under the new regime, together with the removal of the fee for subject access requests, means that fundraising charities in particular should expect a significant increase in subject access requests. Minimising and streamlining the information that is held about supporters and service users will make responding to these significantly easier.
Ensure your staff are trained
To be able to meet the GDPR requirements, your staff and volunteers need to be trained to ensure that they follow best practice whenever communicating with supporters and service users, particularly when taking information from them. Consistency is key! Staff should also be aware of the Fundraising Code of Practice and the restrictions it seeks to impose on the use of personal data, such as the general opt-out arrangement for individuals in accordance with the Fundraising Preference Scheme.
Carry out Data Protection Impact Assessments
Carrying out Data Protection Impact Assessments will also support charities hoping to enhance trust. By properly understanding the impact that the introduction of new processes will have on the use of personal data, charities will be able to explain the benefits of the processing to their supporters and service users. Additionally, knowing that the associated risks have been properly managed allows supporters and service users to engage with the charity with greater trust. This is likely to be particularly relevant in the context of wealth-screening technologies, which can build up detailed profiles of potential donors.
The transition to the new world of GDPR is likely to be a challenging process for a number of charities. However, if managed correctly, the sector can use it as an opportunity to engage with its supporter base and increase trust with service users, rather than merely as a series of hurdles and red tape to navigate.