As pressure mounts for charities to comply with the new rules on data protection, fear and confusion abound – and the sector will need to boost its capacity and skill set in order to cope, says Fundraiser editor Jenny Daw
The sector is getting increasingly hot under the collar about the new General Data Protection Regulation (GDPR). Although the regulation doesn’t come fully into force until May next year, the Information Commissioner isn’t messing about: already it has fined 13 well-known charities for violating current data protection regulations.
Under the GDPR, charities will need to prove that they have the consent of the individual to collect, store and use their data. And to date, the commissioner has not been forthcoming with official guidance for charities on how to comply with this new requirement, leaving many in the sector feeling completely at sea.
Avoiding catastrophe
This greater value on personal and sensitive information is good news for the public, but not so much for any organisation that fails to comply with the new regulation. The stricter data compliance regime will undoubtedly lead to breaches, and with that the government has promised “effective and dissuasive” fines.
In the event of an unreported breach of personal data, organisations risk penalties from written warnings to regular audits, all the way up to 20m fines or up to 4% of their annual worldwide turnover. Along with these serious financial implications, the reputational damage that an organisation found in breach would suffer could be catastrophic.
Fundraising charities rely on information about their supporters to survive; such as names and addresses, financial information and other private data. Information such as this will always be integral to the fundraising process, and the storage and safety of this information will be too. But the GDPR’s rules around proving consent necessitate new processes at the back and front ends of data collection – and it’s going to be hard work. The fundraising sector has a lot of fundamental changes to make in a short amount of time.
Essential criteria for senior fundraisers
With so much to learn and do, there may well be a need for organisations to take on new talent and skills to push these changes through.
Bruce Tait, chief executive of charity recruitment consultancy BTA, says: “We’re noting that awareness of data management issues is now becoming part of the essential criteria for all senior fundraising jobs. It is also certainly the case that charities are recruiting additional staff, most usually a donor development or individual giving fundraiser, partially to help them understand and navigate GDPR and the associated sectoral issues.
“While these roles aren’t specifically compliance jobs, they probably wouldn’t exist unless there was this current period of unease and confusion. It’s inevitable that the larger charities will start to recruit GDPR compliance specialists – in the way that companies employ brand and quality assurance staff”.
Christian Propper, senior consultant and director of business intelligence for global fundraising consulting firm, Graham-Pelton, sees at least three areas in which recruitment could benefit:
“First, marketing: using marketing channels to recruit new donors will become ever more important for charities. No longer can contact details be bought – the charity will need to earn them. Good marketers will therefore be in demand.
"Secondly, there could be roles for data analysts – it is still too early to tell to what extent prospect research activities will be affected, but if charities will indeed have to rely less on publicly available information, a charity needs to be able to interpret the data it already has better.
"Third, there may be a need for more relationship fundraisers who can explain how a charity operates, and seeking consent is easier to do in person.”
Making the transition: recruitment opportunities
It is becoming clear that GDPR compliance is certainly something every single fundraising organisation is going to need to look at spending significant man hours on to prevent another avenue for cash haemorrhage. Combine these issues and the sector faces have a big cash allocation, communication, staffing and recruitment challenge in the near future.
Larger organisations dealing with huge amounts of sensitive data may well need to create distinct compliance departments consisting of information security experts. And the skill set required for compliance is technical and specific; characteristics which often come at a high price.
Christian says: “I fear that it will be easier for larger charities to adapt to this new fundraising model and that smaller charities will struggle. If the small charities cannot build up a sufficiently large enough prospect pool, they will not bring in the necessary income required to stay operational.”
Waking up to the challenge
At this point in time, it is unclear exactly how ready organisations feel for the changes brought in by the GDPR. “Most are somewhere on a scale from ‘confused’ to ‘terrified’,” says Bruce.
As we are now halfway through the two-year transitional adoption period, it’s hoped that all organisations will have already begun to implement the necessary changes to achieve compliance. But, says Christian, “unfortunately, it’s only now that charities are waking up to the fact that they cannot carry on as they used to.”
Christian says charities will have to change the way they work. “Seeking consent is the new donor recruitment, and it will require a really clear marketing message to explain to potential supporters not just how their personal information will be used by them, but why. In the long term, this can only build increased trust between a donor and the charity.”
Trust is a vital commodity in the fundraising sector, and once the trust of your donors and supporters has been damaged, it’s hard to get back. All it would take would be a well-timed Freedom of Information Act request to an unready organisation from a media outlet and the fundraising sector could potentially suffer another embarrassing setback. And so everyone in the sector has a responsibility to ensure that they’ve taken every precaution to make effective changes to their data collection and storage policies. Sourcing new talent will be a big help to many in this regard.
The GDPR Call For Views was released on 12 April and encourages any stakeholders to make their views on the derogations of the regulation heard. You have until 10 May to submit your views.
Jenny Daw is editor of The Fundraiser
