Understanding the ‘what’, ‘when’, ‘why,’ ‘where’ and ‘who’ of data privacy will not only help protect your charity; it will also give you an opportunity to deepen engagement with supporters. Here are the key things you need to know.
By J Cromack
Privacy policies or notices are under intense scrutiny from a distrustful public as well as regulators. With new legislation looming in the form of the EU General Data Protection Regulation (GDPR), now is the time for fundraisers to get data privacy right. Because getting it wrong could prove a very dangerous and costly error.
Preferences are not consent
A common misconception – which could be a charity’s undoing – is that the new requirement under the GDPR is simply to update marketing preferences. This is not the case. From meeting and talking regularly with charities and, in particular, their fundraising teams, we’re already aware how quickly conversations can switch from consent back to marketing preferences for campaigns. In part, it’s understandable – it’s the language charities are familiar with using. You routinely ask supporters how they would prefer to receive information. In turn that’s a tacit understanding that consequently, you have the customer’s consent.
But this is getting data protection wrong, and it’s a point that can’t go unchecked, not only because of the GDPR, but also due to the ongoing scrutiny by the Information Commissioner’s Office (ICO) around current practices regarding personal data – an issue that came to a head in December when the ICO ruled against the British Heart Foundation and the RSPCA, closely followed in January with notification that another 11 charities had been advised of impending action.
The following five questions, centred on the ‘what’, ‘why’, ‘who’, ‘when’ and ‘where’ of data privacy, will be key to you ensuring your charity does not fall foul of the new regulation:
1. WHAT data are you collecting?
Currently, our research shows only 61% of charities provide a statement about the collection of personal data in their privacy policy. It’s crucial we’re clear on the facts. The questions around personal data are not just “what piece of marketing literature we can send?”, or “can we call or visit these supporters?” Citizens, and organisations, need to know exactly what data has been collected, across every system, and what is in use by every department and for what purpose. And this all needs to be mapped.
The act of profiling is one area of data analysis that can be misconstrued by the market. Donor profiling should be about communicating and engaging with supporters by presenting them with the right message, at the right time. The ICO expresses that you need to be transparent about the personal information you collect, especially if you use it for insight by adding to it with other consented publicly available information. Yet our research highlighted that 73% of charities do not mention donor profiling in their privacy policy.
2. WHY are you collecting it?
Next, charities need to show why the data was collected in the first place. Organisations need to be clear on the purposes for which they are using data and ensure they have justifiable lawful reasons for collecting and processing this data. Where legitimate interests do not cover this, it is likely that charities will need to have gained specific consent before data can be collected under the new GDPR requirements. The World Economic Forum’s Research found that people believe 67% of organisations, companies and agencies ask for too much information online.
This is a really important part of the new regulations because it pertains to security of personal data. You only have to monitor your own response when you’re asked for information that you feel is not required for the purpose at hand.
3. WHO is using the data?
The next aspect is being clear on exactly who is using the data. From the moment you’ve collected a supporter’s personal information, you need to know exactly who will have access to the data, internally with other departments and externally with other partners and collaborators. It’s worth being aware that third parties will also be liable for penalties under the GDPR.
Data privacy currently only pertains to data controllers. However, under GDPR, those who process data are also liable. For charities, this means that not only do you have to be compliant, but all of your partners who use this data need to be compliant also. There is a considerable risk to charities if they get compliance wrong.
4. WHEN does the consent expire?
Charities will also need to record exactly when permissions were granted for use of personal data. The current regulation and guidance from the ICO says data should be retained for “no longer than is necessary for the purpose you obtained it for”. Our research shows that 82% of charities don’t say how long they keep data on record in their privacy policy. Research from Data IQ in 2016 showed that 21% of consumers believe that consent is only valid for six months. While this enables data to be disposed of, it does present a challenge for charities to have a system that allows for time stamping when consent for data was obtained, and therefore notifying when consent is going to expire or allowing the safe and secure disposal of data. This element is key for the new GDPR. It is essential charities consider how long they need to retain data for and can show this period has been considered and documented.
5. WHERE does the data come from?
Finally, where consent is used as the basis for processing data, we should know where this permission is granted. This means the exact source and channel. This is different to knowing what source and channel we have permission to use to market to people. It’s knowing where data has come from, and having proof that the charity has the right to process that data, based on a clear consent statement or a well-documented and considered legitimate interest review.
The definition of consent
If we look at how GDPR defines consent, we can see how different it is to marketing preferences: “‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
It’s easy to focus on the end part, because “processing of personal data” is what charities have been doing and need to do. In many charities there are sophisticated systems that make it easy to segment customers according to their preferences. This provides powerful information from models that predict a supporter’s future interactions. It also highlights profiles to direct fundraising teams into the market to find prospective customers who behave in a similar fashion to their most loyal supporters.
Equally, most charities will have opt-in and opt-out processes in place. However, just because your customers have opted in to receive information, that does not constitute explicit, “informed and unambiguous indication of the data subject’s wishes”. Nor have they given “clear affirmative action” about “agreement to the processing of their personal data”.
It’s this confusion that makes organisations think that GDPR isn’t that different to the existing DPA.
And here’s the crucial bit that needs to be totally front of mind when reviewing a consent capture strategy: consent is a right. It gives the individual total control. It means that they own their personal data, and they have to give permission for charities to use their data. This applies to any data that’s held about that individual. It might be data for marketing. It could be data used for the provision of services. It could quite easily be financial details. And that’s before we even get into specific consents required for sensitive data such as race, gender and health.
Proof of supporters’ consent
As a charity, you have to prove you’ve gained explicit consent. You’ve got to be able to either amend individual supporter details, and their permissions, or give the supporter access to a system that allows them to control their consents. And you’ve got to be able to erase any personal data held, not from just one system, but all the systems that you or your partners operate. And furthermore, you must inform any third parties with whom you have shared this data (obviously with the supporter’s consent).
Preferences are, on the other hand, just that: a statement of how a supporter prefers one thing above another. This might be the type of communication they prefer – they might prefer email to phone. They might prefer donating by standing order rather than direct debit. They may like to be contacted annually rather than monthly. These preferences do not, in any way, confirm consent. This doesn’t mean you need a preference management system and a consent management system – both can be managed together when the right audit trail is built into your data foundation. Just view consent at a more granular level. For example: “I am providing consent for you to use my address details to send me communications on appeals, but not about lotteries.”
An opportunity to deepen engagement
Now is the time not just to protect your charity, but to go a step further. To build and deepen the trust your supporters have. Improve your consent capturing procedures and update your policies. This will provide your charity with an excellent opportunity. An opportunity to seek your supporters’ permissions. An opportunity to engage at a deeper level. An opportunity to create a value exchange where both the supporter and you – the charity – will benefit.
Preferences versus consent: let’s get data protection right, from the beginning.
J Cromack is the CEO of Wood for Trees
You may be interested to know that the Fundraising Regulator will be presenting an update on changes to data protection and consent issues at the Successful Fundraising & Donor Cultivation conference on 27 April. Tickets are available for £295.00 which includes lunch, refreshments and plenty of networking opportunities. Click here to book your place.
