The legislation on data protection and e-privacy was shaken up on 25 May 2018. In this post, we set out the key requirements relevant to the marketing activities of UK charities and voluntary organisations so that you can be confident you are in full compliance.
Introducing the GDPR and ePrivacy Regulation
Data protection legislation that applies to charities and voluntary organisations is based on two EU regulations:
The GDPR contains no exemptions for charities or voluntary organisations.
Why charities and voluntary organisations should care
You should care for two reasons:
What do I need to know?
As a charity marketer, you don’t need to know everything about the legislation but you need to be aware of certain key points.
Principle-based not rule-based
The old Data Protection Act 1998 was a principle-based legal structure and the GDPR continues that approach. This means that rather than a set of rigid rules, the law gives broad principles that will be applied differently by different organisations depending on their circumstances.
Here are the six data protection principles contained in the GDPR:
Many of these GDPR principles are similar to the preceding data protection principles but we’ll discuss below some key data protection changes. We have a post and free template explaining what to include in your Data Protection Policy.
To process data you need a ‘lawful basis’
The GDPR sets out six lawful bases for processing personal data:
GDPR - the biggest change is consent
Much of the data processed by charities will be covered by the 'legitimate interests' basis and in those cases, no consent is needed. But most marketing activity done by charities will rely on consent as its lawful basis.
Consent means offering people genuine choice and control over how you use their data and the new rules are much clearer about exactly what this means.
Under GDPR, consent must be:
The GDPR also introduces special considerations to make privacy information clear when targeting children.
ePrivacy Regulation - changes to cookie compliance
The new ePrivacy Regulation is still in development but it looks likely that it will enhance restrictions on anonymously tracking user behaviour online (often done through ‘cookies’). The current law on cookie consent is unsatisfactory, leading many websites to adopt pop-ups telling users they are being tracked but offering them no alternative other than not using the website. In line with the general principle of active opt-in for consent contained in GDPR, the new ePrivacy Regulation is likely to force websites to offer users a genuine choice about whether or not their usage is tracked while they browse. A new 'best practice' is, therefore, emerging ahead of changes to the ePrivacy Regulation. For example, rather than an invasive pop-up that offers no choice, websites built on the White Fuse platform allow users to either accept or decline cookies that track their website usage.
How does GDPR affect my charity?
Collecting supporter information
When you collect supporter information on your website you must give the supporter a clear option about whether or not they give consent for their data to be processed and for what purposes. If you don’t get consent at this point, through a clear opt-in, then you don’t have permission to use that data. For example, on a donation form, you will need an unchecked checkbox asking whether the donor would like to receive updates. On newsletter subscription forms you’ll need to explain clearly what the subscriber will receive.
Storing supporter information
Storing information securely is already important and will only become more so. GDPR requires you to keep records demonstrating that your supporters have actively opted in. This means that across all the systems in which you store personal data you also need to store communication preferences and be able to associate those preferences with the communication through which the supporter actively opted in. This will require a new level of integration and data management for many small charities.
A simple solution to this will be to store a note on the person’s record in your CRM or database referencing the way they signed up and how they opted in. However, you will also need a robust system for managing changes in preferences when requested by supporters. Many email marketing systems offer these as standard, though bringing that data back to your database can be difficult. A manual approach would be to run monthly reports from your email marketing software listing who has unsubscribed. Users of the White Fuse platform can manage everything in one place: consent collection on donations and enquiries, secure data storage and sending email campaigns.
Communicating with supporters
When you send communications to supporters you will need to be confident that they have opted in to the particular type of communication you are about to send. Knowing this relies on robust integration between all the systems you use, as mentioned in the last section. You must also be confident that you are giving your supporters a simple way to opt out of communications. For email newsletters, this should come in the form of an ‘unsubscribe’ or ‘manage preferences’ link at the bottom of the email.
GDPR applies to historical data, not just data that has been collected after GDPR came into force. Depending on the quality of your existing systems and the way you collected data in the past, this means you may have to proactively contact your existing supporters to ensure that they have actively opted in to your charity communications.
Do I need a Data Protection Officer?
You already need to have someone in your charity responsible for data protection and the GDPR does not change that. However, it does introduce a new, more formal role called a Data Protection Officer (DPO). This role is unlikely to be required in most small charities. A DPO must be appointed if you:
Tracking website usage
The new ePrivacy Regulation (still to be finalised) may make it harder to track website usage through systems like Google Analytics. The reality is that many small charities do not have the resources to make the most of tools like Google Analytics anyway. But for those that do, this new legislation will raise the bar and investment is likely to be needed to allow users an active choice between browsing with tracking and browsing without. It will no longer suffice to offer them the choice of accepting tracking or leaving the website. For more details on this, read our post on cookie notices.
GDPR small charities compliance summary
More data protection resources for charity and voluntary organisations
Charities and voluntary organisations have a wide range of relationships with people and so inevitably end up collecting and storing a range of personal data. We have created a number of resources to help charities and voluntary organisations deal with their data protection responsibilities effectively.
This post explains the role of the Data Protection Policy as an internal document that explains how your organisation protects data and ensures compliance with your legal obligations in this area. The post and template provide a simple framework for carrying out this exercise thoroughly but efficiently.
A ‘cookie’ consists of information downloaded on to your computer when you visit a website. Cookies are widely used and can do a number of things, such as remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website. This post explains, in plain language, what you need to consider as a charity or voluntary organisation in relation to the data your website holds through cookies.
As well as giving people information about how you will process their data, you also need to hold it securely. This post covers what you can do to ensure your website is as secure as possible and to avoid having your website hacked.
Alongside data protection, there are a bunch of other legal issues that charities and voluntary organisations should consider. This post gives an overview covering topics such as company information and fundraising best practice.