The current legislation on data protection and e-privacy is being shaken up and is set to change from 25 May 2018. In this post, we set out the key requirements relevant to the marketing activities of UK charities so that you can get ahead of the game and be confident you are fully compliant. At the end of the post is a free compliance checklist.
Introducing the GDPR and ePrivacy Regulation
The new legislation will be based on two EU regulations:
- The General Data Protection Regulation (GDPR), which is set to come into force in the UK from 25 May 2018 and lays out general rules about data protection.
- The proposed new ePrivacy Regulation, which will set out specific rules applicable to digital systems like your charity website.
Why should I care?
You should care for two reasons:
- First the carrot: the legislation contains sensible provisions to make life better for consumers. By ensuring compliance you should also be improving the quality of experience that people have when they engage with your charity.
- Second the stick: there are substantial fines for non-compliance.
What do I need to know?
As a charity marketer, you don’t need to know everything about the new legislation but you need to be aware of certain key points.
GDPR - the biggest change is around consent
The GDPR sets out the lawful bases for processing personal data. The first and most important lawful basis is the consent of the data subject (i.e. the person whose details you are storing).
Consent means offering people genuine choice and control over how you use their data and the new rules are much clearer about exactly what this means.
Under GDPR, consent must be:
- Unbundled - separate from general terms and conditions
- Active opt-in - no pre-ticked boxes
- Named - clear who is being given consent, not just ‘third parties’
- Documented - records are kept of the consent
- Easy to withdraw
The GDPR also introduces special considerations to make privacy information clear when targeting children.
ePrivacy Regulation - changes to cookie compliance
The ePrivacy Regulation is still in development, but it looks likely that it will tighten the restrictions on anonymously tracking user behaviour online (often done through ‘cookies’). The current law around this has always been unsatisfactory, leading many websites to adopt pop-ups telling users they are being tracked but offering them no alternative other than not using the website. In line with the general principle of active opt-in for consent contained in the GDPR, the new ePrivacy Regulation is likely to force websites to offer users a genuine choice about whether or not their usage is tracked while they browse.
How does GDPR affect my charity?
Collecting supporter information
When you collect supporter information on your website you must give the supporter a clear option about whether or not they give consent for their data to be processed and for what purposes. If you don’t get consent at this point, through a clear opt-in, then you don’t have permission to use that data. For example, on a donation form, you will need an unchecked checkbox asking whether the donor would like to receive updates. On newsletter subscription forms you’ll need to explain clearly what the subscriber will receive.
Storing supporter information
Storing information securely is already important and will only become more so. GDPR requires you to keep records demonstrating that your supporters have actively opted in. This means that across all the systems in which you store personal data you also need to store communication preferences, and be able to associate each preference with the communication through which the supporter actively opted in. This will require a new level of integration and data management for many small charities.
A simple solution to this will be to store a note on the person’s record in your CRM or database referencing the way they signed up and how they opted in. However, you will also need a robust system for managing changes in preferences when requested by supporters. Many email marketing systems offer these as standard, though bringing that data back to your database can be difficult. A manual approach would be to run monthly reports from your email marketing software listing who has unsubscribed.
Communicating with supporters
When you send communications to supporters you will need to be confident that they have opted in to the particular type of communication you are about to send. Knowing this relies on the integration and data management mentioned in the last section. You must also be confident that you are giving your supporters a simple way to opt out of communications. For email newsletters, this should come in the form of an ‘unsubscribe’ or ‘manage preferences’ link at the bottom of the email.
GDPR applies to historical data, not just data collected after GDPR comes into force. Depending on the quality of your existing systems and the way you collected data in the past, this means you may have to proactively contact your existing supporters to ensure that they have actively opted in to your charity communications.
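The consent record described in the two sections above (one record per named purpose, tied to the form it came from, withdrawable on its own) and the monthly unsubscribe-report reconciliation can be sketched in a few lines. This is an added illustration, not code from the original post or from any CRM product; the supporters, purposes and report format are constructed for the example.

```python
import csv
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class ConsentRecord:
    purpose: str                  # one named purpose, e.g. "email_newsletter" (unbundled)
    source: str                   # the form or message through which the opt-in was given
    given_at: datetime            # when the supporter actively opted in
    withdrawn_at: Optional[datetime] = None

@dataclass
class Supporter:
    email: str
    consents: list = field(default_factory=list)

    def record_opt_in(self, purpose: str, source: str, at: datetime) -> None:
        # A record exists only once the supporter acts: there is no pre-ticked default.
        self.consents.append(ConsentRecord(purpose, source, at))

    def withdraw(self, purpose: str, at: datetime) -> bool:
        # Withdraw one purpose only; consent for other purposes is untouched.
        changed = False
        for c in self.consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at, changed = at, True
        return changed

    def may_contact(self, purpose: str) -> bool:
        # The pre-send check: a live, documented opt-in for exactly this purpose.
        return any(c.purpose == purpose and c.withdrawn_at is None for c in self.consents)

def apply_unsubscribe_report(crm: dict, report_csv: str, purpose: str) -> dict:
    # Bring unsubscribes exported from the email marketing tool back into the CRM.
    # Emails the CRM does not know are reported rather than silently dropped.
    updated, unknown = 0, []
    for row in csv.DictReader(report_csv.splitlines()):
        supporter = crm.get(row["email"].strip().lower())
        if supporter is None:
            unknown.append(row["email"])
        elif supporter.withdraw(purpose, datetime.fromisoformat(row["unsubscribed_at"])):
            updated += 1
    return {"updated": updated, "unknown": unknown}

# Constructed sample data (hypothetical supporter and export), not a real report.
T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
CRM = {"ann@example.org": Supporter("ann@example.org")}
CRM["ann@example.org"].record_opt_in("email_newsletter", "donation form", T0)
CRM["ann@example.org"].record_opt_in("postal_appeals", "donation form", T0)
SAMPLE_REPORT = "email,unsubscribed_at\nann@example.org,2018-06-01T09:00:00+00:00\nzed@example.org,2018-06-02T10:00:00+00:00\n"
RESULT = apply_unsubscribe_report(CRM, SAMPLE_REPORT, "email_newsletter")
```

After the report is applied, the newsletter consent is withdrawn while the separate postal consent survives, and the unknown address is surfaced for someone to investigate rather than lost.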
Tracking website usage
The new ePrivacy Regulation will make it harder to track website usage through systems like Google Analytics. The reality is that many small charities do not have the resources to make the most of tools like Google Analytics anyway. But for those that do, this new legislation will raise the bar and investment is likely to be needed to allow users an active choice between browsing with tracking and browsing without. It will no longer suffice to offer them the choice of accepting tracking or leaving the website.
GDPR & ePrivacy compliance checklist
- Written policy - Adopt a written policy in which you document your approach to data protection.
- Specify management responsibility - assign someone responsibility for charity data protection and document this in your written policy.
- Staff training - regularly offer staff training on practical data protection issues like clearing out old information, keeping their access passwords secure, etc.
- Registration with the ICO - register your charity with the ICO (Information Commissioner’s Office) as an organisation that processes personal data.
- Responding to requests - adopt a written policy to deal with requests individuals may make to access their personal data or have it removed from your systems.
- Appropriate collection - audit your systems to ensure the data you collect is (a) the minimum data for legitimate business need and (b) kept up-to-date.
- Appropriate disposal - include within your written policy details about how you will ensure that unused and out-of-date data will be safely disposed of.
- Security - include within your written policy the steps you have taken and will take to ensure the systems you use to process data are secure.
- Outsourcing - you are responsible for data processed on your behalf by a third party so check that their processing is also compliant.
Integrated CRM solutions
GDPR will provoke charities to think hard about integration between their various systems. At White Fuse, we have extensive experience of integrating websites and CRMs, and for small charities our Hubble platform is a secure cloud-based solution that brings website, fundraising and CRM functions together, thereby alleviating many of the concerns small charities have about GDPR compliance. For more information visit the Hubble website or get in touch with us to discuss options.
If this article has got you thinking about compliance more broadly, check out our quick guide to the legal requirements affecting charity websites in the United Kingdom: what to do, where and why.