On 25th May 2018 a new EU Directive on data protection comes into force and this will have an impact on the way that fundraising operates. It is the most significant overhaul of data protection legislation for over 25 years and, despite the UK’s decision to Brexit, data protection specialists agree that UK organisations will still have to adhere to the directive.
This is because it is not absolutely clear what will happen and when. The most likely reaction will be that the UK will give notice to leave the EU, using the procedure set out in article 50 of the Treaty on European Union. This then triggers the need to agree withdrawal and future relationship terms with the EU.
Agreeing terms will probably take more than two years, so at the earliest the UK will leave the EU in late summer 2018, but if giving notice to leave is delayed, departure may be in 2019 or 2020. Consequently, when GDPR comes in on 25th May 2018, it is likely we will still be members of the EU and therefore bound by the laws of the Directive. As a result, it is likely that when we leave we will adopt all or most of GDPR as domestic legislation.
GDPR – General Data Protection Regulation – demands an opt-in system of fundraising and non-compliance could result in severe sanctions including fines of up to four per cent of global turnover. Unlike the proposed FPS (Fundraising Preference Service) which is likely to operate on an opt-out model (and as recently reported is likely to only be in operation until GDPR comes into force), GDPR will require fundraisers to send direct marketing materials only to people that have explicitly agreed to receive such mailings, calls or house visits. What this means is that charities will only be allowed to seek donations from existing donors (provided their data meets the new conditions) or prospects that give their unambiguous consent for their data to be used.
The directive also states that individuals will have a right to object to having their data processed and this right will have to be explicitly brought to their attention. Consequently, charities will need to review their systems well in advance of the new regulation taking effect.
The major changes that GDPR will bring are:
· More rigorous requirements for obtaining consent for collecting personal data
· Raising the age of consent for collecting an individual’s data from 13 to 16 years old
· Requiring a charity to delete data if it is no longer used for the purpose it was collected
· Requiring a charity to delete data if the individual revokes consent for the charity to hold the data
· Requiring charities to notify the relevant data protection authority of data breaches within 72 hours of learning about the breach
· Establishment of a single national office for monitoring and handling complaints brought under the GDPR
· Increased fines for non-compliance
So charities have two years to get ready for GDPR. This should be seen as an opportunity rather than being viewed as a negative. Our recommendation is to use the time as a way to build a compliant and effective donor pool. All existing data should be stringently audited and any records that would be considered non-compliant in 2018 should either be deleted or made compliant. Fundraisers should also use the next 23 months to focus on a data recruitment campaign – i.e. gaining consent from consumers to hold their data within a database. These individuals can then be communicated with in the future and potentially activated as donors. If they are not signed up now, gaining their opt-in consent in the future will be much harder.
Once the compliant database is built, maintaining it is crucial. Out-of-date data could be the single biggest reason for ICO sanctions. Moreover, good data hygiene practices such as screening against goneaway and deceased suppression files will also mean that charities can retain valuable opted-in contacts by not losing track of people who move house (around seven million people each year), and avoid the risk of alienating supporters that have suffered bereavements by mailing the deceased. As every marketer knows, acquisition is more costly than retention, but when GDPR comes into force the onus on retention will become even more important, as fundraisers can ill afford to lose valuable opt-ins from their databases.
Karen Pritchard is Product Director, Wilmington Millennium Mortscreen.
Main image: People’s consent – Jakub Grygier on shutterstock.com