18 Aug You can’t opt out of the General Data Protection Regulation (GDPR).
GDPR is coming. I know because people keep telling me that it’s coming and that I’d better get ready. And until a few days ago, I wasn’t ready! In fact, until a few days ago I didn’t even really know what GDPR was. But, I can take comfort in the fact that I am not alone. A recent survey from Civil Society Media found that the charity sector is “significantly unprepared” for GDPR. Worse, 55% of respondents said that they think their organisation will suffer because of GDPR – whether it be because they can’t contact their donors (60% said this was a concern) or by losing income (49% said this). So, before I go any further, we should probably talk about what GDPR is!
What is GDPR?
Quite simply, it’s a new EU-wide law on data protection. It replaces the patchwork of national laws built on the 1995 Data Protection Directive with a single general data protection regulation. Importantly, it gives people in the EU and in Britain (yes, it will apply here even after we’ve left the EU) more control over their personal data, strengthens their existing rights, and gives them some new rights. Also, it’s worth noting that GDPR applies to you if you store, process, or share data about people in the EU, even if your organisation is not based in Europe.
It comes into effect on 25th May 2018. That might sound like a while away, but you really need to be getting ready now – the ICO have made it very clear that come May everyone will need to be compliant, and not having had time to prepare will not be an adequate excuse.
GDPR applies to ‘personal data’, and throughout this blog I’ll talk about personal information and personal data a lot, so, to be clear, personal data means any information relating to an identifiable person (i.e. a real person who can be identified by the information you have about them). The definition of personal data in the GDPR is similar to that in existing data protection legislation, including things like name, address, health information, income, ethnicity, etc. But GDPR’s definition of personal data is more detailed, as it now also includes online identifiers (for example an IP address) as personal data.
To give an example more relevant to the kinds of data charities might hold, this would include things like a mailing list of supporters’ email addresses, or donors’ contact details and banking information.
People want this regulation.
Recent research by nfpSynergy found that people feel powerless when it comes to controlling how their data is used, in fact only 15% of people feel they have complete control over the data they give online. And we’re not just talking about how people feel about how businesses handle their data. Trust in charities continues to be low (45% of people say they are cautious of charities, 18% are suspicious, and 10% distrust them). 32% of people think there isn’t enough regulation on charities, and people think charities should be treated just as strictly as businesses if they break GDPR regulations.
So actually, a lot of people are talking about how GDPR can be an opportunity, “a chance to improve and regain much-needed public trust”. By obeying these regulations, and showing best practice when it comes to data protection, charities can show their supporters that they can be trusted with their personal information.
But, however you choose to look at it, GDPR will happen anyway! So let’s talk about what is happening.
Four key changes to take note of:
There are a number of changes coming, here are four of the big ones:
1. Consent.
In order to process someone’s personal information you need to have a ‘lawful basis’ to do so, and one of the main lawful bases is having the person’s consent to process their data.
GDPR raises the bar for what counts as consent. According to the Information Commissioner’s Office (ICO), consent must be “specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn”. To break that down a little:
- Specific – you need to say why you want their information and what you are going to do with it. This includes naming any third parties you will share their data with, it’s not enough just to say that people’s information will be shared with ‘similar charities’.
- Granular – the more options you can give people the better, break down the ways you’ll process their data and give them the option to agree to each individually.
- Clear – use plain English so people really know what they’re agreeing to.
- Prominent – all of this information has to be somewhere where people can definitely see it when they give their consent, it’s part of making sure they really understand what they are agreeing to.
- Opt-in – people have to actively agree; gone are the days where not opting out could be counted as opting in. Pre-ticked boxes, silence and inactivity don’t count as consent. Come May, if you rely on consent to process someone’s data (e.g. to send them emails), you need to be able to show that they actively opted in, and that includes people who gave you their information before May 2018. There is no exemption for older consents: either they already meet the GDPR standard, or you need to refresh them (or find another lawful basis) before May.
- Properly documented – you must keep records of consent and be able to show how/where/when people consented to you processing their data
- Easily withdrawn – it should be as easy to withdraw consent as it is to give it. For example, if people can sign up to a mailing list with a single click (like checking an opt-in box), then they need to be able to unsubscribe with a single click too.
This all sounds like a lot, and many people in the sector are concerned that this will mean losing a lot of contacts. But it doesn’t have to be terrible – when RNLI ran an opt-in only campaign earlier this year they got a three times higher response rate than usual. And given recent research suggesting that charity emails have a poor open and click rate (in fact, non-profits were the least opened category of emails), perhaps contacting a smaller group of people who do really want to hear from you can be a good thing.
It’s also worth remembering that consent is not the only lawful basis on which you can process someone’s data. There are others, for example if it’s necessary for a contract, if it’s necessary to protect the vital interests of the individual, if it’s necessary for the performance of a task carried out in the public interest (unfortunately, that doesn’t include fundraising asks, they are classed as marketing), or if it’s necessary for your legitimate interests and those interests aren’t overridden by the individual’s rights. Bear in mind, though, that the separate PECR rules on electronic marketing still generally require consent before you send marketing by email or text. For more on this, have a look at this ICO blog which shows that consent is not the only way to comply with GDPR.
2. Data handling.
The simplest element of this part of the regulations is that you have to use the data for the thing you said you were going to use it for when you collected it, and only for that. For example, if someone makes a donation, that doesn’t mean they’ve signed up to receive a newsletter from you; you would need a separate lawful basis for sending them the newsletter (for example, their consent). GDPR also sets out rules against ‘bundling’: you can’t tie one kind of processing to another so that agreeing to one automatically means agreeing to the other. You don’t need to send someone your newsletter in order to take their donation, so the two aren’t linked, and bundling them together breaks the rules.
In doing that, you also shouldn’t keep the data for any longer than is necessary for what you’re doing with it. There aren’t time limits set up in the GDPR itself, so you have to use your own judgement here – think about what you’re using the data for and how long that will take, and then only keep the data for that amount of time.
Plus, if you’re processing someone’s data for direct marketing, they have an absolute right to object to that at any time, and once they do you must stop. Importantly, you need to tell them about that right, clearly and separately from other information, no later than the first time you contact them. (They can also complain to the ICO, but the objection itself is something they make to you, not to the regulator.)
That’s all pretty straight forward enough at least! Don’t do anything with the data you didn’t say you were going to, don’t keep it longer than you need to, and tell people they have the right to object.
3. Subject access requests.
This is another area that has been upgraded by GDPR. At the moment people have the right to ask for the data you hold on them, but you can charge up to £10 and have 40 days to respond. Under GDPR the request is free in most cases (you can only charge, or refuse, where a request is manifestly unfounded or excessive) and you must respond within one month. That can be extended by a further two months for complex or numerous requests, but only if you tell the person why within the first month.
If this kind of request is made, charities will need to verify the identity of the person asking for the data, and then provide them with the records (as in all the records, including backups and archives) in a commonly-used electronic format (unless they ask for something else), as well as letting them know
- Why you are processing their information.
- What categories of data you have about them.
- Who else their information is given to.
- How long the data will be kept, or information about how you make decisions about how long to keep data.
- That they have a right to request corrections, to ask you to delete their information (the right to erasure, generally referred to as the ‘right to be forgotten’), or to restrict what it is used for.
- That they have a right to object to how you’re using their information.
- Any automated decision-making connected to their data.
In order to be able to fulfil subject access requests you’ll need to make sure you can find each person’s information across everything you hold, for example by using a CRM that lets you view individual records. It’s no great surprise then that a fifth of charities said they are “not at all” or only “a little bit” confident their existing CRM will enable them to be compliant with new regulations like the Fundraising Preference Service and GDPR, and 38% of charities are planning on reviewing their CRM system in the next year.
4. Data breach notifications.
Data security is also a big deal under GDPR. You must have appropriate technical and organisational measures in place to protect personal data, and if you suffer a breach that is likely to put people at risk you must report it to the ICO within 72 hours of becoming aware of it (if you miss the 72 hours, you have to explain why). Where the breach is likely to put people at high risk (for example, bank details or health information getting into the wrong hands), you must also tell the affected individuals themselves, without undue delay. Whether or not a breach is reportable, you have to keep a record of it. Failing to report, or failing to have adequate security in the first place, can lead to a fine.
Obviously, no one wants to experience a data breach in the first place, so if you’re concerned about it have a look at this blog which looks at some security measures you can put in place to keep your data safe.
Other places you can find helpful info and guidance.
These are just four of the changes that are coming under GDPR, there are others. But don’t panic! There is a lot of great guidance out there to help everyone get ready for the new regulations, including:
ICO (2nd March 2017) Draft GDPR consent guidance (pdf) – There will be more guidance from the ICO to come as well, but this has a handy checklist at the end which you can use to see if you’re doing everything you should be on consent.
Institute of Fundraising (May 2017) GDPR: The essentials for fundraising organisations – Charity specific, clear, and covers a lot of ground.
ICO (started on 9th August) GDPR myth busting blog series – clearing up what is true and what is ‘alternative facts’
Third Sector (19th May 2017) Fundraising – GDPR should you be afraid? – This article is pretty thorough, and it also looks at the rules around third party contracts which may be important for some organisations.
Information Commissioner’s Office (Accessed 18th August 2017) Overview of the General Data Protection Regulation (GDPR)
Kirsty Weakley, Civil Society Media (3rd July 2017) Charities ‘significantly unprepared’ for GDPR, say one-fifth of respondents
Iain Lovatt, BlueVenn (7th July 2017) Does GDPR apply to organizations outside the EU?
nfpSynergy (16th August 2017) GDPR – It’s what the public want: even for charities
European Commission (2017) Data protection
Third Sector (24th July 2017) Charities less trusted than hairdressers and scientists, research finds
Kirsty Weakley, Civil Society (12th July 2017) Nearly a third of public want more charity regulation, finds latest trust poll
John Simcock, Third Sector (4th April 2017) How to take the positive path to GDPR compliance
Hugh Radojev, Civil Society (9th March 2017) RNLI reviewing £36m income loss figure after better than expected opt-in responses
Austin Clark, Charity Digital News (15th August 2017) Not-for-profits falling short in email opens and clicks, report says
Elizabeth Denham, Information Commissioner’s Office (16th August 2017) Consent is not the ‘silver bullet’ for GDPR compliance
Hugh Radojev, Civil Society (9th May 2017) Nearly 40 per cent of charities to review CRM systems ahead of GDPR, survey finds
Acutec (Accessed 18th August 2017) What Charities Need to Be Aware of with GDPR