October 21, 2016
The date of 25th May has always had a major impact on my life. Not only is it my birthday, in 1977 it was the date on which the original Star Wars movie was first released in the USA. In 2018, another area of my life will be drawn to this date, as the new General Data Protection Regulation (GDPR) will come into effect.
Let’s not beat around the bush… the GDPR will have dramatic consequences for charities when it launches! However, unlike the Fundraising Preference Service (FPS), which launches much sooner in 2017, we actually know a great deal about GDPR. This is great and allows charities to start preparing for the changes.
As ever, the Information Commissioner’s Office (ICO) has provided a very handy “12 steps to take now” document. Do read this to ensure you’re up to speed with the basics around GDPR.
Most of us know that the biggest change in the GDPR is around people having to provide consent for charities to hold their data. What many still don’t fully appreciate is that people also need to provide consent as to how that data will be used by the charity, including automated decision making and profiling, as well as the sources any additional information originates from and whether it came from publicly accessible sources.
In principle, I agree with the GDPR. People should have the right to know what data is being held and how it is being used. Stopping nuisance phone calls, random emails, and knowing which companies make automated decisions based on your credit scores is a good thing.
However, upon reading the documents issued by the ICO, it soon becomes very clear that they’re all very broad and not very specific towards charities. It is clear that charities aren’t going to get any special treatment, just because they help society. For me, a few questions remain:
- How can we get people to consent to being wealth profiled and researched? We’re already worrying about getting people to give consent to be contacted, let alone create further concern.
- Automated decision making may not play a prominent part in smaller charities, but they may employ a third party to help them set ask amounts, score engagement, or find wealth information. How can smaller charities write privacy policies to take this into account, even though they may not be considering this right now or even know such services exist? Surely, we want to avoid charities having to seek consent each time they think of a new way to process data which will help them to become more efficient.
- The GDPR is clear that proof is required that consent was given. However, those people with whom a charity has had regular two-way contact should be allowed to opt in via an easier method. This is especially true for educational institutions that have been engaging their alumni for years. There seems to be an exception for not-for-profit organisations linked to political, philosophical, religious, or trade union activities, so why not education or other membership-based societies? For more information, you can review Article 9(2)(d) of this document.
One thing is clear though: charities should not shy away from writing comprehensible privacy policies that truly explain how data is used for fundraising purposes, and should be proud. Some terminology may need to be changed. For example, rather than calling it “wealth profiling”, call it “grouping you with similar people who may be able to give at a level that is suitable to yourselves” (that is why we wealth profile). Then, if we store “ask amounts” rather than “wealth” or “gift capacity” ratings, people will be able to understand some of the more complex work that goes on in fundraising offices.
Alas, areas of the Fundraising Code of Practice already look quite out of date in light of the GDPR – not least in that it makes no reference to what is acceptable in terms of prospect research and wealth screening, and in its recommendations on working with third parties.
The guidance provided by the ICO so far has been very useful. However, the fundraising industry needs more specific guidance. This is an area where the Fundraising Regulator, the Charity Commission, and the National Council for Voluntary Organisations (NCVO) should become more involved.
– Christian Propper, Senior Consultant