Charities will face fines that could put them out of business if they cannot tell donors what information they are holding about them after the General Data Protection Regulation comes into force, delegates at the International Fundraising Congress in the Netherlands have heard.
Ilja de Coster, fundraising data strategist at Amnesty International in Belgium and director of donor relationship management at the fundraising agency The DonorVoice, warned that charities needed to prepare their systems to deal with the implications of the EU legislation, which is due to be implemented from 25 May next year.
Under the GDPR, people will have the right to approach any organisation and demand to know what data the organisation is holding about them.
De Coster said he recommended that charities should ensure their customer relationship management system has a simple mechanism to allow them to extract all the data on a particular subject into a single report.
"That’s an important thing," he said. "Every person has the right to access data and, in the whole fine and penalty system, if you do not comply with that I guarantee you will get a high penalty.
"If you will not answer that request from a donor, you are out of business – that’s it. The fee will be the maximum."
Under the GDPR, the Information Commissioner’s Office will be able to levy fines on organisations for data protection breaches of up to 4 per cent of their turnover or €20m (£18m), whichever is larger.
De Coster also told delegates that charities operating in more than one country needed to be aware that any fines would be calculated on the basis of turnover of the global organisation, not just the turnover of the charity in the country in which the breach happened.
He said the GDPR should be viewed as human rights legislation, because it was designed to protect people’s right to privacy, guaranteed under Article 8 of the European Convention on Human Rights, and many of the requirements of the GDPR were not new.
"The GDPR is the continuation of existing data protection law in Europe," he said. "There’s some details stuff and some optimisation stuff based on the evolution of technology, but basically everything you’re not allowed to do in GDPR you are not allowed to do today.
"But what is new is that from now on it’s serious; playtime is over."