Having read the consultation by the Fundraising Regulator on the changes it has made to the Code of Fundraising Practice to include the General Data Protection Regulation, I've now come to the conclusion that the detail of data protection should be taken out of the fundraising code.
Aside from referencing a basic and legal need to comply with data-protection rules and any associated regulations, the Code of Fundraising Practice should be silent on it, and it should focus instead on fundraising, as the name implies.
This would be the most effective and efficient way to deliver the "clarity" on the matter I hear charity colleagues calling for all the time - not just fundraisers, but colleagues from all parts of the organisation. And this is in itself another reason to take it out of the code: it's not just applicable to fundraisers, but to everyone with responsibility for handling personal data, so why attempt to repeat the detail there?
The consultation has taken my general annoyance with how the sector approaches data protection (usually like the proverbial ostrich) to a new level. We shouldn't need a consultation on this, especially so, so late in the day.
But the black and white of it is there - no clarity needed if you go back to the source. The ICO has already issued guidance on the GDPR and draft guidance on consent that - though the final version is delayed until the end of the year - it admits is unlikely to change from draft to final. The sector, as with the rest of the UK, and indeed the European Union, has been aware of what the GDPR looks like since the regulation was passed in April 2016. The two-year period to enforcement in May 2018 is a transition period, allowing organisations to start preparing and supervisory authorities (the Information Commissioner's Office in the UK) to provide further guidance.
The Fundraising Regulator also issued a comprehensive guide to data protection some time back, including forward-planning sections for the GDPR, and a toolkit. My word of caution for anyone using this would be that the Fundraising Regulator sells its "best practice" approach, with the bar set some way higher than the compliant approach that the law requires, so you have to do the hard work to decide where your organisation sits on the scale between the two and the impact it will have on your fundraising and wider support base.
This is business-critical, so you need to gather the right people from across your organisation to spend time (and perhaps money) on it.
Another, personal guide
A final piece of guidance would be that of Tim Turner, an ex-ICO data protection expert who has been so incensed by the sector's approach to the matter that he personally wrote a guide for fundraisers. It's not for all tastes because of its honesty, but it's definitely worth reading to help get the decision-making juices flowing. Find it here.
So the truth is out there, if only fundraisers could be bothered to go and find it. And there's the rub - I'm not sure most fundraisers do want to deal with it. "It's too difficult; the impact is too great; it shouldn't apply to good causes; and it's not my problem to deal with": I've heard them all, and I disagree with them all.
With only six months to go, there is time to tackle the GDPR, and the information you need is out there. The ICO won't be running after you with fine notices - it just wants you to respect personal data, like you should already have been doing under the existing laws.
Dawn Varley is a fundraising consultant