As the countdown continues to the new General Data Protection Regulation being enforced throughout the EU at the end of May, many organisations are busy working on projects to get their data and related business processes in order. But many are not, either through wilful ignorance (which, as we all know, is no defence), through lack of resource (small charities in particular), or because of sheer "rabbit-in-headlights" fear about the whole thing.
Wherever your organisation is, the ticking of the clock gets louder, so let’s look at the truth of GDPR – and how to get started for those that haven’t yet done so.
The truth about GDPR… is that it’s not scary or impossible, and it makes total sense when you take a moment to consider its purpose. It’s driven by a person’s right to privacy, and I’d like to think we’d all support that basic human right.
With that in mind, how best to tackle it? As with anything in life, the recommended approach is to keep it simple. It is a complex area, so don’t get lost in a rabbit warren of "what ifs" or "how comes" (or even "but Charity X isn’t doing it that way"). When you find yourself or others doing that, just take a moment to ask a fundamental and grounding question – "what did the supporter expect to happen?" – and that should help get you back on track.
The first thing to consider on your compliance checklist is what this GDPR thing actually is. This sounds obvious, but most people aren’t doing it. Go to the source document. Read the actual GDPR document, then the relevant guidance from the Information Commissioner’s Office, the UK’s supervisory authority responsible for the enforcement of data protection regulation. You could also read the Fundraising Regulator’s guidance and use its useful toolkit, but remember that this sets out the best-practice approach, which is over and above what you need to do to be compliant. Once you’ve read all these you can start to work out the best approach for your organisation.
Then you need to ask why it is necessary. Understanding this is key. The GDPR represents a much-needed update to existing data protection legislation (the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003) to take into account the digital and "big data" world we live in today. The old legislation is no longer fit for purpose, so this is a natural evolution of how we protect the right to privacy.
Next, think about who is responsible for compliance. It might sound facetious to say "everyone", but that is the case. Accountability is a key principle of the GDPR. Everyone within your organisation has a responsibility to manage data correctly and to think of the supporter’s right to privacy as a starting point. The GDPR talks of the need for a "data protection officer" for organisations of a certain size. However, as with the Data Protection Act, thinking of giving one person sole responsibility is a recipe for disaster. Approach it as a living, breathing part of your supporter care culture.
The GDPR begins to be enforced from the end of May and we have already had 18 months to start getting our houses in order. If you are well on your journey to delivering a GDPR-compliant regime within your organisation, well done. But if you haven’t yet started then just, well, start. You cannot ignore the requirements, nor the need in particular for marketers (not just fundraisers, but anyone who is promoting your organisation) to ensure that they continue to communicate with supporters on a sound, measured and documented basis of either consent or legitimate interest.
The best way to go about this is as an organisation. It is highly unlikely that personal data is held only by the fundraising team, so a cross-organisation project team needs to be pulled together to get the job done. Applying a robust project management approach to this complex, cross-organisation project will help you deliver your GDPR project so you can continue with the important work your organisation exists to do.