Five common GDPR mistakes

Charities are currently racing to meet the General Data Protection Regulation deadline of 25 May, but the regulation is complex and it's easy to get things wrong. Third Sector asked fundraising and data protection experts which pitfalls charities need to avoid.

1 ‘You will always need consent’

Although it’s not as prevalent as it was, one of the lingering misconceptions is that consent is the be-all and end-all of the General Data Protection Regulation, partly because some guidance sets higher standards than are required by law, according to Rowena Fielding, senior data protection lead at Protecture, a data protection consultancy that specialises in working with charities.

"The Fundraising Regulator’s guidance says it believes consent should be the gold standard for all marketing, but that’s not what the law says now," Fielding says. "The GDPR says that direct marketing can be a legitimate interest, so consent isn’t needed."

The Privacy and Electronic Communications Regulations 2003 say that electronic marketing requires consent. Combined with the requirements of the GDPR, this produces a situation in which legitimate interest can be used for postal marketing if you go about it the right way.

"But because charities are looking at the guidance and assuming it reflects what the law says, a lot of them are spending huge amounts of money to get people to give consent for postal marketing, which they don’t actually need," says Fielding.

She says there’s still a tendency to treat legitimate interest, which allows organisations to contact people when they have a valid reason to do so as long as that person might reasonably expect them to, as if it’s a "cheeky loophole" in the rules on consent.

"It’s not a dodge," says Fielding. "It’s every bit as onerous, but in different ways. You have to assess what the interests are, then balance them against the rights and freedoms of the data subject. That can’t be a rationalisation after the event – it’s got to be genuine challenge.

"A lot of people are saying ‘oh well, we’ll just use legitimate interest’," says Fielding. But she warns that using legitimate interest means that any data subject has the right to demand to see a legitimate interest assessment, proving that the charity has considered what the person might reasonably expect to receive. "If you can’t do that, your processing is unlawful," Fielding says.

2 Rushing things

Daniel Fluskey, head of policy and research at the Institute of Fundraising, says some charities have taken decisions about the GDPR that they now regret.

"For example, if you rush to write to all of your supporters by post, saying you’re moving to consent and if they don’t respond they’ll never hear from you again, you really can’t go back on that," he says. "So the phrasing and the wording that you use is really, really important.

"When the RNLI and Cancer Research UK went to opt-in-only, they did it with a structured, timetabled process and asked people at different times, giving them different opportunities to opt in."

Fluskey says he can appreciate that charities feel they are between a rock and a hard place as the GDPR deadline looms, but it's a case of more speed, less haste, and doing it in a structured way.

3 Waiting for the ‘magic’ guidance

Another common mistake, Fluskey says, is for an organisation to wait for that magic piece of guidance that’s going to give them all the answers. "It’s never going to be there," he says, "no matter how much guidance is put out."

The GDPR is values-based, he says, and as a result organisations are never going to be able to comply just by reading something and copying and pasting it. Guidance can tell you what you need to think about, but it can't tell you which decisions are right for your organisation.

J Cromack, chief executive of the fundraising data consultancy Wood for Trees, says it’s down to each organisation to look at the GDPR in terms of what is right for it and its supporters.

"It depends on the type of organisation you are and the relationship you have with your supporters," he says.

4 Treating GDPR as a one-off measure

A lot of organisations are treating the GDPR as a one-off, fixed-term project, according to Fielding. They rewrite policies and change consent statements, then think "we’re done". Instead, they should be "proactively building data-protection considerations into business as usual", she argues.

For example, many charities have simply asked to have their privacy notices rewritten as a single statement that will cover any of the processing they might want to do. But Fielding warns that this will lead to overlong, vague statements that aren’t fit for purpose. "First, you have to work out what you’re doing with data, why and how, and what’s your lawful basis," she says.

"Only then can you create a privacy notice. Otherwise, it's like trying to win a Formula 1 race before you've even learned to drive."

Cromack says that the changes have to be understood throughout the charity.

"You have to ensure it’s not just the senior people and the team leaders who understand this. The GDPR is a complete cultural shift. It is the responsibility of every individual across the organisation."

5 It’s only a fundraising thing

The GDPR applies to all types of data processing, but much of the focus in the charity sector has been on its impact on fundraising alone.

Jon Kelly, strategic analysis director at Wood for Trees, says: "Many people are still not grasping the breadth of it, even when they are fairly on top of it. They're still looking at their fundraising only."

He says charities need to "widen their view" and look at the consequences for all groups, including their volunteers and beneficiaries.
