The European Union General Data Protection Regulation has been looming on the horizon for two years, always looking comfortably far away. But as we creep nearer to the implementation date of 25 May 2018, charities will need to take action.
The GDPR will supersede the Data Protection Act, bringing in tighter rules about data processing and who organisations can contact. Although it will affect how charities deal with employee and beneficiary data, the biggest issue will be the impact on their treatment of donor data and relationships with supporters.
By the time implementation day arrives, charities will have had three years to prepare. "So if anyone gets to day one and they've not really done anything, or says 'we didn't know', we'd be a bit worried," says Ian Inman, group manager for public sector policy and engagement at the Information Commissioner's Office. "We want to see people working as hard as they can towards it and demonstrate that, even if they're not quite there, they are taking it seriously."
With that in mind, here is a non-exhaustive list of things charities need to consider and begin doing before the GDPR arrives.
Consent - the big one
The debate about opt-in and opt-out has dominated discussion of the GDPR, because many charities fear they will lose access to thousands of potential supporters.
The GDPR says: "Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement ... Silence, pre-ticked boxes or inactivity should not therefore constitute consent."
The ICO's draft guidance on consent under the GDPR, published for consultation at the end of March, says "all consent must be opt-in consent - there is no such thing as 'opt-out consent'".
Some have argued that this takes the original legislation too far, saying the GDPR itself does not explicitly forbid opt-out consent altogether. But unless the ICO performs a radical U-turn when the final version of the guidance is published, it is the ICO's opt-in-only interpretation that charities relying on consent are likely to be judged against. This means all new consent forms will have to be compliant, but the biggest headache for charities will be dealing with consent for data they already hold.
Mairead O'Reilly, charity and social enterprise consultant at the law firm Bates Wells Braithwaite, says it seems charities that have relied on consent that doesn't meet the GDPR standard will have to refresh all of those consents if they want to rely on them after May 2018.
The GDPR also adds an obligation to demonstrate you have consent, Inman says, so it's important to keep records effectively.
To contact supporters by email, text messages or automated phone calls, charities will need consent. But charities can contact people by post and live phone calls if they can demonstrate they have a "legitimate interest" in doing so. Under the GDPR, marketing counts as a legitimate interest. For example, you could send a newsletter about your latest fundraising appeal to someone who donated to you last year, but you must balance that legitimate interest against the rights of the person concerned, and you cannot rely on it where their rights would override it.
This means assessing whether they would reasonably expect to receive marketing calls or letters (did you say this was a possibility when the data was collected?) and whether they have ever told you they do not want this kind of marketing, in which case you cannot rely on legitimate interest. Relying on legitimate interest for postal contact could be useful for charities that are refreshing consents. Inman says postal communication is probably the safest way to contact people if you are unsure about the type of consent you already have.
Another reason for writing to supporters will be the sheer volume of information required. The privacy notice - information explaining how you plan to use the person's data and what their rights are, given to them when you collect their data - will have to be far more detailed.
"Currently, under the Data Protection Act, broadly you've got to tell people who you are and for what purposes you're going to process their data, including any sharing," says O'Reilly.
Under the GDPR, charities will have to explain the legal basis for processing the information, what exactly they plan to do with it and the names or categories of any other organisations they plan to share it with. It won't be enough to say "we will share your data with similar charities": notices will now need to be much more specific about the organisations with which charities are planning to share personal data. And the GDPR says the information must be given "using clear and plain language".
The GDPR will shift the responsibility for privacy protection from the data controller alone (the organisation on whose behalf the data is being processed; in this case, the charity) to both the controller and the organisation processing the data on its behalf. This means charities will have to review their contracts with third-party processors to reflect the new balance of responsibility, and be prepared for data processors to do their own due diligence on where the data they are given came from.
"When you ask people to do work for you - mailing, processing, profiling, for example - you would expect those companies to quiz you about that data," says John Mitchison, head of preference services, compliance and legal at the Direct Marketing Association. "And if they don't, you'd have to question whether they know what they're doing."
Under the new rules, the ICO will have to be informed of any breach that is likely to result in a risk to the rights and freedoms of individuals without undue delay, and within 72 hours where possible. This means reporting systems within charities will need to alert the right people in the organisation quickly. Third-party contracts will also have to ensure information is passed along in time for you to comply, O'Reilly says.
The GDPR retains the requirement that data should not be kept longer than necessary, but doesn't set time limits, so in most cases it's up to charities to judge. O'Reilly says that, for fundraising data in particular, introducing a fixed limit can be tricky.
"You might hold a fundraising event every three years and contact the same donors about it every time, so it's quite hard to then apply an arbitrary rule about deleting it every two years, for example," she says. "The key thing is to demonstrate that you have a reason for keeping it and have a policy in place."
Data subject rights
The GDPR will give data subjects a range of rights, among them the right to have their data erased and access to any data held on them for free. Charities need to ensure their systems for storing and handling data can deal with this. Inman says: "If you can't treat records individually - for example, bring up one record to delete it - then you can't comply with the right to erasure."
Do an audit
The most important thing for charities to do is to work out where they are now in terms of their data, O'Reilly says. "Lots of organisations would be well advised to carry out an audit at this stage, so that they're in a good position to comply," she says. "This applies particularly to older records that you might have been holding on to for a long time." Then, Mitchison says, you can develop a strategy for what you're going to do with the data you've got and how you'll collect it in the future.
The ICO and the Institute of Fundraising, among others, have developed guides to complying with the GDPR. These are available on their websites, and more guidance is in development.
It's true that many aspects of the legislation, what it will mean and how it will be enforced are still unclear, but Mitchison, Inman and O'Reilly all agree the important thing is to begin preparing now.