The EU’s General Data Protection Regulation (GDPR) is currently one of the biggest challenges facing all organisations which hold and process personal data. There is a feel of Y2K about it – a sense of doom as to what its impact may be when May 2018 arrives. Almost a whole industry of advice has built up around mitigating and preparing for it. Yet despite a wealth of seminars, articles and training sessions, a majority of charities are not comfortable that they are ready. Research published by Charity Finance in July has found that 72 per cent feel only somewhat prepared, with another fifth significantly unprepared.
Much of the focus in the voluntary sector has been on the impact on fundraising, but there are equally important considerations in terms of wider direct marketing activities, the data of service users, and IT security. So given the uncertainty, how much in reality will GDPR affect charities? What can charities practicably do to prepare, and what are the barriers that are preventing them from being fully GDPR-proof and compliant?
David Roberts, director of corporate services at NSPCC, said his organisation restructured internally after it was one of 13 charities fined by the Information Commissioner’s Office (ICO) this year. NSPCC was fined £12,000 for not making clear to people how data was being used, for using a wealth-screening company to market events to people with specific profiles, and for using data-matching and tele-matching services to fill gaps in its database.
“Following the challenges we had with the ICO, we reviewed where various functions sat. Data protection and fundraising compliance moved over to me. Because GDPR is a principle-based set of requirements and tied up with risk, it over-arches everything. We have focused upon learning lessons from the past.”
Meanwhile, Will Denton has been data protection manager at Christian Aid since April. He has a background in data protection law and was recruited for his newly-created role because of GDPR. “Christian Aid considered that it was important to recruit a specialist rather than train someone up from within. While we have not faced ICO censure, we felt it was crucial to get it right with hundreds of thousands of supporters and over 600 employees.”
Daniel Fluskey’s role as head of policy and research at the Institute of Fundraising focuses on assessing the impact of GDPR across the sector. “GDPR is an issue in itself, but has become a proxy for lots of other discussions. It isn’t just about the law changing; it has brought to light issues around compliance and ways of working. In one sense it is a legal compliance exercise, but it also throws up best practice questions. There is a confusion between what the law requires and where charities should be generally.”
John Lock, IT operations manager at Mencap, views GDPR from a different angle. “My interest is in terms of IT security. I work with the legal and risk teams to ensure our IT policies and procedures are compliant.
“In my experience, we have the right policies but not everyone across the organisation is implementing them. We need to make sure everyone understands those policies. We are trying to bring control back to the centre and in-house. There is a lot of information out in the organisation and we need to be fully aware of what we have.”
Henry Sainty, partner and data protection expert at Farrer & Co, first became involved with data protection during the implementation of the Data Protection Act 1998. “What we have seen since,” he says, “is a progressive ratcheting up of data protection as a compliance issue. The ICO acquired the power to fine in 2011, and has increasingly made clear that it will use its powers against charities as well as companies and private bodies. GDPR adds further to the ICO’s powers and to charities’ compliance burdens.”
However, Fluskey adds that you should not see GDPR solely as a compliance exercise. “At the heart of it there is a really interesting debate around individuals’ rights and privacy, versus the need of charities to raise money. As there is a grey area in between, it becomes a problem when those two things are set up as mutually exclusive, with one a barrier to the other. We should be thinking about the right way to go about our work, which enables us to fundraise and do good, rather than having two conflicting starting points and trying to negotiate to a point in the middle.”
Sainty points out that data protection has always been a balancing act between the legitimate needs of business, charities and government to make sensible use of information, and the privacy rights of individuals. “As organisations get better at collecting and interrogating data, so the lawmakers are shifting the balance back in favour of individuals.”
However, Roberts argues that it is important to remember that GDPR remains a barrier to fundraising due to its emphasis on gaining explicit “opt-in” consent from stakeholders before sending them communications. “We delude ourselves if we don’t recognise that.”
Part of the problem charities face is a lack of clarity around what the ICO will require them to do in terms of consent for fundraising marketing, not just in relation to GDPR but also in light of upcoming changes to the Privacy and Electronic Communication Regulations (PECR).
Sainty considers that the ICO is in an interesting position. “Its job is not only to enforce the law but to educate. Its first draft guidance suggested that consent should be opt-in, and it wants to push fundraising in that direction.”
However, he says, consent is just one gateway to compliance – another is claiming a “legitimate interest” for communicating without explicit permission. “Where fundraisers have a strong existing relationship with supporters, legitimate interest may be sufficient for postal fundraising communications.”
Fluskey concludes that the law says you can market if there is legitimate interest, but it can’t be a cover for anything involving prospect research and wealth screening, which the ICO has been concerned about in the past.
Much of the confusion centres on the consent required for telephone fundraising, and Roberts says the lack of clarity is not helpful. “On the grounds that consent is seen as an affirmative action, NCVO has recommended that you phone people now under an opt-out basis and refresh their consent. But it isn’t practical to call everyone before May. We need to know the exact position because of the cost involved.”
Fluskey agrees that the sector is still grappling with this. “There is less than a year to go until GDPR is introduced and there is still no statutory guidance. People are frustrated and worried. The best way of not getting it wrong is by following what the ICO says, but it hasn’t had its say yet.”
Roberts raises another conundrum around retrospective consent. “We have millions of people on our database, some going back years. How do I demonstrate affirmative consent for all of them?”
This is indeed another grey area, says Fluskey. “The onus is on each organisation to internally decide whether the consent is valid and demonstrate you are taking each case seriously.”
Keeping it regular
Given all of the uncertainty, Lock asks what charities should do. “It seems you can think you are following the rules and have sensible processes, yet the ICO may still say you are doing it wrong. For example, what does ‘regular’ mean in terms of marketing communications?”
Fluskey says that whether you are relying on consent or legitimate interest, you have to think of the context and what you have told people. “With child sponsorship for example, there are clear expectations that the supporter will receive regular updates for a number of years, and the charity sets the boundaries. Whereas time-limited capital appeals are different. The problem is when you send stuff and haven’t told people you will be.”
Fluskey asks, from a supporter-experience point of view, how much people want to receive reams of technical information on a charity’s data protection policies. “Some legally compliant fundraising is rubbish. It has no passion. It might be compliant but it is not engaging. We need to retain the passion otherwise there is no point fundraising.”
Another concern is the wider definition of direct marketing. Does it cover administrative communications such as thank-you letters? Or newsletters? For Denton of Christian Aid, the distinction is simple. “We work on the basis that anything we have ever sent anyone that includes any information about the work we are doing is direct marketing.”
So how do you ensure data held around the organisation is being held and processed securely? For Lock, it is about detection and making sure you report any breaches. “From an IT perspective, you have 72 hours to let the ICO know if there has been a breach, so identifying it is crucial, as well as reducing the chances of one happening. We have been looking at an information-asset register. You need to find out what data you have and who the business owners are. It is about going back to the business and challenging people, asking what data they have and why.
“Retention is also a struggle,” he adds. “Are we doing a good job of getting rid of data? And how far do we go back?”
Fluskey suggests that it isn’t just fundraising supporter data that is an issue – so is service-user data. Denton agrees. “The focus on fundraising does not mean other areas such as beneficiary data aren’t as risky, if not more so. My biggest concern is staff setting up their own databases on the likes of home laptops.”
“We have very clear controls on service user data,” says Roberts. “But while you can have controls on information held electronically, what you can’t legislate against is people who like physical files, and the unsecured filing cabinet in a regional office.”
The panellists moved on to discussing whether, if the worst happened, it is worth appealing a fine imposed by the ICO. Drawing on NSPCC’s experience, Roberts remembers that there was a group of supporters who wanted to draw a line under the situation and pay the fine, so the charity did so. “It was a conscious decision. We wanted to stop being a running media story. It was about protecting our reputation.”
Denton says there was a feeling among lawyers that the ICO fines were challengeable, and not appealing helped some of the principles become accepted in law. “Clearly some of the practices were wrong and looked bad. But the ICO bundled these clear breaches with more technical and legally questionable ones, which made it harder to challenge.”
Education and culture
While the people working with data protection concerns on a daily basis may be on top of processes and procedures, the bigger challenge is establishing a culture of data protection compliance across the organisation.
“The fundraisers get it,” says Roberts, “but it is about pushing it out to the whole organisation. We are training people on GDPR principles and consequences. We hope that disseminating knowledge will be a catalyst to identifying current practice that might be problematic.”
Denton adds that he is encouraging as many people as possible in his organisation to ask what they may think are stupid questions so that he can build up a picture of what is happening.
Given that trustees have ultimate responsibility, how much interest are they taking? Denton says Christian Aid’s trustees have faced up to the issue. “We deal with it through the risk and finance committees and are trying to keep them involved.”
NSPCC has organised training for trustees. However, Roberts argues that the lack of clarity around guidance makes it difficult. “If actions are taken by the executive and they get it wrong, it is trustees in the spotlight, but decisions have to be made on a day-to-day basis, so it is impossible for trustees to be involved in everything. You can end up being totally risk-averse.”
Fluskey says there is going to be an element of risk assessment and judgment in deciding on your activity. “Consent is easier. If you have valid consent then you can contact them. Legitimate interest will always require a balancing exercise to be confident that you aren’t overriding an individual’s rights and that you are acting within their reasonable expectations.”
He continues: “Trustees’ duty is to act in the best interest of the charity. They need to understand the risk and accept that they may be able to explain why they made a decision, but someone may still come back and say it was wrong.”
Overall, Sainty concludes that charities should avoid making too many decisions before the relevant guidance has been finalised. “Hold your horses to ensure you have considered all options on things such as consent. Don’t rush into decisions right now, but be prepared and watch carefully for further guidance on the ICO website.”
With thanks to Farrer & Co for its support with this feature
Ian Allsop is a freelance editor and journalist, and regular contributor to Charity Finance