Many large charities are still not clearly explaining what they do with supporters’ data, despite fines being handed out for a lack of transparency, an audience of trustees heard last week.
Tim Turner, a data protection consultant with 2040 Training, was speaking at Trustee Exchange, Civil Society Media’s conference to promote excellence in charity governance.
He told delegates that despite 11 of the sector’s largest fundraising charities being fined earlier this month - and two others in December - for failing to explain how they had used their supporters’ data, many big sector bodies still have unclear privacy policies on their website.
“If you look at recent fines they were for lack of transparency,” he said. “There are few activities which are forbidden, so long as you clearly explain to people what you are doing with their data.”
New rules coming into force in May next year – the General Data Protection Regulation – will require even clearer standards of transparency about what you are doing with people’s data, but Turner said “some fundraisers are still in denial” about the changes which are required.
Charities need to change
He said big charities would have to change to comply.
“I have looked at some of the big name charities’ privacy policies and they are still not clear,” he said. “There’s one big name charity which I think is profiling donors, but you can’t really tell. There’s language in their privacy statement about ‘we might take some action to understand you better’. What does that mean?
“It’s waffle. It’s euphemistic. It’s too long to understand. If you want to explain what you are going to do with supporters’ data you must you clear and simple language that is fit for the audience you are talking to.
“If you look at a lot of what’s going on at the moment, it doesn’t make the grade. People don’t understand how their data is being used, and who it’s being given to.”
Turner said the GDPR would require “data protection by design” – a process which many organisations planned to treat as a compliance exercise. He said that charities would find it more effective if they considered data protection early in the design of processes.
“Don’t leave it to the last minute to ask a data protection officer,” he said.