Kirsty Weakley writes that changes to data protection rules don’t just apply to fundraising departments and require an organisation-wide culture change.
The letters GDPR seem likely to strike fear into the hearts of fundraisers.
The acronym stands for the General Data Protection Regulation, which is due to come into force in May 2018. Fundraisers have good reason to believe it could mean the end of days for direct mail and wealth screening practices as they know them, and have been quite vocal in their concerns – perhaps in the hope of securing a change in the law or an exemption for charities.
But in some ways this has distracted from the wider issue at play.
Simply put, the changes don’t just apply to fundraising. They apply to all pieces of personal data collected, processed and stored. This is likely to apply not just to the fundraising database, but to the marketing, campaigning, communications, volunteering and beneficiary databases.
The new rule says that charities must have “unambiguous consent” to collect, process and store personal data, including data published by the individual concerned.
On this subject, the existing rules were actually a lot stricter than most charities realised, but they were patchily enforced. GDPR brings it all into focus and makes it much more costly to breach the rules.
This is likely to mean a lot of work for the sector, but it's worth saying that the change in the rules is not necessarily a bad thing, and there are some aspects that charities should definitely support.
Last week I went to the Charity Finance Group’s IT, Data and Cyber Security conference, where the audience was mostly charity finance and IT professionals. GDPR was mentioned in almost every session, and was never far from the minds of delegates as they asked questions.
I watched faces in the audience get paler and paler as the extent of the new rules dawned on them.
A game changer
Experts are not being hyperbolic when they describe GDPR as a ‘game changer’. It marks a fundamental shift in the relationship between data processors and the general public.
This is not just about introducing new rules for how fundraisers do their jobs. It is about a cultural shift in how society in general treats personal data.
Under the new rules personal data is considered golden. Essentially regulation has woken up to how valuable personal data is, and is attempting to put people back in control of their data.
This means that if you fail to get “unambiguous consent” there are some serious penalties. Fines could be as high as €20m (£17.2m) or 4 per cent of a company’s total worldwide annual turnover, whichever is higher. So everyone in an organisation handling personal data needs to be aware of the rules.
While it’s not an overreaction to say that the new rules are a significant shift, I feel that some of the response – from the fundraising community particularly – has focused excessively on the potentially damaging consequences of people saying they would rather you didn’t have their information and contact them.
First, it may not actually be as harmful as first feared. Indeed, early results from the RNLI’s move to an opt-in only approach for its communications to comply with the new rules have been encouraging. An opt-in only campaign saw a significantly higher rate of return than previously.
Data experts presenting at CFG last week were also keen to stress that once you have obtained the appropriate consent from supporters, or other people you would like to contact, there is nothing to stop useful and insightful data analysis taking place that can help to lead to better relationships with stakeholders.
Being compliant with GDPR could even help to reduce a charity’s risk of falling victim to cyber criminals, according to one speaker.
It’s too late to change the law
Second, it won't do any good. The law has been made – the time for arguing about the broad tone is over.
While some of the details of how it will be enforced are open to interpretation by the UK government, the basic principles have been laid down. Instead of whingeing about the overarching message everyone needs to get on with understanding and complying with it.
But thirdly, there is a strong argument that charities should be adopting and embracing the principles behind GDPR. The sector is about making lives better for ordinary people, and GDPR will help do that.
Previous regulation wasn’t designed for the internet age. It's no longer appropriate to permit anyone to hoover up as much information as they could get their hands on, without any thought as to the consequences.
If you don’t believe me, here’s what Tim Berners-Lee, who created the internet, had to say about the damaging impact that the widespread practice of personal data collection has.
“Even in countries where we believe governments have citizens’ best interests at heart, watching everyone all the time is simply going too far. It creates a chilling effect on free speech and stops the web from being used as a space to explore important topics, such as sensitive health issues, sexuality or religion.”
Surely the ambition to put individuals back in control and feel empowered online is something the sector can get behind?
Of course changes to legislation need to be scrutinised and if there are significant practical implications charities should raise them.
But charities need to stop believing that GDPR is a blanket threat to fundraising and get serious about the culture change needed to operate successfully under the new rules.
Editor's note: A paragraph on the RNLI's campaign has been amended to say that the impact may not be as harmful as first feared and that the RNLI had seen a higher rate of return, not a higher overall return, after Civil Society received clarification from the RNLI.