All types of fundraising are affected by the General Data Protection Regulation (GDPR), which will be introduced on 25th May 2018.
GDPR is an evolution, not a revolution, of existing data protection legislation, and we believe that for many not-for-profit organisations it represents a positive change. However, as the deadline looms, some in the charity sector seem to be getting into a bit of a muddle about how best to ensure they can meet the new regulations.
We are not lawyers, so we cannot provide legal advice, but having spent more than twenty years helping charities reach their fundraising goals, our team at Stefan Lipa thought we were uniquely placed to bring some clarity.
Our charity checklist will guide you through some of the issues that charities should be focusing on now, as well as some of the practical steps to make sure that you are GDPR ready.
Don’t panic about the May 25th deadline
Don’t ignore it, but we think it’s positive that the Information Commissioner’s Office has said that the May deadline is “the start and not the end of GDPR compliance”.
Choose a GDPR Champion
Choose someone in your organisation to take on the responsibilities required by GDPR.
Use GDPR online toolkits
The Information Commissioner and the Fundraising Regulator have both produced free online resources to help guide a data protection officer through the GDPR rules.
Create and Publish a Privacy Policy
Create and upload a Privacy Policy onto your website, which sets out the principles of the way you handle personal data, and the rights of those whose data you hold. This document should include:
To ensure you are GDPR compliant you should make your Privacy Policy publicly available and easy to access; there are now many examples in the public domain.
Alert every person you communicate with to your Privacy Policy. One idea is to have a footnote in every communication, hard copy or electronic, which includes a link to your Privacy Policy page on your website.
Be sure to tell everyone involved in processing data within your charity about this policy. This should include volunteers and not just staff.
Conduct a Data Audit
Undertake an audit of your records to identify all the categories of personal data that you hold; how it is held; how it is processed; who processes it and why. Remove any old data that is not required, and repeat the audit process on a regular basis to delete data that has become unnecessary with the passage of time.
This really is a positive process for a charity, although it can be quite frightening as fundraising databases will inevitably shrink as a result of organisations deleting old data. By cutting away contacts who are not responsive to fundraising emails, a not-for-profit is able to focus its time on people who are actively engaged with its work, a much more valuable clientele.
Email service providers such as MailChimp and MailJet have released toolkits to help you start on this process, although we would encourage you to seek legal advice before implementing any changes.
Take on board feedback from people
When you receive feedback from your data subjects, for example a request to inspect, delete or amend information, act on it! GDPR is about encouraging organisations to respect the rights of an individual.
Know an individual's rights under GDPR
An individual has the right to be informed of what information a not-for-profit has on them and how that information is going to be used. They have the right to access that data and for it to be corrected or deleted. A charity must be able to tell an individual how long it will retain any personal data, its purpose for holding the data and who in the organisation has access to it. GDPR also gives individuals the right to object to their information being used and assigns rights in relation to automated decision making and profiling.
Define your Lawful Bases for processing information
The key thing to know is that for data processing to be lawful under the GDPR, you need to identify and document your Lawful Basis for the processing.
There are six Lawful Bases to choose from but fundamentally they all require that processing is ‘necessary’.
Identifying which Lawful Bases you are going to use is key. We believe that most not-for-profits will predominantly rely on two of them: Consent and Legitimate Interest.
Consent must be explicit
If you are going to use this basis then bear in mind that consent needs to be freely given, specific, informed and an unambiguous indication through a statement or clear affirmative action. Pre-ticked boxes are no longer allowed – the data subjects have to make a deliberate choice.
Balance your Legitimate Interest with an individual’s rights
You can process personal data without consent if you need to do so for a genuine and legitimate reason, unless this is outweighed by the individual’s rights and interests. Legitimate Interest can include commercial interests, individual interests or broader societal benefits.
If you want to use the Legitimate Interest basis, there is a three-part test you should apply:
But be wary: if you are relying on Legitimate Interest, the right of the individual to object is absolute, and you must stop processing when someone objects. You must inform individuals of their right to object “at the point of first communication” and in your Privacy Policy.
On 23 March 2018, Daniel Fluskey, Head of Research and External Affairs at the Institute of Fundraising, said: “Get this right and, as long as charities tell people about the processing and document their decision-making appropriately, Legitimate Interest will be fair and lawful”.
Other Lawful Bases to consider
Not-for-profits will primarily focus on Consent and Legitimate Interest as the Lawful Bases for their processing, but as we mentioned there are four other alternatives.
The need to ‘comply with a legal obligation’ could be a very useful Lawful Basis for processing data, for example when processing Gift Aid data. Charities that have agreed ‘contracts with an individual’, such as a subscription agreement to send supporters regular updates, would also be able to legally process data under the new rules.
The ‘Public Task’ provision means that if you need to process personal data to carry out your official functions or a task in the public interest and you have a legal basis for the processing under UK law, then you can. If you are a UK public authority, the view of the ICO is that this is likely to give you a Lawful Basis for many if not all of your activities.
Hopefully charities will not generally have the need to use the ‘vital interests’ basis which grants organisations the legal basis to process personal data if it is necessary to protect someone’s life.
Let us help you
If you think it would help to lift any fog you may be experiencing, you are welcome to contact us for a no-obligation, no-cost telephone chat, and we will try to share any thoughts we may have from a fundraising point of view.
23.05.2018
For more information, call us on 01264 860003 or send an email.