
GDPR for non-profits

Ellie Budd
Published in William Joseph
7 min read · Nov 13, 2017

TL;DR — changes to data protection regulations mean that harsher fines can be issued for not handling your customer data with care. It’s especially important for charities to understand the ways this will impact them.

GDPR is hopefully an acronym everyone has heard by now. It’s been on the radar for a while, and as time rushes by, it is talked about more and more in all different kinds of circles. It’s reached almost myth-like status, and in my experience is used frequently for effect (even if the perpetrator doesn’t really understand the details themselves) — “Oh, you will have to stop doing that next year. Because GDPR”.

What does it actually mean? The General Data Protection Regulation (GDPR) is a change to data standards in the EU, coming into force on Friday 25 May 2018. The term often used to describe the new regulations is ‘privacy by default’. New ePrivacy regulations come out at the same time, and combined with the GDPR, they apply a much more user-centred focus to the way organisations handle personal data, and give individuals more control of how their data is used. It’s a change in culture as much as a change in regulations, making an individual’s time online more like the real world (where people don’t normally follow you around the shops).

For everything that’s out there, I’ve not yet read a breakdown of what this means, on a practical basis, for any given organisation. One of the biggest reasons for this is undoubtedly that the regulations are not black and white. There’s still lots of room for interpretation, which makes it very hard to pin down exactly what they mean or don’t mean.

However, there are things that are possible to confirm, or at least confidently speculate on. Broadly speaking, here are some of the main things the new GDPR will mean for organisations:

  1. Every organisation now has to employ a data protection officer
  2. And complete a data privacy impact assessment
  3. A breach (e.g. a hack, a lost memory stick) must be raised to the Information Commissioner’s Office (ICO) within 72 hours, and there will be bigger fines if a data breach occurs. Therefore the security of an organisation’s technology systems is now even more important
  4. Personal data will mean more than just names and addresses. This is still a grey area and so more information is needed, but it appears that if an individual can be uniquely identified by an Ad ID, an IP address, or cookies, then this also constitutes personal data
  5. Organisations can only collect data once a positive action has taken place, where the user has ‘done something’ such as clicked on a button
  6. The user must be explicitly told how their data is going to be used (e.g. for a year, not sold to any third parties, used by sub-brands)
  7. Consent requests have to be clear and broken out from other terms and conditions
  8. ‘Opting in’ to any communications now must have explicit tick boxes that aren’t hidden, and aren’t an assumed ‘yes’
  9. Consent also has to be explicit on a name basis with third parties — “give permission to pass your details onto our selected partners” will no longer be accepted
  10. Organisations have to make sure the consent a customer has given is recorded accurately, and keep a record of everything they do with it for regulatory purposes. They also have to provide ongoing transparency to individuals (e.g. if they ask to be removed, that will mean they can never be added back on the same details)
  11. Organisations can hold onto data and contact customers, even if they have objected to direct marketing, if there is ‘legitimate interest’
  12. Data can only be kept for a set period of time, but there isn’t a clear view on what that time period is yet

So why is this important for non-profits?

This is what we think is going to be different:

1. The cost of the fines

If anything goes wrong, like an employee leaving documents with details of volunteers’ contact addresses on a train, then the fines are now much higher — up to €20m or 4% of your annual turnover. This is obviously very impactful for a charity, and no employee wants to be responsible for the loss of income to the cause they work for. This can be used as an incentive to up-skill staff on data security, to create a culture where everyone is aware of best practices and puts their supporters’ needs at the heart of the communications.

2. The need to employ specialist roles

Are you a public authority, or do you carry out large-scale systematic monitoring of individuals (for example, behaviour analysis or targeted marketing)? If you don’t have one already, you are going to need to employ a data protection officer. Their job is to advise, give information and monitor how the organisation manages its data.

3. The way personal data is stored and sent

There are going to be much stricter regulations on the security of the personal data you store and transfer. It is not going to be OK to do things like save a list of telephone numbers to your documents, or email an Excel sheet of names and addresses from your work email to your personal email to use when you are working from home (in fact we’ve already seen convictions of this nature take place just last week). This is why you will need someone whose role it is to advise on how to keep your data secure.

4. The need to opt in

Consent in this context refers to an individual agreeing to how their personal details are used by an organisation. The regulations now state that you have to make it clear to individuals what they are consenting to, and make it as easy as possible to withdraw. Consent to use data to contact the individual, or to share it with third parties, now needs to be broken out as much as possible from things like terms and conditions and privacy policies.

Where before interactions such as the examples below were tolerated, now the individual must be explicitly able to ‘opt in’ to something.

Example 1 (screenshot in the original post): forces the individual to read the text carefully and actively opt themselves out.
Example 2 (screenshot in the original post): has the checkbox already ticked when the page opens, and forces the individual to untick it themselves.

This kind of trickery won’t be acceptable any more.

Even better is the ability to allow the individual to choose which channels they would like to hear from you on. Here are some examples where this is already being done well (screenshots in the original post): RNLI and Cancer Research UK.

For individuals that have consented, any future communications must have clear unsubscribe features that work within 28 days.
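As an added illustration (this is not code from the original post), here is a minimal consent ledger in JavaScript that models the rules described in this section and in point 10 above: consent is per channel and never assumed, it is recorded with the wording version shown and the time, a withdrawal is logged rather than overwritten, and a removal request suppresses the details so they cannot be added back. The channel names and the ledger functions are assumptions for the example.

```javascript
// Added example (not from the original post): a minimal consent ledger with
// per-channel opt-in (no pre-ticked default), a record of what was shown and
// when, logged withdrawals, and suppression of removed details.
const CHANNELS = ["email", "sms", "post", "phone"]; // assumed channel names

function createLedger() {
  return { consents: new Map(), suppressed: new Set() };
}

// Record an explicit opt-in. `ticked` holds only the channels the supporter
// actively selected; every other channel is recorded as refused.
function recordConsent(ledger, email, ticked, wordingVersion, now = new Date()) {
  const key = email.trim().toLowerCase();
  if (ledger.suppressed.has(key)) {
    throw new Error("contact asked to be removed; cannot re-add on the same details");
  }
  for (const c of ticked) {
    if (!CHANNELS.includes(c)) throw new Error(`unknown channel: ${c}`);
  }
  const record = {
    channels: Object.fromEntries(CHANNELS.map((c) => [c, ticked.includes(c)])),
    wordingVersion, // which version of the consent text was shown
    recordedAt: now.toISOString(),
    history: [], // later withdrawals, kept for the audit trail
  };
  ledger.consents.set(key, record);
  return record;
}

function mayContact(ledger, email, channel) {
  const rec = ledger.consents.get(email.trim().toLowerCase());
  return Boolean(rec && rec.channels[channel]);
}

// Unsubscribe from one channel; the withdrawal is logged, not overwritten.
function withdrawChannel(ledger, email, channel, now = new Date()) {
  const rec = ledger.consents.get(email.trim().toLowerCase());
  if (!rec) return false;
  rec.channels[channel] = false;
  rec.history.push({ action: "withdraw", channel, at: now.toISOString() });
  return true;
}

// Full removal request: delete the record and suppress the address.
function requestRemoval(ledger, email) {
  const key = email.trim().toLowerCase();
  ledger.consents.delete(key);
  ledger.suppressed.add(key);
}
```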

5. The way supporters can be marketed to

The ePrivacy Regulations make it clear that unsolicited marketing is not allowed — texts and emails are included in the new regulations that stop organisations sending communications without permission from an individual.

It can generally be assumed that, through the old consent tactics illustrated above, many organisations’ contact lists consisted of individuals who had unknowingly given their permission. With these practices gone, you will find you have a smaller pool of individuals to market to.

It will also mean stricter rules on marketing to new audiences. For example, it may be that profiling cannot be done without consent — so a Facebook ad to women in their 40s who support local causes won’t be possible. This forces organisations, especially not-for-profits with tight budgets, to think of innovative ways to reach new audiences. It also opens up space to try out new initiatives to encourage the individual to voluntarily opt in to hear more.

6. The concept of legitimate interest

Legitimate interest is going to be a big grey area and a very difficult one to regulate. What’s interesting here is that the Data Protection Network (DPN) suggests legitimate interest could include direct mail from a charity to existing supporters updating them on details of upcoming events. I can imagine this being a very difficult area to get right. When does an upcoming event become a call to fundraise for the charity? How often can existing supporters be contacted in this way? The ICO is expected to bring out more guidance in December, and we will be watching this with interest to see if anything more develops.

7. The potential change to Google Analytics

This is still not confirmed, but it’s looking like under the new ePrivacy Regulations, an individual will have to have consented to cookies to have their browsing data collected in Google Analytics. The great free tool that anyone with a website uses on a regular basis will no longer contain an accurate portrayal of performance. I’m really hoping this won’t be the case.

8. The need to think more user-centrically

The change is being made in order to give the individual control of how their data is taken, stored and passed on. It therefore forces all organisations to think more about the needs of their customers over their own. This kind of shift in mindset is such a step forward for Digital Transformation.

Have you had any thoughts on what the GDPR will mean for your organisation? Let us know in the comments below.

Ellie Budd, Product Manager at William Joseph. Digital transformation enabler. Good communication fan. Lover of running, travel and equality.