I’ll confess that, as a campaigner, thinking about data and data regulation isn’t one of the most exciting parts of my work.
But the GDPR, or the General Data Protection Regulation to give it its full title, is a set of important EU-wide changes that will impact all organisations, including charities and campaigning organisations, who hold data about members of the public. And with the GDPR coming into effect in May 2018, it’s worth spending a few moments understanding what it is and what it could mean.
Important disclaimer – the points below are drawn from reading a number of really helpful guides to the GDPR. I’m not a GDPR/data expert, so please check in with someone who is if you have specific questions.
Here are 7 things that you should know:
1. It covers all communications – lots of recent regulations have focused on fundraising practices, most prominently through the ‘opt-out’ from the Fundraising Regulator, but the GDPR affects anything that involves processing an individual’s personal data, which includes who can receive your campaigning communications or information held by volunteer campaign groups.
2. It’s not a moment to panic – We already have lots of guidance and regulation about how data is processed and held, so many of the GDPR changes are an ‘evolution, not a revolution’. Plus there is still lots of time to make sure that you’re compliant, and loads of people are providing helpful advice – my big recommended starting point is to look over the IoF report, which, although written for fundraisers, has lots of practical advice, as does this NCVO guidance.
3. It is about clear consent – At the heart of the GDPR is being able to show that consent to use someone’s data has been ‘freely given, specific, informed and an unambiguous indication through a statement or clear affirmative action, such as actively ticking a box’. So it means that there has to be a clear ‘opt in’ to getting further communications. The guidance suggests that pre-ticked boxes aren’t appropriate, and you’ll need to be able to show how the consent has been given if someone asks. You also need to have explicit consent if you plan to share the data with third-party providers.
4. Review the information you currently hold – ahead of the GDPR coming in you need to be reviewing what data you hold. So now is the time to make sure you’ve looked at all those extra spreadsheets and lists you might have with personal data in, and also make sure you’re aware of the changes that the GDPR brings to communicating with under 16s.
5. Power over information – The GDPR gives individuals more power over the information you hold on them, including being able to ask to have their personal data deleted from your database, being able to request what information you hold on them through a ‘subject access request’ (there is a campaign tactic in this as well I think), or to have it rectified if it’s not correct. Again, it’s about thinking through what that means for the information you hold.
6. Work with others within your organisation – if your organisation has someone who is responsible for your database, it’s time to talk with them, if you’re not already, about what they’re doing and how you can help. If your data management approach is shared across different teams, make sure you’re starting to talk together.
But either way, start to check in with others, and also make sure that you’re drawing in your board or senior management. Although they might not do the work of implementing the guidance, the risk of not being compliant means they need to be aware, not least as the fines from the Information Commissioner for data breaches are much higher.
7. Share with others outside your organisation – Some of the ways that organisations have found to grow and build campaigning lists will have to change under the GDPR, but that shouldn’t mean that growing your list, re-engaging lapsed supporters or supporting local groups isn’t possible. Organisations sharing approaches that are working and compliant will be really useful in ensuring that this isn’t regulation that stifles campaigning.
Still looking for more on the GDPR? Then I’d recommend a read of GDPR: The essentials for fundraising organisations by the IoF and How to prepare for GDPR and data protection reform by NCVO. The official ICO guidance is here.