Paula Alionyte

5 steps small charities should take now to prepare for GDPR

You must be living under a rock if you haven’t yet heard of GDPR. Every business, every charity and most individuals who have any involvement with personal information processing must have read about it by now.

I appreciate that as a small charity, you must be struggling to understand the vast amount of information on the subject available online and figuring out which parts of the new regulation you need to act on.

This brief article gives small international development charities in the UK a quick, easy-to-digest guide to preparing for the data protection law changes that come into force in the next two weeks.

Number 1: Look at where your data comes from, where it sits and who you share it with

It is very important that you are as thorough as you possibly can be when working on this. You need to think personal data here: where does the data you hold come from? Do you collect it through paper forms handed out at fundraising events? E-newsletter list? Donation pages on your website? Take your time to map out each way in which you receive personal information.

Where is your data stored? How many different platforms do you have? Do you use a fundraising database to record donor information but also use an email marketing platform? Are both of those platforms safe? How do you know that they are safe?

Lastly, who has access to this data? Do you have a database user agreement to ensure that new staff understand their responsibilities for data processing and safety before they are given rights to manipulate the information? How many third parties do you share this data with? Do you have contracts with them that set out your privacy notice and in which they tell you how they keep the data you share with them safe?

Practical advice: When I say “map it out”, I literally mean taking an A3 sheet of paper and mapping out these three sections – how you receive data, how you store data and how you share data. You can always transfer this information to a written data protection policy afterwards.

Number 2: Update your privacy notice

You want to make sure that the people whose data you’re processing know exactly how and why you do it. Take time to look at your current privacy policy (a statement on your website, most likely available as a click-through link in the footer of the homepage) and update it to ensure that it covers data gathering, data processing, data sharing, how you communicate with your supporters, how they can update their communication preferences, and the data your website may collect for analytics purposes (e.g. cookies). Many charities have already updated their policies, so there is no need to reinvent the wheel here; do some digging and write up your own policy using existing examples.

After the privacy policy is updated, ensure that at least a statement of where it can be found and how it can be accessed is available at each and every point of data collection (mapped out in step 1).

Practical advice: Most charities think of terms and conditions when I mention a privacy policy. That is the one thing it should not be: a convoluted legal statement with no relevance to the everyday work of the organisation (a bit harsh!). Make sure you use plain language and short sentences so that it is accessible to your audience.

Number 3: Ensure you have the right to contact people

This is something you should treat as a priority; however, it is hard to do before you have gone through the first two steps. You need to know what type of data you hold and how you process it in order to understand which segments you need to worry about when collecting consent (you don’t want to bombard your entire mailing list if some of those individuals have already consented). You also need to have the privacy policy in place so that you can share it with the people whose data you’re processing and ensure that they have access to the latest version (the one describing how you plan to comply with GDPR).

The opt-in vs. legitimate interest argument could turn into a long conversation but, to put it simply, if we only talk about email communications here, you must have explicit consent from an individual in order to contact them via email. So if you don’t know whether the people on your mailing list ticked the box to say they wish to be contacted, you need to regain their consent to contact them after 25 May. I suggest that you create an embeddable form on your website (at the top of the privacy policy page) for communication preference updates and put together an email in which you tell people about the upcoming changes and ask them to opt in to your communications.

Practical advice: Keep your email as simple as possible and make sure your form has clearly laid out tick boxes (no double-barrelled questions or convoluted statements). Try to come up with a catchy subject line to get as many people as possible to open and click through. I suggest that you send an email in the next couple of days, then one a week before GDPR comes into force and the last one a day prior to it (24 May).

Number 4: Write up a policy on getting rid of “dead data”

Data retention is another important aspect of GDPR. You need to ensure that you have a policy in place that sets out how you keep people’s data and for what purposes. You probably know that for both HR and Gift Aid purposes, you need to keep people’s data for 6 years. Think about supporters: how long do you think you should keep their data for? Are there any supporters whose data you would like to keep indefinitely even if they do not support the organisation by giving regularly (e.g. legacy pledgers)? What number of years could you justify? Make sure that you write it up in a document and that you implement this policy in your work (delete data on an annual basis?).

Number 5: Document your processes

The last thing to touch on is that GDPR expects organisations to record their processes. Everything that you have done in the first four steps should be documented in your organisation’s data protection policy. What’s the structure of the policy, you ask? Essentially, it’s all about how you gather, process, store and share data and how you ensure that all of your processes comply with GDPR.

Practical advice: Make sure that your overall data protection policy includes links to any other sources of information, such as the privacy policy page on your website, your communication preferences form, etc. Make sure that the date it was last updated appears in the footer of the document.

There are many other things I could talk about when it comes to preparing for GDPR, but I don’t want to make it more daunting than it already is. I suggest that you start by working through the five steps above so that you are as ready as you can be by 25 May, and then take some time to look into the other areas of the regulation that you may need to do more work on.

Below is the list of resources that I found useful in learning more about GDPR.

  1. Information Commissioner’s Office (ICO): https://ico.org.uk/

  2. General Data Protection Regulation: https://gdpr-info.eu/

  3. 12 steps to take now to prepare for GDPR: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

  4. Personal information and fundraising: consent, purpose and transparency: https://www.fundraisingregulator.org.uk/wp-content/uploads/2017/02/GuidanceFinal.pdf

  5. Fundraising Preference Service: https://public.fundraisingpreference.org.uk/

  6. GDPR on community fundraising: https://www.institute-of-fundraising.org.uk/documents/3-gdpr-spotlight-on-community-fundraising/

  7. GDPR on corporate fundraising: https://www.institute-of-fundraising.org.uk/documents/4-gdpr-spotlight-on-corporate-fundraising/

  8. GDPR on legacies: https://www.institute-of-fundraising.org.uk/documents/5-gdpr-spotlight-on-legacies/

  9. GDPR on trusts: https://www.institute-of-fundraising.org.uk/documents/6-gdpr-spotlight-on-trusts/

  10. Privacy Impact Assessment: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf

I really hope that this article was helpful. If you wish to discuss any of this in more detail, feel free to drop me an email at paula@fairdevelopmentconsulting.co.uk anytime. I look forward to hearing from you, and good luck!

#database #dataprotection #GDPR #dataregulations #smallcharities #internationaldevelopment #policy #communications #communicationspreferences