The Olive Cooke case caused a media storm when it was declared that excessive direct mailings sent from charities contributed to her death. With this, the government began to review the current data protection laws with the intent to reform the legislation. As a result, the General Data Protection Regulation (GDPR) was born and is predicted to become one of the most impactful legislative measures set to get charities and their fundraisers in line.
From 25 May 2018, the Data Protection Act will be replaced by the GDPR. The new legislation will introduce stricter penalties for organisations who fail to comply. The GDPR will be adopted by all and with stricter guidelines, it should tackle misconduct that has been associated with charities and not-for-profits.
The GDPR will apply to all personal and sensitive data as a way to safeguard and give more choice to individuals. All charities will be required to provide opt-in options to all donors and prospects, as well as the ability to choose whether they wish to receive calls, emails or printed content. Additionally, charities will need to ask existing individuals on the database if they wish to be kept on the database or removed from all communication. The government has introduced several new principles including the “right to be forgotten” and the “right to object” clause, which will allow individuals to object to their details being used, shared, transferred or held. Upon request, organisations will need to remove the individual from all communications immediately. Read all of the GDPR principles here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/principles/
The sanctions under the GDPR are stricter than that of the Data Protection Act due to misconduct and misuse of data, which was apparent in the Olive Cooke case. Failure to comply can result in organisations being fined up to €20million or four percent of the organisations’ worldwide turnover. In order to avoid this becoming a possibility, there are several processes charities must become acquainted with. To prepare for the changes, charities must:
- Only use the medium you are authorised to use: Charities will be obligated to only use the channel that the individual has opted in to be contacted on.
- Unsubscribes are not to be contacted: If an individual has actively asked to unsubscribe, it is important to refrain from contacting them again. You should never contact them to ask if they wish to be subscribed back to your content.
- Alert Everyone: Make sure that everyone in your organisation, especially those who have access to your data or donor information, are aware of the GDPR. Otherwise you will be held directly responsible if your staff are still emailing contacts or breaching the law.
- Reconsent your active users: Using the medium that the individual has consented to, ask donors if they would like to remain on your database. You can, however, use this as an opportunity to ask if they would like to be kept up to date via other forms of communication.
- Have Data Protection Officers (DPOs) in place: Under the new legislation, DPO’s must be appointed to manage and ensure compliance within the organisation under GDPR requirements
- Safety, encryption and Risk: With data protection soon to be stricter, so should your internal processes. Organisations should take extra precaution to ensure that data is safeguarded. Find out how you can do this in our article; Charities and Cyber-Risks: How to stay protected online
- Establish retention periods: Over the course of time, some users will become inactive or unresponsive. Establishing retention periods so you can keep donor information accurate and your database responsive.
The Information Commissioner's Office (ICO) has a range of tailored content that is specific to charities and not-for-profits which can help get you get in check before the legislation is enforced. You can view the tools and resources available here at the ICO Charity sector toolkit.
To discuss this article, or to discuss your own personal case, contact firstname.lastname@example.org.