Data Protection Reform – Blackbaud’s Update
GDPR – December Update
Key updates on Data Protection Reform following further releases of information from the ICO and Fundraising Regulator. What can we expect over the next few months, and what should non-profits be doing right now to get ready?
Earlier this autumn, Blackbaud Europe published a statement detailing our position on the Data Protection Reform legislation, encompassing GDPR and the Fundraising Regulator, along with a handy guide to give a useful summary of the planned changes. As promised, we will continue to provide regular updates as new information comes to light.
Originally the ICO announced that it planned to publish its interpretation of GDPR in November 2016. However, they revised their timetable in October, saying that they now won’t issue any guidance until 2017, and even then we should not expect all the guidance to be published in one go – it will come in stages.
This means, of course, that the ICO will now be out-of-sync with the Fundraising Regulator, who said they will release their guidance before Christmas. However, it’s clear that the Fundraising Regulator’s guidance will go ‘beyond’ compliance. So we are not unduly concerned that they will be out of step with the ICO. If non-profits follow the guidance issued by the Fundraising Regulator this year, then they are highly likely to be fully compliant with anything the ICO subsequently publishes in 2017.
We also remain very eager to engage with the Fundraising Regulator in a more technical discussion around the practicalities of integration and matching of the Fundraising Preference Service.
Our current understanding
It is clear that there are changes afoot, and some important new legislation of which we must all be aware. Blackbaud’s message is that sound preparation for GDPR would be making sure you are adhering well to current obligations under the Data Protection Act and PECR. If you are doing the currently-required things correctly then there will be far less of a jump to GDPR.
Transparency, reasonability and supporter experience are three key principles we have seen shining through recent communications and discussions across the sector:
1. Embrace transparency as a means of building trust and confidence with your supporters. Provide a clear Privacy Notice to individuals about how you will use their personal data and make this easily accessible online and within communications – use understandable language, not jargon, and don’t hide it away with small fonts!
2. The concept of reasonability is a useful guiding principle. For example:
o Your supporters can make a Subject Access Request at any stage to see the data you hold about them, so always ask yourself how they may feel upon seeing this data; even if a little surprised, will they consider it reasonable?
o If an individual requests to have their data removed or be forgotten, it makes sense that you will need to retain a minimal amount of data, appropriately secured, for required purposes and to prevent them being mistakenly contacted again in the future.
o Beginning a 1:1 relationship with a new prospective supporter by requesting acceptance of a complex consent form could be inappropriate for them as well as you, so a sensible path may be to build up ‘layered consent’ over several touch-points.
o Your use of data may evolve over time and it can be impractical for everyone to ‘reset’ consents after minor changes to your Privacy Notice, so setting out a reasonable timeframe for periodically renewing consent offers a more manageable alternative.
3. If you are continually considering ways to enhance your supporters’ experience, and inviting and matching their interests, then this is likely to help you drive long-term successful impact. There have already been several successes across the sector by non-profits who have embraced better understanding and responding to their supporters’ preferences.
Alongside a number of useful blogs and reports published by the NVCO, consultants and others, these topics are being very well discussed at events hosted by the Institute of Fundraising, CASE, IDPE and others. An example was the very useful Data Protection session, led by Victoria Cetinkaya of the ICO, at the IOF’s recent Researchers in Fundraising Conference.
Collecting consent – start now:
Many charities, large and small, have already switched – or begun switching – to an ‘opt-in’ system of collecting consent to communicate with supporters and to store their data. Our recommendation is that all non-profits move towards channel-based opt-in today, working towards achieving transparent, supporter-focused engagement.
In particular, you can and should be collecting consent now – consent that complies with the GDPR’s definition of being freely given, specific, informed and unambiguous. Likewise, be clear about how you use your supporters’ data. If what we are doing is reasonable, then our supporters will understand this, provided we explain it clearly and in their language. And if it isn’t reasonable, then we should stop doing it!
There’s no need to wait until GDPR becomes law in May 2018, you can take steps forward now.
Privacy Notices are necessarily very specific to each organisation. If you need help getting started, take a look at the ICO’s recommended wording for a best practice Privacy Notice. This is a good place to start, but do note that you will need to make edits to cover your unique processes and practices. Contact Blackbaud if you have questions about how your CRM and digital systems can help. Also keep an eye out for a further update from us shortly around what we’re doing across our products to help you, and let us know if you would like to contribute to our product discovery process.
While the information provided above is reliable, it does not constitute legal advice and should not be construed as legal advice or a legal opinion on any specific facts or circumstances.