Preferences v Consent: Getting Data Protection Right for Charities

Understanding the ‘what’, ‘when’, ‘why,’ ‘where’ and ‘who’ of consent will not only help protect your charity; it will also give you an opportunity to deepen engagement with supporters. Here are the key things you need to know.

Privacy policies or notices are under intense scrutiny from a distrustful public as well as regulators. With new legislation looming in the form of the EU General Data Protection Regulation (GDPR), now is the time for fundraisers to get data privacy right. Because getting it wrong could prove a very damaging and costly error.

Preferences are not consent

A common misconception – which could be a charity’s undoing – is that the new requirement under the GDPR is simply to update marketing preferences. This is not the case. From meeting and talking regularly with charities and, in particular, their fundraising teams, we’re aware how quickly conversations can switch from consent back to marketing preferences for campaigns. In part, it’s understandable – it’s the language charities are familiar with using. You routinely ask supporters how they would prefer to receive information. In turn, that becomes a tacit understanding that you therefore have the supporter’s consent.

But this is getting data protection wrong, and it’s a point that can’t go unchecked, not only because of the GDPR, but also due to the ongoing scrutiny by the Information Commissioner’s Office (ICO) around current practices regarding personal data – an issue that came to a head in December when the ICO ruled against the British Heart Foundation and the RSPCA, closely followed in January with notification that another 11 charities had been advised of impending action.

The following five questions, centred on the ‘what’, ‘why’, ‘who’, ‘when’ and ‘where’ of data privacy, will be key to you ensuring your charity does not fall foul of the new regulation:

1. WHAT data are you collecting?

Currently, our research shows only 61% of charities provide a statement about the collection of personal data in their privacy policy. It’s crucial we’re clear on the facts. The questions around personal data are not just “what piece of marketing literature we can send?”, or “can we call or visit these supporters?” Citizens, and organisations, need to know exactly what data has been collected, across every system, and what is in use by every department and for what purpose. And this all needs to be mapped.

The act of profiling is one area of data analysis that can be misconstrued by the market. Donor profiling should be about communicating and engaging with supporters by presenting them with the right message, at the right time. The ICO expresses that you need to be transparent about the personal information you collect, especially if you use it for insight by adding to it with other consented publicly available information. Yet our research highlighted that 73% of charities do not mention donor profiling in their privacy policy.

2. WHY are you collecting it?

Next, charities need to show why the data was collected in the first place. Organisations need to be clear on the purposes for which they are using data and ensure they have justifiable lawful reasons for collecting and processing this data. Where legitimate interests do not cover this, it is likely that charities will need to have gained specific consent before data can be collected under the new GDPR requirements. The World Economic Forum’s research found that people believe 67% of organisations, companies and agencies ask for too much information online.

This is a really important part of the new regulations because it pertains to security of personal data. You only have to monitor your own response when you’re asked for information that you feel is not required for the purpose at hand.

3. WHO is using the data?

The next aspect is being clear on exactly who is using the data. From the moment you’ve collected a supporter’s personal information, you need to know exactly who will have access to the data, internally with other departments and externally with other partners and collaborators. It’s worth being aware that third parties will also be liable for penalties under the GDPR.

Data privacy currently only pertains to data controllers. However, under GDPR, those who process data are also liable. For charities, this means that not only do you have to be compliant, but all of your partners who use this data need to be compliant also. There is a considerable risk to charities if they get compliance wrong.

4. WHEN does the consent expire?

Charities will also need to record exactly when permissions were granted for use of personal data. The current regulation and guidance from the ICO says data should be retained for “no longer than is necessary for the purpose you obtained it for”. Our research shows that 82% of charities don’t say how long they keep data on record in their privacy policy. Research from Data IQ in 2016 showed that 21% of consumers believe that consent is only valid for six months. While this enables data to be disposed of, it does present a challenge for charities to have a system that allows for time stamping when consent for data was obtained, and therefore notifying when consent is going to expire or allowing the safe and secure disposal of data. This element is key for the new GDPR. It is essential charities consider how long they need to retain data for and can show this period has been considered and documented. We are currently providing a number of our clients with consent audits, and one of the outputs is the length of time between donations. In some cases this can be considerable, but the supporter would still tell you they support the charity.

5. WHERE does the data come from?

Finally, where consent is used as the basis for processing data, we should know where this permission is granted. This means the exact source and channel. This is different to knowing what source and channel we have permission to use to market to people. It’s knowing where data has come from, and having proof that the charity has the right to process that data, based on a clear consent statement at the point of capture or a well-documented and considered legitimate interest review.

The definition of consent

If we look at how GDPR defines consent, we can see how different it is to marketing preferences: “‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

It’s easy to focus on the end part, because “processing of personal data” is what charities have been doing and need to do. In many charities there are sophisticated systems that make it easy to segment customers according to their preferences. This provides powerful information from models that predict a supporter’s future interactions. It also highlights profiles of prospective new donors who behave in a similar fashion to their most loyal supporters.

Equally, most charities will have opt-in and opt-out processes in place. However, just because your supporters have opted in to receive information, that does not constitute explicit, “informed and unambiguous indication of the data subject’s wishes”. Nor have they given “clear affirmative action” about “agreement to the processing of their personal data”.

It’s this confusion that makes organisations think that GDPR isn’t that different to the existing DPA.

And here’s the crucial bit that needs to be totally front of mind when reviewing a consent capture strategy: consent is a right. It gives the individual total control. It means that they own their personal data, and they have to give permission for charities to use their data. This applies to any data that’s held about that individual. It might be data for marketing. It could be data used for the provision of services. It could quite easily be financial details. And that’s before we even get into specific consents required for sensitive data such as race, gender and health.

Proof of supporters’ consent

As a charity, you have to prove you’ve gained explicit consent. You’ve got to be able to either amend individual supporter details, and their permissions, or give the supporter access to a system that allows them to control their consents. And you’ve got to be able to erase any personal data held, not from just one system, but all the systems that you or your partners operate. And furthermore, you must inform any third parties with whom you have shared this data (obviously with the supporter’s consent).

Preferences are, on the other hand, just that: a statement of how a supporter prefers one thing above another. This might be the type of communication they prefer – they might prefer email to phone. They might prefer receiving 10 raffle books instead of 5. They may like to be contacted annually rather than monthly. These preferences do not, in any way, confirm consent. This doesn’t mean you need a preference management system and a consent management system – both can be managed together when the right audit trail is built into your data foundation. Just view consent at a more granular level. For example: “I am providing consent for you to use my address details to send me communications on appeals, but not about lotteries.” But make sure you have maintained a record of the consent statement that was seen when the data and the purposes for use of the personal data were captured (source and time stamp).

An opportunity to deepen engagement

Now is the time not just to protect your charity, but to go a step further. To build and deepen the trust your supporters have. Improve your consent capturing procedures, the quality of your data (yes, now is the perfect time to merge and purge the dupes on the database) and update your policies. This will provide your charity with an excellent opportunity. An opportunity to seek your supporters’ permissions. An opportunity to engage at a deeper level. An opportunity to create a value exchange where both the supporter and you – the charity – will benefit.

Preferences versus consent: let’s get data protection right, from the beginning.

J Cromack is the CEO of Wood for Trees and Co-founder of MyLife Digital. For a simple solution to ensure a charity can remain GDPR Consent Compliant check out MyLife Digital’s Consentric Platform.

This article first appeared in CharityChoice.

GDPR Getting Data Protection Right | A fundamental pillar of the trust debate

Over the last few years we have been debating, lobbying and socialising the fears and concerns that an overly harsh update to the data protection laws in the EU might do to the marketing sector. Now that the EU General Data Protection Regulation (GDPR) has been ratified, we finally have more clarity, and the hard work can begin on its implementation. 

I recall the direct marketing sector often referring to the downside the GDPR might have on it, and whilst I appreciate there is still a huge amount of risk to many organisations and business models, I don’t recall much of a citizen-centric view being taken. During this time, the citizen’s attitudes towards, and understanding of, the use and protection of their own personal data and the value that exists within it have been gathering pace. Whilst the GDPR seeks to protect and respect the individual’s personal data and its use, an uncompromising adoption of the Regulation sooner rather than later has the ability to accelerate an organisation’s respect from the citizen – what some are calling a new era of “Growth Through Trust”.

“Trust” can mean many things, from transparency on how much the CEO of a charity is being paid, to what percentage of the funds raised are being spent on good causes and who is the charity sharing my data with? The guardianship of a citizen’s data, information and the permissions attached to it is a fundamental pillar of the trust debate.

In May 2014, the World Economic Forum published a paper titled “Rethinking Personal Data: A New Lens for Strengthening Trust”. The paper was the output of a multi-year initiative with global insights from the highest levels of leadership from industry, governments, civil society and academia, and aimed to articulate an up-and-coming vision of the value a balanced and human-centred personal data ecosystem could create. The key theme that came out of the research was the need for pragmatic and scalable approaches to personal data which strengthen transparency, accountability and the empowerment of individuals, and went as far as stating this to be a global priority. It highlighted the need for solutions and tools that answer fundamental questions – who has the data, where is the data and what is being done with it?

GDPR is therefore a great starting point to develop a Growth Through Trust model and organisations should be embracing the new legislation as a whole rather than just viewing it as an upgrade to the current UK Data Protection Act. Adopting a citizen centric model towards GDPR and empowering the citizen to fully control the access of their personal data by an organisation is one way to build trust. It also has the benefit of sharing accountability of the control of the data – potentially making the citizen their own data controller. 

The Data-Value Exchange: A few years ago we would never have considered a citizen wanting a consent portal or the ability to control the data usage permissions they have given to an organisation, but today this is fast becoming a reality. A recent DMA research report found that 91% of respondents wanted more control over the personal information they give organisations and the way it is stored. 38% of people cited trust as one of the key drivers for sharing data, far outweighing “freebies” and lower prices, which received 10% and 6% of responses respectively. This is reinforced by DataIQ’s recent research (GDPR: Identifying its impact on marketers and the consumer’s moment of truth), which found 41% of consumers do not need or expect anything in exchange for their personal data; they will give permission to use and store it if they believe it is relevant. This information underpins the need for transparency and clarity in the data value exchange.

The 5Ws: Like the 5Ps, which are a mix of business activities to build a brand and a business, we like to think of the 5Ws as an approach to building trust through GDPR.

Make the following clear to the individual:

WHAT data is being collected

WHY is it being collected and for what specific purpose (consent statement)

WHO will have access to the data

Make sure you capture:

WHEN and WHERE the permission was granted

Technology teams, creative, marketing, copywriting, legal and compliance are all going to have to work together seamlessly to capture and secure the data, deliver clear consent statements and provide frictionless methods for gaining and managing permissions. 

The new regulation will undoubtedly create challenges and, if not carefully managed, could have a big impact on current fundraising practices. However, smart organisations will also see the potential in embracing the overall ethos of “growth through trust” to build stronger relationships with their supporters and reap the rewards.

J Cromack

J is a co-founder of MyLife Digital and CEO of Wood for Trees.

MyLife Digital

In late 2014 MyLife Digital was established to build a trust platform for organisations to empower their members, supporters or customers to control their own data… who can see it, who can share it and what can be done with it. This will help individuals and organisations unlock the value in this data to deliver informed insights from informed consent. http://www.mylifedigital.co.uk

Wood for Trees

Wood for Trees makes things happen through data analytics and insight. They collaborate with some of the world’s best-known charities and not-for-profit organisations to improve fundraising efficiency and performance. http://www.woodfortrees.net