
Preferences v Consent: Getting Data Protection Right for Charities

Understanding the ‘what’, ‘when’, ‘why’, ‘where’ and ‘who’ of consent will not only help protect your charity; it will also give you an opportunity to deepen engagement with supporters. Here are the key things you need to know.

Privacy policies or notices are under intense scrutiny from a distrustful public as well as regulators. With new legislation looming in the form of the EU General Data Protection Regulation (GDPR), now is the time for fundraisers to get data privacy right. Because getting it wrong could prove a very damaging and costly error.

Preferences are not consent

A common misconception – which could be a charity’s undoing – is that the new requirement under the GDPR is simply to update marketing preferences. This is not the case. From meeting and talking regularly with charities and, in particular, their fundraising teams, we’re aware how quickly conversations can switch from consent back to marketing preferences for campaigns. In part, it’s understandable – it’s the language charities are familiar with using. You routinely ask supporters how they would prefer to receive information. In turn, that becomes a tacit understanding that you consequently have the supporter’s consent.

But this is getting data protection wrong, and it’s a point that can’t go unchecked, not only because of the GDPR, but also due to the ongoing scrutiny by the Information Commissioner’s Office (ICO) around current practices regarding personal data – an issue that came to a head in December when the ICO ruled against the British Heart Foundation and the RSPCA, closely followed in January with notification that another 11 charities had been advised of impending action.

The following five questions, centred on the ‘what’, ‘why’, ‘who’, ‘when’ and ‘where’ of data privacy, will be key to you ensuring your charity does not fall foul of the new regulation:

1. WHAT data are you collecting?

Currently, our research shows only 61% of charities provide a statement about the collection of personal data in their privacy policy. It’s crucial we’re clear on the facts. The questions around personal data are not just “what piece of marketing literature can we send?”, or “can we call or visit these supporters?” Citizens, and organisations, need to know exactly what data has been collected, across every system, and what is in use by every department and for what purpose. And this all needs to be mapped.

The act of profiling is one area of data analysis that can be misconstrued by the market. Donor profiling should be about communicating and engaging with supporters by presenting them with the right message, at the right time. The ICO states that you need to be transparent about the personal information you collect, especially if you use it for insight by supplementing it with other consented, publicly available information. Yet our research highlighted that 73% of charities do not mention donor profiling in their privacy policy.

2. WHY are you collecting it?

Next, charities need to show why the data was collected in the first place. Organisations need to be clear on the purposes for which they are using data and ensure they have justifiable lawful reasons for collecting and processing this data. Where legitimate interests do not cover this, it is likely that charities will need to have gained specific consent before data can be collected under the new GDPR requirements. The World Economic Forum’s research found that people believe 67% of organisations, companies and agencies ask for too much information online.

This is a really important part of the new regulations because it pertains to security of personal data. You only have to monitor your own response when you’re asked for information that you feel is not required for the purpose at hand.

3. WHO is using the data?

The next aspect is being clear on exactly who is using the data. From the moment you’ve collected a supporter’s personal information, you need to know exactly who will have access to the data, internally with other departments and externally with other partners and collaborators. It’s worth being aware that third parties will also be liable for penalties under the GDPR.

Data privacy currently only pertains to data controllers. However, under GDPR, those who process data are also liable. For charities, this means that not only do you have to be compliant, but all of your partners who use this data need to be compliant also. There is a considerable risk to charities if they get compliance wrong.

4. WHEN does the consent expire?

Charities will also need to record exactly when permissions were granted for use of personal data. The current regulation and guidance from the ICO says data should be retained for “no longer than is necessary for the purpose you obtained it for”. Our research shows that 82% of charities don’t say how long they keep data on record in their privacy policy. Research from Data IQ in 2016 showed that 21% of consumers believe that consent is only valid for six months. While this enables data to be disposed of, it does present a challenge for charities to have a system that allows for time stamping when consent for data was obtained, and therefore notifying when consent is going to expire or allowing the safe and secure disposal of data. This element is key for the new GDPR. It is essential charities consider how long they need to retain data for and can show this period has been considered and documented. We are currently providing a number of our clients with consent audits, and one of the outputs is the length of time between donations. In some cases this can be considerable, but the supporter would still tell you they support the charity.

5. WHERE does the data come from?

Finally, where consent is used as the basis for processing data, we should know where this permission is granted. This means the exact source and channel. This is different to knowing what source and channel we have permission to use to market to people. It’s knowing where data has come from, and having proof that the charity has the right to process that data, based on a clear consent statement at the point of capture or a well-documented and considered legitimate interest review.

The definition of consent

If we look at how GDPR defines consent, we can see how different it is to marketing preferences: “‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

It’s easy to focus on the end part, because “processing of personal data” is what charities have been doing and need to do. In many charities there are sophisticated systems that make it easy to segment customers according to their preferences. This provides powerful information from models that predict a supporter’s future interactions. It also highlights profiles of prospective new donors who behave in a similar fashion to their most loyal supporters.

Equally, most charities will have opt-in and opt-out processes in place. However, just because your supporters have opted in to receive information, that does not constitute explicit, “informed and unambiguous indication of the data subject’s wishes”. Nor have they given “clear affirmative action” about “agreement to the processing of their personal data”.

It’s this confusion that makes organisations think that GDPR isn’t that different to the existing DPA.

And here’s the crucial bit that needs to be totally front of mind when reviewing a consent capture strategy: consent is a right. It gives the individual total control. It means that they own their personal data, and they have to give permission for charities to use their data. This applies to any data that’s held about that individual. It might be data for marketing. It could be data used for the provision of services. It could quite easily be financial details. And that’s before we even get into specific consents required for sensitive data such as race, gender and health.

Proof of supporters’ consent

As a charity, you have to prove you’ve gained explicit consent. You’ve got to be able to either amend individual supporter details, and their permissions, or give the supporter access to a system that allows them to control their consents. And you’ve got to be able to erase any personal data held, not from just one system, but all the systems that you or your partners operate. And furthermore, you must inform any third parties with whom you have shared this data (obviously with the supporter’s consent).

Preferences are, on the other hand, just that: a statement of how a supporter prefers one thing above another. This might be the type of communication they prefer – they might prefer email to phone. They might prefer receiving 10 raffle books instead of 5. They may like to be contacted annually rather than monthly. These preferences do not, in any way, confirm consent. This doesn’t mean you need a preference management system and a consent management system – both can be managed together when the right audit trail is built into your data foundation. Just view consent at a more granular level. For example: “I am providing consent for you to use my address details to send me communications on appeals, but not about lotteries.” But make sure you have maintained a record of the consent statement that was seen when the data and purposes for use of the personal data were captured (source and time stamp).

An opportunity to deepen engagement

Now is the time not just to protect your charity, but to go a step further. To build and deepen the trust your supporters have. Improve your consent capturing procedures, the quality of your data (yes, now is the perfect time to merge and purge the dupes on the database) and update your policies. This will provide your charity with an excellent opportunity. An opportunity to seek your supporters’ permissions. An opportunity to engage at a deeper level. An opportunity to create a value exchange where both the supporter and you – the charity – will benefit.

Preferences versus consent: let’s get data protection right, from the beginning.

J Cromack is the CEO of Wood for Trees and Co-founder of MyLife Digital. For a simple solution to ensure a charity can remain GDPR Consent Compliant check out MyLife Digital’s Consentric Platform.

This article first appeared in CharityChoice.


Falling off the data wagon!

January 3rd 2015 and I am already feeling the draw of data.  I made a promise to myself when I left my last role in data, I would take a break from hypothesising about the insights data can deliver to brands and businesses.

Yet here we are 5 weeks on, Christmas and New Year celebrations just over and I am already hypothesising – this time about equities!  I am not about to give away my idea on how I think you can predict the stock market, but to say it involves easily accessible data such as social sentiment, economic data and a few simple rules!

This then got me thinking about the right to be forgotten and the GDPR debate plus a book I read in the summer of 2014, called The Circle by Dave Eggers.

“The Circle is a work so germane to our times that it may well come to be considered as the most on-the-money satirical commentary on the early internet age.” 

Edward Docx, The Guardian October 2013.

This book has made me challenge my ethics when it came to data mining and what my colleagues and I were trying to do to better understand human behaviour and how we could use gentle nudges to influence that behaviour. Reading this book has helped me understand why new regulations (like the [potential] forthcoming GDPR) are needed to catch up with the digital age.

But if trust in organisations declines and people start to go off grid, as per the Circle, a digital society may be halted and we all suffer – society, business and the people themselves.

I accept that we want to hide certain things about ourselves, but we need to help business, brands and even governments understand more about us so we can receive better services, messages and value. But for this to work, we have to trust the organisations with our data and be in control of how our personal data is being used (both obtained and received) and for what purpose. I’m not just talking about targeted sales messages about the latest Rapha cycling bib shorts (in the case of this author), but preventative messages such as health related ones. These could be based on data shared from something like a Garmin, and profile data including age, sex, where we live, the restaurants and pubs we visit as well as the frequency! This may seem like Big Brother, but it then comes down to how this data is used ethically and the way the message is presented to help better people’s lives. What I mean by this is simple: the message shouldn’t say… we know you visit the pub 3 times a week and your average heart rate when cycling on the flat looks pretty worrying! But a service message advising a general health check at the local health centre, together with a map and simple booking procedure. (If only I could get past the receptionist at our health centre!!!).

The upsides of sharing and giving permission to use our data are huge. The two use cases above would help us because I’d only get ads I’m interested in, and if we could prevent more illness by identifying at-risk individuals and screening earlier, the burden on the health service could be significantly reduced, saving hundreds of millions of pounds (as well as lives saved).

As a data practitioner I am in total agreement with the rules that we abide by when managing and processing data, but too often we tend to focus on the downsides of sharing personal data and how we store and protect it and not enough time delivering the true value and benefits that can be delivered from trusted data.

With the GDPR (still in draft) looking likely to be a focus for many organisations in the years to come, I believe it should be embraced and leveraged so all organisations can become trusted data stewards and grow by building trust with their consumers, patients, customers [etc], by putting their data into their hands and empowering them to use it.

The personal data revolution is happening, and I have a sneaky feeling something big is about to happen.

Happy New Year!

J Cromack  January 3rd 2015