Understanding the ‘what’, ‘when’, ‘why,’ ‘where’ and ‘who’ of consent will not only help protect your charity; it will also give you an opportunity to deepen engagement with supporters. Here are the key things you need to know.
Privacy policies or notices are under intense scrutiny from a distrustful public as well as regulators. With new legislation looming in the form of the EU General Data Protection Regulation (GDPR), now is the time for fundraisers to get data privacy right. Because getting it wrong could prove a very damaging and costly error.
Preferences are not consent
A common misconception – which could be a charity’s undoing – is that the new requirement under the GDPR is simply to update marketing preferences. This is not the case. From meeting and talking regularly with charities and, in particular, their fundraising teams, we’re aware how quickly conversations can switch from consent back to marketing preferences for campaigns. In part, it’s understandable – it’s the language charities are familiar with using. You routinely ask supporters how they would prefer to receive information. In turn that’s a tacit understanding that consequently, you have the supporter’s consent.
But this is getting data protection wrong, and it’s a point that can’t go unchecked, not only because of the GDPR, but also due to the ongoing scrutiny by the Information Commissioner’s Office (ICO) around current practices regarding personal data – an issue that came to a head in December when the ICO ruled against the British Heart Foundation and the RSPCA, closely followed in January with notification that another 11 charities had been advised of impending action.
The following five questions, centred on the ‘what’, ‘why’, ‘who’, ‘when’ and ‘where’ of data privacy, will be key to you ensuring your charity does not fall foul of the new regulation:
1. WHAT data are you collecting?
2. WHY are you collecting it?
Next, charities need to show why the data was collected in the first place. Organisations need to be clear on the purposes for which they are using data and ensure they have justifiable lawful reasons for collecting and processing this data. Where legitimate interests do not cover this, it is likely that charities will need to have gained specific consent before data can be collected under the new GDPR requirements. The World Economic Forum’s Research found that people believe 67% of organisations, companies and agencies ask for too much information online.
This is a really important part of the new regulations because it pertains to security of personal data. You only have to monitor your own response when you’re asked for information that you feel is not required for the purpose at hand.
3. WHO is using the data?
The next aspect is being clear on exactly who is using the data. From the moment you’ve collected a supporter’s personal information, you need to know exactly who will have access to the data, internally with other departments and externally with other partners and collaborators. It’s worth being aware that third parties will also be liable for penalties under the GDPR.
Data privacy currently only pertains to data controllers. However, under GDPR, those who process data are also liable. For charities, this means that not only do you have to be compliant, but all of your partners who use this data need to be compliant also. There is a considerable risk to charities if they get compliance wrong.
4. WHEN does the consent expire?
5. WHERE does the data come from?
Finally, where consent is used as the basis for processing data, we should know where this permission is granted. This means the exact source and channel. This is different to knowing what source and channel we have permission to use to market to people. It’s knowing where data has come from, and having proof that the charity has the right to process that data, based on a clear consent statement at the point of capture or a well-documented and considered legitimate interest review.
The definition of consent
If we look at how GDPR defines consent, we can see how different it is to marketing preferences: “‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
It’s easy to focus on the end part, because “processing of personal data” is what charities have been doing and need to do. In many charities there are sophisticated systems that make it easy to segment customers according to their preferences. This provides powerful information from models that predict a supporter’s future interactions. It also highlights profiles of prospective new donors who behave in a similar fashion to their most loyal supporters.
Equally, most charities will have opt-in and opt-out processes in place. However, just because your supporters have opted in to receive information, that does not constitute explicit, “informed and unambiguous indication of the data subject’s wishes”. Nor have they given “clear affirmative action” about “agreement to the processing of their personal data”.
It’s this confusion that makes organisations think that GDPR isn’t that different to the existing DPA.
And here’s the crucial bit that needs to be totally front of mind when reviewing a consent capture strategy: consent is a right. It gives the individual total control. It means that they own their personal data, and they have to give permission for charities to use their data. This applies to any data that’s held about that individual. It might be data for marketing. It could be data used for the provision of services. It could quite easily be financial details. And that’s before we even get into specific consents required for sensitive data such as race, gender and health.
Proof of supporters’ consent
As a charity, you have to prove you’ve gained explicit consent. You’ve got to be able to either amend individual supporter details, and their permissions, or give the supporter access to a system that allows them to control their consents. And you’ve got to be able to erase any personal data held, not from just one system, but all the systems that you or your partners operate. And furthermore, you must inform any third parties with whom you have shared this data (obviously with the supporter’s consent).
Preferences are, on the other hand, just that: a statement of how a supporter prefers one thing above another. This might be the type of communication they prefer – they might prefer email to phone. They might prefer receiving 10 raffle books instead of 5. They may like to be contacted annually rather than monthly. These preferences do not, in any way, confirm consent. This doesn’t mean you need a preference management system and a consent management system – both can be managed together when the right audit trail is built into your data foundation. Just view consent at a more granular level. For example: “I am providing consent for you to use my address details to send me communications on appeals, but not about lotteries.” But make sure you have maintained a record of the consent statement that was seen when the data and purposes for use of the personal data was captured (source and time stamp).
An opportunity to deepen engagement
Now is the time not just to protect your charity, but to go a step further. To build and deepen the trust your supporters have. Improve your consent capturing procedures, the quality of your data (yes, now is the perfect time to merge and purge the dupes on the database) and update your policies. This will provide your charity with an excellent opportunity. An opportunity to seek your supporters’ permissions. An opportunity to engage at a deeper level. An opportunity to create a value exchange where both the supporter and you – the charity – will benefit.
Preferences versus consent: let’s get data protection right, from the beginning.
This article first appeared in CharityChoice.