You might have heard of GDPR – but do you know what it is and what it means for fundraisers?
General Data Protection Regulation is a change that will impact everyone in the UK who manages data. It comes into effect on 25 May 2018, when it replaces trusted and familiar rules like the Data Protection Act.
GDPR also incorporates and updates some other rules that we use every day in our fundraising and communication roles, including PECR (the Privacy and Electronic Communications Regulations). These regulations have been around since 2011 and you may be more familiar with one element of them – ‘cookie law’.
Aside from giving us the opportunity to look at creative ways to add pop ups with legal info onto our websites, PECR rules cover other forms of fundraising communications too, such as email and telephone.
One of the most important things to remember is if you don’t have permission to contact your donors or supporters via a particular channel (say email), you can’t contact them by that channel – even to ask for their permission to contact them that way.
PECR is important too.
In the rush to comply with the new rules around GDPR, it’s important to remember that the rules of PECR still apply. Two recent (March 2017) cases provide us with salutary lessons.
Airline Flybe sent 3.3m emails last year to past customers, asking them if their details were correct. They were fined £70,000. Car manufacturer, Honda, sent a series of emails aiming to clarify customers’ preferences for receiving future communications. They were fined £13,000.
If you’re reading that and thinking that’s exactly the kind of thing that your charity might be thinking of doing, you’ll see why I selected these two cases.
In the judgement on these cases, the ICO stated: “Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law.” It also made clear that you cannot “break one law [PECR] to comply with another [GDPR]”.
There is an irony in the revelation that both companies were preparing to be GDPR compliant when their breaches occurred, but let’s learn our lessons from them.
4 lessons for charities as we get GDPR-ready:
Lesson 1: if you don’t have permission for a channel, you can’t ask for permission via that channel (so if you don’t have permission to email, you can’t email to ask for permission to email; if you don’t have permission to call, don’t call).
Lesson 2: don’t ask for permission from people who have actively opted out of receiving communication via the channel you are using. While writing to people to ask if you can email them might sound a bit bonkers, if that is the communication approach you have consent for, that is how you must do it.
Lesson 3: be clear about what you have permission to do and what is covered by your permission.
As you craft new permission statements, consider what you may want permission to do in the future, as well as what you may want to do now.
Lesson 4: Don’t be caught out in a GDPR compliance bubble and forget about other rules and regulations – or about people. Making people-based decisions rather than data-based decisions shows due respect to our supporters and will give them confidence in our integrity as an organisation.
Read up on GDPR:
- Fundraising and Regulatory Compliance: https://www.fundraisingregulator.org.uk/2017/02/21/fundraising-regulatory-compliance-conference-2017/
- ICO pages on GDPR and progress of consultations on key issues (e.g. consent): https://ico.org.uk/for-organisations/data-protection-reform/
- ICO’s excellent ‘12 steps to take now’ diagram is a good place to start: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Mags Rivett has 15 years’ experience of marketing, communications and fundraising for non-profits. She is Marketing Director for Purple Vision, a technology consultancy that specialises in helping non-profits with CRM, digital and data challenges.
This article offers general advice, based on our understanding of facts and guidance issued to date. We are not offering legal advice.