GDPR COMPLIANCE

The Digital Age Of Consent: How to make your Charity Website GDPR Compliant?

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation is an EU-wide regulation which will become effective in the UK on 25 May 2018. It replaces the existing law we have on data protection (the Data Protection Act 1998) and gives individuals more rights and protection in how their personal data is used by organisations. GDPR is an evolution, not revolution. The Data Protection Act already requires that data is processed fairly and lawfully, so charities shouldn’t have too much more to do.

GDPR Compliance and your website:

Under GDPR, simply saying “click here to read our privacy policy” is no longer enough. Your charity will need to explain clearly why you are collecting personal data and how you intend to use it. If you intend to make any data available to third-party providers (such as Google Analytics or telemarketing companies) you need to get explicit consent for that.

For consent to be valid, it will need to be freely given, specific, informed and unambiguous, indicated through a statement or clear affirmative action, such as actively ticking a box. You will need to ensure that your website obtains consent in this manner. (Studio Republic advise that legal help should be sought for added peace of mind, assurance and protection.)

When looking at your website and GDPR compliance, SR suggest, and are able to assist with, the following:

  • Review your website and current strategy (i.e. opt in vs opt out) and what changes will need to be implemented.
  • Update your privacy notice to explain clearly what information you collect and how you use it.
  • Update associated policies (e.g. a data retention policy).
  • Review the data capture functionality, databases, systems, and resources that you have so that you can keep all personal data safe and manage communication preferences.
  • User account functionality, i.e. review the user's ability to update their own consent / communication preferences on your website.

Database Cleansing Services:

The Institute of Fundraising has stated, as of 25th May 2018:

“You should put in the necessary time and resources to update your database. To send direct marketing you need to be sure you are doing it lawfully and fairly. It is not enough simply to comply with the rules, you also need to be able to demonstrate that you comply. This means that you must keep a record of people’s communication preferences and when they have been provided. If you are unable to demonstrate that you have ongoing consent, or (for the legitimate interest condition that the information is up to date) you will not be able to use it for direct marketing. If you are not sure that you have their consent to send emails, then do not send them an email marketing message – or even an email to ask them to confirm if they are happy to keep hearing from you. You may be breaking the law.

You might have considered contacting an individual in these circumstances to be an administrative data cleansing exercise, but if you are making the contact in order to check if the individual is happy to receive direct marketing in the future, the ICO regards that contact as direct marketing in itself.”

Benefits of Updating & Cleansing your database:

  • Obtain explicit consent for direct marketing purposes
  • Update communication / consent preferences (While not a rule, the ICO and Fundraising Regulator suggest that a 24 month period may well be appropriate to renew consent as best practice)
  • Weed out old, inaccurate data and personal details
  • Ensure your site is GDPR Compliant (before 25th May 2018)

GDPR Charity Organisational Strategy Advice:

Ultimately, GDPR is unequivocally clear that an individual’s choice to say “no” is paramount and more important than the charity’s legitimate desire to want to send future communications.

The Institute of Fundraising advice is:

“A whole organisation approach is necessary with a strategy agreed at Board level following an understanding of your choices and the opportunities or challenges. You will need to have documented processes and procedures in place for using and protecting personal data, with support from your executive/board for implementation, monitoring and enforcement. It must never be just down to each fundraiser to make quick and unilateral decisions.”

It’s important to remember that volunteers are no different to employees: when it comes to protecting data, they must be equipped and trained to do so. Internal emails, posters, training documentation and questionnaires could help educate and assist your volunteers to understand the core principles.

Below is a Frequently Asked Question prepared by The Institute of Fundraising that you may find useful:

So, what should I do at my charity? Should we change to only send direct marketing when we have consent and go ‘opt in’, or should we keep using an ‘opt out’ and rely on our legitimate interest?

This is really where it is a choice for your charity. You will need to think through what is the right thing for you to do, based on a whole number of factors including your fundraising strategy, the size of your organisation, and considering who your donors and supporters are.

Think through the range of options that are available. There might be consideration too of a more nuanced approach, where you seek consent for some channels (email and text), but not for direct mail where you decide to rely on your legitimate interest.

Some larger national organisations have publicly announced that they are moving to ‘opt in’ for all communications as they have decided that’s the strategy that will work best for them. But others are choosing the alternative ‘opt out’ approach. You can see case studies of what some charities are doing on the Fundraising Regulator’s website.


For more information, please visit or follow the below:

Information Commissioner's Office - Twitter @iconews
Institute of Fundraising - Twitter @ioftweets
An Intro to GDPR by Studio Republic @StudioRepublic