25th May 2018 is the GDPR deadline

The Digital Age Of Consent: How to make your Charity Website GDPR Compliant?

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation is an EU-wide regulation which applies in the UK from 25 May 2018. It replaces the existing UK data protection law (the Data Protection Act 1998) and gives individuals more rights and protection over how organisations use their personal data. GDPR is an evolution, not a revolution: the Data Protection Act already requires that data is processed fairly and lawfully, so charities that already comply with it shouldn't have too much more to do.

GDPR Compliance and your website

Under GDPR, simply saying "click here to read our privacy policy" is not enough. Your charity will need to explain clearly what personal data you collect, why you are collecting it and how you intend to use it. If you intend to make any data available to third-party providers (such as Google Analytics or telemarketing companies) you need to get explicit consent for that. For consent to be valid, it must be freely given, specific, informed, dated, and an unambiguous indication of the individual's wishes through a statement or clear affirmative action, such as actively ticking a box; pre-ticked boxes, silence or inactivity do not count, and withdrawing consent must be as easy as giving it. You will need to ensure that your website obtains consent in this way and keeps a record of it (who consented, to what, when, and which privacy notice they were shown). (Studio Republic advise that legal help should be sought for added peace of mind, assurance and protection.)

SR are able to assist with GDPR compliance

When looking at your website and GDPR compliance SR can assist with:

  • Review your website and current strategy (i.e. opt-in vs opt-out) and identify what changes will need to be implemented.
  • Review the data capture functionality, databases, systems and resources that you have, so that you can keep all personal data secure and manage updates to communication preferences.
  • User account functionality, i.e. review the user's ability to update their own consent and communication preferences on your website.
  • Implement the updated privacy notice and associated policies on your site.
  • Advice on the cookies set by your site, their purpose, and how the user can refuse or remove cookie tracking.

Institute of Fundraising

The Institute of Fundraising has stated that, as of 25th May 2018:

“You should put in the necessary time and resources to update your database. To send direct marketing you need to be sure you are doing it lawfully and fairly. It is not enough simply to comply with the rules, you also need to be able to demonstrate that you comply. This means that you must keep a record of people’s communication preferences and when they have been provided. If you are unable to demonstrate that you have ongoing consent, or (for the legitimate interest condition that the information is up-to-date) you will not be able to use it for direct marketing. If you are not sure that you have their consent to send emails, then do not send them an email marketing message – or even an email to ask them to confirm if they are happy to keep hearing from you. You may be breaking the law. You might have considered contacting an individual in these circumstances to be an administrative data cleansing exercise, but if you are making the contact in order to check if the individual is happy to receive direct marketing in the future, the ICO regards that contact as direct marketing in itself.”

Benefits of Updating & Cleansing your database

  • Obtain explicit consent for direct marketing purposes.
  • Update communication and consent preferences (while not a rule, the ICO and Fundraising Regulator suggest that a 24-month period may well be appropriate for renewing consent as best practice).
  • Weed out old, inaccurate data and personal details.
  • Ensure that data capture on your site is GDPR compliant (before 25th May 2018).
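
The consent requirements described above (a separate, unticked box per purpose; a dated record of who agreed to what and under which privacy notice; withdrawal that is as easy as opting in; and the 24-month renewal practice suggested in the list) are easier to get right when the website stores consent as an append-only ledger rather than a single "marketing: yes/no" flag. The following is an added example written for this page, not Studio Republic's code and not code from the original article. The purpose names, the status labels, the 730-day renewal window and the supporter IDs are assumptions made for illustration, and the walkthrough in `demo()` is constructed data.

```python
"""Consent ledger for a charity website (added example; assumed design).

Each purpose has its own tick box, a decision is stored only as a dated
event, an offered-but-unticked box is a refusal rather than silence, and
the ledger can show when and under which notice consent was given.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Assumed purpose names; each must be a separate box on the form.
PURPOSES = frozenset({"email_marketing", "sms_marketing", "share_with_telemarketing"})
# The ICO / Fundraising Regulator 24-month suggestion: best practice, not law.
RENEWAL_PERIOD = timedelta(days=730)


@dataclass(frozen=True)
class ConsentEvent:
    supporter_id: str
    purpose: str
    granted: bool                  # True = opt-in; False = refusal or withdrawal
    recorded_at: datetime          # timezone-aware moment the choice was made
    notice_version: Optional[str]  # privacy notice shown; None for a withdrawal
    source: str                    # where the choice was made, e.g. "donation-form"


class ConsentLedger:
    """Append-only log of consent decisions; the newest event per purpose wins."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_submission(self, supporter_id: str, offered: Iterable[str], ticked: Iterable[str],
                          notice_version: str, source: str, now: datetime) -> List[ConsentEvent]:
        """Store one form submission. Browsers do not send unticked boxes, so the
        caller states which purposes the form `offered`; an offered but unticked
        purpose is logged as a refusal, never treated as consent."""
        offered, ticked = set(offered), set(ticked)
        bad = (offered | ticked) - PURPOSES
        if bad:  # a catch-all "agree to all marketing" box is not specific consent
            raise ValueError(f"not a recognised per-purpose consent field: {sorted(bad)}")
        if not ticked <= offered:
            raise ValueError("ticked a box that was not on the form")
        written = [ConsentEvent(supporter_id, p, p in ticked, now, notice_version, source)
                   for p in sorted(offered)]
        self._events.extend(written)
        return written

    def withdraw(self, supporter_id: str, purpose: str, source: str, now: datetime) -> ConsentEvent:
        """Withdrawal must be as easy as giving consent: one call, no conditions."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        ev = ConsentEvent(supporter_id, purpose, False, now, None, source)
        self._events.append(ev)
        return ev

    def latest(self, supporter_id: str, purpose: str) -> Optional[ConsentEvent]:
        """The record you would show a regulator: the most recent decision for this purpose."""
        for ev in reversed(self._events):
            if ev.supporter_id == supporter_id and ev.purpose == purpose:
                return ev
        return None

    def consent_status(self, supporter_id: str, purpose: str, now: datetime) -> str:
        ev = self.latest(supporter_id, purpose)
        if ev is None:
            return "no-record"    # never asked: do not contact, not even to ask
        if not ev.granted:
            return "no-consent"   # refused or withdrawn
        if now - ev.recorded_at > RENEWAL_PERIOD:
            return "renewal-due"  # consent exists but is stale under the 24-month practice
        return "valid"

    def may_contact(self, supporter_id: str, purpose: str, now: datetime) -> bool:
        return self.consent_status(supporter_id, purpose, now) == "valid"


def demo() -> Dict[str, object]:
    """Constructed walkthrough of one supporter's history; returns the ledger's answers."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 12, 0, tzinfo=timezone.utc)
    day = timedelta(days=1)
    ledger.record_submission("sup-001", offered=["email_marketing", "sms_marketing"],
                             ticked=["email_marketing"],  # SMS box left unticked
                             notice_version="privacy-notice-2018-05", source="donation-form", now=t0)
    out: Dict[str, object] = {
        "email_day1": ledger.consent_status("sup-001", "email_marketing", t0 + day),
        "sms_day1": ledger.consent_status("sup-001", "sms_marketing", t0 + day),
        "telemarketing_day1": ledger.consent_status("sup-001", "share_with_telemarketing", t0 + day),
        "email_after_25_months": ledger.consent_status("sup-001", "email_marketing", t0 + 760 * day),
        "may_email_day1": ledger.may_contact("sup-001", "email_marketing", t0 + day),
    }
    ledger.withdraw("sup-001", "email_marketing", source="preferences-page", now=t0 + 30 * day)
    out["email_after_withdrawal"] = ledger.consent_status("sup-001", "email_marketing", t0 + 31 * day)
    out["evidence"] = ledger.latest("sup-001", "email_marketing")
    try:  # a single bundled "all marketing" box is rejected rather than stored
        ledger.record_submission("sup-002", offered=["all_marketing"], ticked=["all_marketing"],
                                 notice_version="privacy-notice-2018-05", source="signup", now=t0)
        out["bundled_rejected"] = False
    except ValueError:
        out["bundled_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two design points worth carrying into a real system are that the form handler receives the list of purposes that were offered, not just the boxes that came back ticked, and that the ledger is append-only: a withdrawal is a new dated event rather than an overwrite, so the charity can still show that consent existed on the date a message was sent.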
GDPR Charity Organisational Strategy Advice:

Ultimately, GDPR is unequivocally clear that an individual's choice to say "no" is paramount: the right to object to direct marketing is absolute, and it outweighs the charity's legitimate interest in sending future communications.

The Institute of Fundraising advice is:

“A whole organisation approach is necessary with a strategy agreed at Board level following an understanding of your choices and the opportunities or challenges. You will need to have documented processes and procedures in place for using and protecting personal data, with support from your executive/board for implementation, monitoring and enforcement. It must never be just down to each fundraiser to make quick and unilateral decisions.”

It’s important to remember that volunteers are no different from employees when it comes to protecting data: they must be equipped and trained to do so. Internal emails, posters, training documentation and questionnaires can help educate your volunteers and assist them in understanding the core principles.

Any GDPR questions?

Below is a frequently asked question, with the answer prepared by the Institute of Fundraising, that you may find useful:

So, what should I do at my charity? Should we change to only send direct marketing when we have consent and go ‘opt in’, or should we keep using an ‘opt out’ and rely on our legitimate interest?

This is really where it is a choice for your charity. You will need to think through what is the right thing for you to do, based on a whole number of factors including your fundraising strategy, the size of your organisation, and considering who your donors and supporters are. Think through the range of options that are available. There might be consideration too of a more nuanced approach, where you seek consent for some channels (email and text), but not for direct mail where you decide to rely on your legitimate interest. Some larger national organisations have publicly announced that they are moving to ‘opt in’ for all communications as they have decided that’s the strategy that will work best for them. But others are choosing the alternative ‘opt out’ approach.

For more information, please visit or follow:

Information Commissioner's Office, Twitter: @iconews
Institute of Fundraising, Twitter: @ioftweets
An Introduction to GDPR by Studio Republic: @StudioRepublic