GDPR: It’s good for your charity

We’ve known for years how important data would be in all our futures, so why the panic over GDPR?

I’m about to confess an unpopular opinion. GDPR – if done right – has the potential to be a real positive for charities.

We’ve known for a long time that data is an increasingly important asset. More important, some say, than oil in terms of its value to the economy. A charity sector without data would be a very different place. Take away the data and you would be left with a very large pool of fundraisers and marketers doing very little, and a whole range of services delivered far less effectively. For starters.

Arguably dubious comparisons with oil don’t end with data’s value. There are obligations too. While the production and transport of oil and its derivatives is highly regulated in order to limit those catastrophic oil spills that used to be commonplace, the spillage of data is an increasingly regular occurrence. According to the UK government. 46% of businesses have been the victims of some form of cyber attack, many of which result in personal data being stolen. Charities aren’t immune. Government and the Charity Commission for England and Wales have warned that charities need to do more.

While prosecutable offences already exist under the current Data Protection Act, the GDPR, which goes live (in the Form of the Data Protection Bill 2017) on 25 May, largely reflects how important data has become in the last 20 years and places clear obligations on us with regards to how we use data and what our obligations are.

Now at this point you may be suffering from GDPR fatigue. It seems like everyone is selling compliance. Your social media feeds are probably rife with it. But here’s the thing that nobody seems to be mentioning.  Why is this an opportunity for charities? It’s because of the thing we’re all concerned with – trust.

Shaking up your communications and data management processes will not only keep you safe from the, really quite severe, fines that are contained within the legislation but will increase your bond with those you serve.

GDPR needn’t be a matter of keeping on the straight and narrow but could instead be an opportunity to make a series of sustainable changes that will have a positive and long-lasting effect on the sector.

Trust levels in charities tend to fluctuate wildly.  Research by nfpSynergy put trust at 64% at the start of 2017, 55% over the summer and 60% at the end. Charities finished 2017 as the fifth most trusted institution. Two years previously, amidst reams of negative stories about CEO pay, they had been twelfth.

Our trust levels in Northern Ireland are consistently higher. In 2016 the Charity Commission for Northern Ireland put 79% of the public with a medium to high level of trust in charities. In the same year nfpSynergy reported that 62% of the public in Northern Ireland trust charities “a great deal” or “quite a lot”.

However, trust levels here are equally volatile. They run the risk of plummeting with every scandal, leading to decreased giving and levels of engagement that may never recover. But while most negative stories seem to involve larger charities that are basically ‘letting the side down’, GDPR could change the narrative.

With the risks of non-compliance supposedly higher in smaller charities who may struggle to implement the changes they need to, GDPR poses a unique type of risk. So what to do?

The demands of the GDPR are reasonably straightforward if you view them as a means to increase the levels of trust between your charity and the public. It shouldn’t be too hard to relate, after all. You might be a prospective data controller or a secretly resentful trustee today but tomorrow you’re an individual whose details are currently being processed by any number of charities, businesses or government organisations.

It’s not that long since a major scandal erupted around the sharing of donor data between charities and wealth screeners. The ICO imposed only modest fines, mostly because they didn’t think that donors would wear larger ones, and another blow was dealt to the sector’s reputation. Imagine if you were one of the donors whose information had been shared and had been bombarded by unsolicited mail.

The GDPR states that every organisation must be able to demonstrate that it processes data fairly, conforms to data protection by design and puts limits on data retention. You should put the correct processes in place. Keeping a record of every data processing activity, carrying out privacy impact assessments and securely deleting the data of non-responsive contacts will not only keep you compliant but will demonstrate to your people that you take protecting their data seriously.

GDPR also demands that privacy notices are clear. Where the data goes will have to be unambiguously described and opt-in will have to be the default, rather than opt-out. Not only are clearer notices important in getting people to trust you with their data but they are a great chance to explain why you’re using their data and why they should allow you to process it. Charities should seek to explain why I should allow them to process my activity on their website because transparency is good.

Finally, GDPR will place limits on who you communicate with. By accident, if not by design, compliance will ensure that you’re only targeting those engaged by your campaigns. This is good, because it limits the amount of communicating you do which could be termed spammy. This in turn reduces the risk of restrictions being placed on email service providers and sign ups to the Mail and Telephone Preference Services. In short, you’ll be communicating better, smarter and lessening the chance of the field narrowing for the industry as a whole.