Three cheers for GDPR - Is it a Happy Birthday?By Andy Quickende… | News Fundraising Mailing | 24 May 2019
A year ago GDPR came fully into effect in the UK (cue the cake, candles and birthday singing), and despite much rumour-mongering, the data wheels are still turning! Charities are continuing to communicate with their supporters and, to date, very few legal actions regarding GDPR compliance have been taken against charities by the Information Commissioners Office (ICO). Find out more about actions the ICO has taken.
A little after the May 2018 landmark date I enrolled in the Institute of Data & Marketing’s Professional Certificate in General Data Protection Regulation (GDPR) which I recently completed. But what does this acolade mean for me, mean for Yeomans and ultimately, mean for you?
It took me 11 months of part-time study to complete the course and gain the certificate. I can’t say it was the most interesting subject I’ve ever studied (see my previous blog on cake!) but it has affirmed to me that common sense and integrity are the best tools when it comes to Data Protection & GDPR.
Fundamentally it has confirmed that if your supporters know what you are going to do with their personal information, they have agreed with this and you don’t deviate from this agreed path, then you will be home and dry. In a nutshell, GDPR in working practice comes down to 3 main areas:
- Data collection
- Data storage
- Data processing & use
Data collection and GDPR compliance:
When collecting data, be up-front and honest – if you plan to send appeals quarterly, say so. Statements like “we’d like to send you information and updates about our work” don’t mean “we are going to ask you to financially support us”.
Let your potential supporter know:
- What they’ll receive
- When they’ll receive it
- How you plan to store their data
- How you will safeguard their data
- What your profiling methods are
- Whether you do any data sharing
Armed with this information they can make an informed decision on whether they wish to enter a relationship of trust with you – providing you with their valuable personal details.
Unsurprisingly, this means many things to many people. What does it look like in your organisation?
- An excel spreadsheet?
- A powerful CRM?
- A Rolodex? (If you’re feeling retro)
Whatever system you use to store your supporters data, it has to be secure. It has to be protected. It has to be accessible by only those people who really need to use it. Is your data stored onsite? Offsite? Who has access to backups? This is probably the most in-depth part of GDPR as it has implications outside of your organisation and requires some groundwork to really know who has access to your data and how secure the records you (and they) hold are.
Data processing and use:
Processing & use really is the easy bit, providing you’ve done the collection bit right!
You’ve already told your supporters how you will use their data – now you just have to put the words of your contract with them into action.
You may still need to profile your data to ensure your activity is relevant to your audience – and manual profiling of data is fine, this includes things like:
- Mailing your Christmas campaign to the section of your audience who are known to give at Christmas
- Ascertaining donors who fall into your major donor stream so that you can isolate them to receive a particular campaign
By profiling like this you are simply using the insight your donor activity has given you.
Automated profiling on the other hand is completely different, please check the ICO’s website for the definitions or give us a call and we’ll be happy to help clarify any queries you might have.
Some things never change:
It is important to remember that there are still things that you are required to do with your data that haven’t changed since the Data Protection Act 1998 morphed into GDPR. For example, your data has to be kept accurate and up-to-date. To ensure you comply with this requirement you’ll need to action gone-aways from mailing returns and regularly run data through PAF validation, MPS and against the bereavement register. I know, as a donor, that there is nothing that will turn me off quicker to an appeal mailing than seeing that my name or address aren’t correctly presented on a mail-piece. If you don’t know me well enough to get these basic details right – you don’t deserve my time, my support or my hard earned money.
What if it goes wrong?
And if the worst happens and things do go wrong? The advice is:
- Take action
- Take action immediately
- Inform the ICO if need be
- Be as honest about errors with your supporters as you were in collecting data in the first place! People are far more likely to understand errors if are open and honest about them – mistakes do happen but a relationship where trust breaks down is harder to rebuild.
How does it help you that the Yeomans team have a Professional Certificate in GDPR?
Quite simply, it means that we care about you and your data. We’ve taken steps to maximise our knowledge about GDPR so that when you entrust your data to us for your supporter mailings you can be sure that it’s in a safe pair of hands. We’ve been processing and managing data for more than 15 years and our data team personally have 35 years of experience using and handling data.
It also means that you can rely on our friendly teams to help you get it right – we are in this together! So, if you’d like to chat with a member of our team about your organisational response and steps to remain GDPR compliant please contact us.
So let’s celebrate the challenges brought about by GDPR, and whether to you celebration means cake, prosecco or just the warm glow that GDPR didn’t bring the data-wheels to a grinding halt, join us in saying Happy Birthday GDPR – cheers!