Opt in, opt out, shake it all about?
Charities have had something of a bumpy ride lately… and the bad news is that it’s not over yet. On top of increasing scrutiny of fundraising carried out by charities, data protection law and the Information Commissioner has now come to the fore with some big-name charities fined for data protection breaches. To top everything off, the new General Data Protection Regulations (GDPR) will be law by the end of May 2018.
Although the data protection and charities has mainly hit the headlines in the context of fundraising and use of donors’ details, it is important to understand that data protection law and the new GDPR affects all personal data held by charities even those who do little or no fundraising.
Such data might include members’ details and information about staff and volunteers as well as that about donors. With the GDPR introducing even bigger penalties than have been seen to date, it is important for all charities to get their heads round what is on the horizon and to plan accordingly.
In this piece, we answer a number of key questions and help you plan for the future.
How will our lives change with GDPR?
• You may need to appoint a Data Protection Officer (DPO). If your core activities involve regular or systematic monitoring on a large scale, or processing special categories of data e.g. medical information. Their role is to inform, advise and monitor compliance. More guidance is awaited from the ICO on requirements
• You will have to be in a position to demonstrate compliance with Accountability Principles. This means you will need to keep detailed records that may need to be presented to the regulator on request; building in evidence of your data protection compliance throughout your processes and implementing appropriate technical / organisations measures to ensure and demonstrate compliance – i.e. policies and procedures
Opt in or opt out: what’s the position?
• Opt in is now the only way forward. Consent must be freely given. Silence, pre-ticked boxes on forms or inactivity is not acceptable. An individual must give a statement of clear affirmative action
What about personal data that we already hold, such as members’ or donors’’ information?
• You need to review what information you hold
• You need to secure consent from members – either at the time of joining or on renewal
• Anyone who’s data you hold needs to know why you hold their data and what you’re going to use it for
Do people have to consent to everything we do with their data?
• Individuals rights will increase under the GDPR
• Data must only be used for the purposes for which the individual has given consent
• Individuals must have the ability to easily ask you to delete their data
What could happen if we get it wrong?
• You could be inspected by the ICO
• You could be fined. Maximum fines of €20m or 4% of turnover.
• You could suffer significant reputational damage
As can be seen from the above, data protection is a complicated business and the cost of getting it wrong, both in monetary penalties from the Information Commissioner and perhaps more importantly, reputational damage, could be high.
If you get these things in order, and keep them that way, then (for fundraising charities) the combination of new fundraising law and practice and the interface with the GDPR and (for all charities) the GDPR won’t end up being as bad as it may seem.
If you don’t, then you could end up being led a merry dance.