Accountability is a GDPR requirement that makes sense, but how do we achieve it?
Suzanne Lewis, who sat on the IoF's focus group for GDPR, says that while the new legislation has had cost implications for fundraisers, it was not the ‘bogeyman’ that many had feared – but there are real benefits to adhering to these new levels of accountability.
We’ve heard a lot about GDPR’s impact on fundraising in its first year, with this month’s Fundraising Convention seeing the release of two benchmarking reports that revealed how it has changed the UK fundraising landscape.
Rapidata issued its 2019 Charity Direct Debit Tracking Report, which showed that donor recruitment stalled during 2018 but recovered in early 2019, accompanied by lower than usual cancellation rates, perhaps implying improved donor quality post-GDPR. Echoing these findings, the IoF and Blackbaud Europe’s Status of UK Fundraising Benchmarking Report indicated that while the new legislation certainly had cost implications for fundraisers, it was not the ‘bogeyman’ many had feared. In fact, the majority said it had also made them think differently about their engagement strategies.
So, all in all, GDPR has reshaped fundraising considerably and brought positive outcomes; the charity sector seems to have handled its implementation well.
But we cannot afford to rest on our laurels. At the recent Data Protection Practitioners’ Conference, the Information Commissioner, Elizabeth Denham, said we were at a critical stage with the legislation. The crucial change it had brought, Denham said, was its requirement for accountability, with the legal onus firmly on organisations to understand the risks they create for others when processing data, and to ensure that they mitigate those risks.
And yet, she added, while data protection should therefore now be part of every organisation’s cultural and business fabric, the ICO does not yet see this happening, including among charities.
It’s important to remember that GDPR requires an ongoing, enterprise-wide commitment, and no organisation will be beyond scrutiny. The ICO has announced some hair-raising penalties recently, including its intention to fine British Airways £183m and Marriott £99m, both over customer data breaches, and a £100,000 fine for EE for sending marketing text messages without consent.
In order to meet GDPR requirements and avoid hefty fines – and to keep our supporters’ permission to use their data – we need to revisit the compliance policies and preparations we completed, check that we are actually compliant, and act on whatever those checks find… so that we stay compliant.
In practice, this means:
- Ensuring you have all the documentation the ICO requires, both to embed compliance across your organisation and to demonstrate it: for example a Privacy Management Framework, records of all processing activities, and Data Protection Impact Assessments (DPIAs).
- Considering data protection and privacy issues at every stage of everything you do, from start to finish.
- Keeping an eye on the continued relevance of your grounds for processing. GDPR sets no specific time limit on consent, so you have to make the call on what’s appropriate based on the context in which it was given. For example, when someone has donated to a particular project, consent might reasonably last for as long as that project continues, while for an annual charity fundraising event, 12 months might be appropriate.
- Upholding basic data hygiene standards, and regularly cleaning and updating your records.
- Only processing the data you actually need to achieve a specific purpose. For example, pet ownership details may be relevant for some charities but not for others.
- Not keeping personal data for any longer than necessary, and ensuring it is securely deleted once you have finished with it.
For more help, the ICO has published a guide on the basics of compliance that looks into accountability in greater detail.
Compliance is a legal requirement, not an option, but there are real benefits to adhering to these new levels of accountability.
Being accountable means dotting every i and crossing every t, but once you have done that to ensure full GDPR compliance, you will have cleaner, more responsive data and happier supporters.
Suzanne Lewis is founding director of charity data specialist Arc Data and regularly advises at sector level, having sat on expert panels including the IoF’s focus group for GDPR, the DMA Code and the DMA’s Governance Committee.