Crossing the donor consent chasm
J Cromack is the CEO for Wood for Trees and one of our speakers at IoF's Transforming your Supporter Journey Conference.
The General Data Protection Regulation (GDPR) is coming – like it or not! But in our view, it’s definitely like it. We strongly believe any organisation, be it business or charity, should hold a citizen’s privacy at its heart.
My colleague Andrew Sargent and I presented our 10 practical steps to making the leap at the IoF Transforming your Supporter Journey conference on 11 September. Here are just a couple of pointers.
GDPR is an opportunity to improve engagement with supporters in an open, honest and transparent way; to strengthen trust in your organisation, protect your ‘brand’ and reputation, and be ethical by respecting your supporters’ personal data.
Start by asking yourselves the following questions:
- What personal data is being processed?
- Why is the personal data being processed, for which of the six legal justifications?
- Who/Which organisation or department can process that data for the given purpose(s)?
- Where (and how) was the relevant permission captured from the citizen?
- When was the relevant permission captured from the citizen?
We call this the 5Ws Permission Matrix. Once you have established answers to these (based on your existing database and current practices, policies and procedures) you can move on to categorise your database against the six legal justifications of the GDPR, which are:
- Legal Obligation
- Legitimate Interest
- Protect a Person
- Public Interest
Consent and Legitimate Interest are probably the justifications you will hear and read most about in the press, especially following the very public ‘flogging’ of a number of the UK’s high-profile charities by the ICO earlier this year.
Where you decide that Consent is required for you to continue to communicate with your existing contact list and any new supporters, you will need to ensure that you can prove that it meets the new consent rules under GDPR. If you can’t, you’ll need to remove them from your database. Simple.
Can you imagine just how much that will impact the causes you support?
Pub chain JD Wetherspoon took the bold decision to stop communications with its existing consumers and has deleted its contact list completely, precisely because it couldn’t prove it had obtained consent to use this personal data. Whether it chooses to start collecting consented personal data to reset its database is yet to be seen; it may decide to use a broad-brush approach and spend marketing budget purely on advertising to the masses. Who knows?
Legitimate Interest is a tad trickier. Here’s the legal bit: Article 6(1)(f) & Recital 47.
6(1)(f) Necessary for the purpose of legitimate interests pursued by the controller or third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. […taking into consideration the reasonable expectation of the data subject based on their relationship with the controller.]
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. [Recital 47]
Are you willing to take the risk of not Getting Data Protection Right, with fines of 4% of annual turnover or €20 million, depending on the severity of action, as regulated by the ICO?
It’s not all doom and gloom, but doing nothing isn’t an option. Embracing GDPR will present a wealth of opportunities, not least to have a clean, engaged database and informed insight from informed consent.
Whatever you decide to do, make sure you are open, honest and transparent. Make sure your supporters have a digital understanding of what you intend to use their personal data for. Update policies and communications, and make sure everyone in the organisation plays their part. GDPR impacts the entire team, not just marketing.
So, jump the chasm, and we’ll see you on the other side – come 25th May 2018!