GDPR: What we didn’t know last year...
Today we publish our refreshed version of our GDPR: The Essentials for Fundraising Organisations guidance. Sam Boyle, Policy and Information Officer at the IoF, talks through what has changed and why we felt the need to update it.
2018 was the year of GDPR. Unless you were living under a rock last year, you wouldn’t have escaped hearing those four (dreaded?) letters if you were involved in fundraising. For many charities, complying with GDPR appeared to be a daunting challenge. Even as late as April last year, some 76% of third sector organisations admitted they still had work to do to achieve full compliance.
With these challenges in mind, we released our GDPR: The Essentials for Fundraising Organisations back in May 2017 – a guide to help fundraising organisations navigate through the main challenges that GDPR posed and get ready for the changes that were to come.
While GDPR became effective as of 25 May last year, that date was never the end of the process. The Information Commissioner's Office has been clear that organisations will need to continue to update their policies and procedures at appropriate intervals to ensure they are compliant with data protection laws. Just as a car needs regular servicing and an annual MOT, charities need to regularly review and check that their processing of personal data is being done fairly and lawfully.
Almost a year on from the GDPR "D-Day" of May 2018, we were keen to make sure that the guidance we produced with BDB Pitmans is updated to take into account changes that have happened since then, signposts new pieces of guidance, and responds to a number of the questions that fundraisers have been asking about how to comply with GDPR.
So what’s new in the updated guidance?
First of all, don’t worry, this is not a fundamental rewrite! The basics are still the same – this update is about tweaking, including the latest thinking, and providing some more tips and advice. This includes new information around minimising data protection risks, advice about when you need to consider employing a data protection officer, and all-new top tips on how to assess whether you have a legitimate interest for carrying out direct marketing under GDPR.
No piece of guidance will be able to answer every single question that fundraisers might have, but we hope that it is the best ‘starting point’ for helping your charity get things right and a jumping-off point to dive into areas in more depth.
As the data protection landscape changes, parts of this guidance may need refreshing – but the core tenets of the advice we give should remain relevant for a long time to come. With new developments such as e-privacy on the horizon, there may well be a need to refresh the guidance when appropriate, and we’ll continue to review our guidance and advice to give fundraisers the best support we can.
Sam Boyle, Policy and Information Officer, Institute of Fundraising