Updated: Jan 24, 2021
You must be living under a rock if you haven’t yet heard of GDPR. Every business, every charity, and most individuals who have any involvement with personal information processing must have read about it by now.
I appreciate that as a small charity, you must be struggling to understand the vast amount of information on the subject available online and figuring out which parts of the new regulation you need to act on.
This brief article will provide small international development charities in the UK a quick and easy-to-digest guide on how to prepare for the upcoming data protection law changes in the next two weeks
1: Look at where your data comes from, where it sits and who you share it with
It is very important that you are as thorough as you possibly can be when working on this. You need to think about personal data here: where does the data you hold come from? Do you collect it through paper forms handed out at fundraising events? E-newsletter list? Donation pages on your website? Take your time to map out each way in which you receive personal information.
Where is your data stored? How many different platforms do you have? Do you use a fundraising database to record donor information but also use an email marketing platform? Are both of those platforms safe? How do you know that they are safe?
Lastly, who has access to this data? Do you have a database user agreement to ensure that new staff understands their responsibilities when it comes to data processing and safety before they are given the rights to manipulate the information? How many third parties do you share this data with? Do you have contracts with them where you state your data privacy notice and where they tell you more about how they keep your data safe?
Practical advice: When I say “map it out”, I literally mean taking an A3 sheet of paper and mapping out these three sections – how you receive data, how you store data, and how you share data. You can always transfer this information to a written data protection policy after.
2: Update your privacy notice
You want to make sure that the people whose data you’re processing know exactly how and why you do it.
3: Ensure you have the right to contact people
This is something that you should take as a matter of priority, however, it might be tricky to do before you go through the first two steps. You need to know what type of data you hold and how you process it in order to understand which segments you need to worry about when collecting consent (you don’t want to bombard your entire mailing list if some of those individuals have already consented).
Practical advice: Make sure that you keep your email as simple as possible and that your form has clearly laid out tick boxes (no barrelled questions or convoluted statements). Try to come up with a catchy subject line to get as many people to open and click-through as you can. I suggest that you send an email in the next couple of days, then one a week before GDPR comes into force and the last one a day prior to it (24 May).
4: Write up a policy on getting rid of “dead data”
Data retention is another important aspect of GDPR. You need to ensure that you have a policy in place that talks about how you keep people’s data and for what purposes.
You probably know that for both HR and Gift Aid purposes, you need to keep people’s data for 6 years. Think about supporters: how long do you think you should keep their data for? Are there any supporters whose data you would like to keep indefinitely even if they do not support the organisation by giving regularly (e.g. legacy pledgers)? What’s the number of years you could justify? Make sure that you write it up in a document and that you implement this policy into your work (delete data on annual basis?).
5: Document your processes
The last thing to touch on is that GDPR suggests organisations record their processes. Everything that you have done in the first four steps should be documented in your organisation’s data protection policy. What’s the structure of the policy you ask? Well, essentially, it’s all about how your gather, process, store, and share data and how you ensure that all of your processes are in compliance with GDPR.
There are many other things that I could talk about when it comes to preparing for GDPR, but I don’t want to make it more daunting than it already is. I suggest that you start by working through the above five steps in order to be as ready as you can be by 25 May and then take some time to look into other areas of the regulation that you may need to do some more work on.
Below is the list of resources that I found useful in learning more about GDPR.
Information Commissioner’s Office (ICO): https://ico.org.uk/
General Data Protection Regulation: https://gdpr-info.eu/
12 steps to take now to prepare for GDPR: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Personal information and fundraising: consent, purpose and transparency: https://www.fundraisingregulator.org.uk/wp-content/uploads/2017/02/GuidanceFinal.pdf
Fundraising Preference Service: https://public.fundraisingpreference.org.uk/
GDPR on community fundraising: https://www.institute-of-fundraising.org.uk/documents/3-gdpr-spotlight-on-community-fundraising/
GDPR on corporate fundraising: https://www.institute-of-fundraising.org.uk/documents/4-gdpr-spotlight-on-corporate-fundraising/
GDPR on legacies: https://www.institute-of-fundraising.org.uk/documents/5-gdpr-spotlight-on-legacies/
GDPR on trusts: https://www.institute-of-fundraising.org.uk/documents/6-gdpr-spotlight-on-trusts/