Nimarta Cheema of Lindsays with the second part of a two part look at how charities can prepare for GDPR. Read the first part here.
Marketing is a crucial element to many charities’ operations - it can help to raise your charity’s profile, engage with your audience and attract donations.
Lots of marketing activities use information about individuals (including names, addresses and email addresses) and so must be carried out in compliance with data protection laws.
Consequently, four letters are currently raising concerns for many charities and charity trustees - GDPR, short for the General Data Protection Regulation. The new data protection regime is a significant issue for charities of all sizes and one which must be taken seriously.
The change to the definition of consent with GDPR is significant and will impose additional operational burdens on charities to ensure adequate processes are in place.
As a practical example, say a local children's charity produces a regular newsletter containing information about its work and to promote upcoming fundraising events.
The charity only sends the newsletter to people who have signed up for it via their website. Does the charity's procedure for obtaining consent meet the new requirements under the GDPR?
By asking the recipients to sign up for the newsletter, the charity is asking recipients for their freely given, specific consent.
However, it is important that the website form requires the recipients to actively opt-in and that it is clear what they are signing up for.
The charity will also need to put in place a privacy policy which clearly sets out how the recipients’ information will be used and how they can withdraw their consent if they choose to do so.
Charities should take advice on whether they need to re-approach all their existing supporters to seek new consent.
Databases and processes
If you send out regular e-newsletters or bulletins, it is likely that you hold a database of the recipients' personal data, including names, addresses (postal or email) and perhaps other information.
The GDPR will give individuals increased rights to understand, access and manage the information which an organisation holds about them.
In order to satisfy any such requests from individuals, you'll need to know why the information has been gathered, how the data is used, and where and how the data is stored.
You must be able to amend, delete or share the data as instructed by the individual and you must be able to recover any data which has been shared with third parties.
If a charity had put together an informal list of information about its supporters or donors by retaining names, addresses, email addresses and contact numbers in a spreadsheet, would this comply with its obligations under the GDPR?
The charity will need to consider its lawful basis for holding the relevant information. This will be closely tied to the purposes for which it has gathered the information.
If the charity does not have a lawful basis for gathering and holding the information, it should be deleted. This will involve a systematic process to determine whether a lawful basis exists and a check to ensure that, if not, the relevant information is fully deleted from its IT systems, records and databases.
If it has a lawful basis, it will still need to audit the information it holds to check that it is accurate and to ensure it is not holding more information than is necessary.
The charity should also review the internal procedures it has in place around dealing with the information, and ensure it has the correct resources to manage and secure the information on a continuing basis.
It will be important for the charity to have a clear privacy policy which sets out how it deals with any personal data.
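The two examples above (the newsletter sign-up form and the informal spreadsheet of supporters) both come down to the same record-keeping questions: was consent actively given, has it been withdrawn, is there any recorded lawful basis at all, who else has a copy, and what must be shown to a supporter who asks. The following Python model is an added illustration of those checks, not code from the article or from Lindsays; the supporter names, the "mailing-house-ltd" third party and the field names are all made up for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


# Illustrative supporter record for a charity's mailing list (constructed example).
@dataclass
class SupporterRecord:
    email: str
    name: str
    purpose: str                               # why the data was gathered
    lawful_basis: Optional[str] = None         # e.g. "consent"; None = none recorded
    opt_in: bool = False                       # True only after an active tick/click
    consent_given_at: Optional[datetime] = None
    consent_withdrawn_at: Optional[datetime] = None
    shared_with: List[str] = field(default_factory=list)  # third parties sent a copy


def sign_up(email: str, name: str, actively_ticked: bool,
            when: datetime) -> SupporterRecord:
    """Create a newsletter record from a web form submission.

    A pre-ticked box or silence does not count as consent, so the record only
    gets a lawful basis when the person actively ticked the box."""
    rec = SupporterRecord(email=email, name=name, purpose="newsletter")
    if actively_ticked:
        rec.lawful_basis = "consent"
        rec.opt_in = True
        rec.consent_given_at = when
    return rec


def withdraw_consent(rec: SupporterRecord, when: datetime) -> None:
    """Honour a withdrawal request; the record then has no basis for mailing."""
    rec.consent_withdrawn_at = when


def has_lawful_basis(rec: SupporterRecord) -> bool:
    """Consent is only valid if it was actively given and not since withdrawn."""
    if rec.lawful_basis is None:
        return False
    if rec.lawful_basis == "consent":
        return rec.opt_in and rec.consent_withdrawn_at is None
    return True   # other bases (e.g. contract) would need their own checks


def audit_records(records):
    """Split the list into records to keep and records that must be deleted."""
    keep = [r for r in records if has_lawful_basis(r)]
    delete = [r for r in records if not has_lawful_basis(r)]
    return keep, delete


def deletion_notifications(records):
    """For records being deleted, list which third parties must also be told
    to delete their copy, since shared data has to be recovered too."""
    return {r.email: list(r.shared_with) for r in records if r.shared_with}


def subject_access_response(rec: SupporterRecord) -> dict:
    """What a supporter is entitled to learn when they ask what you hold."""
    return {
        "data_held": {"name": rec.name, "email": rec.email},
        "purpose": rec.purpose,
        "lawful_basis": rec.lawful_basis,
        "consent_given_at": rec.consent_given_at.isoformat() if rec.consent_given_at else None,
        "shared_with": list(rec.shared_with),
    }


def sample_records():
    """Constructed test data; these are not real supporters."""
    t = datetime(2018, 3, 1, tzinfo=timezone.utc)
    alice = sign_up("alice@example.org", "Alice", actively_ticked=True, when=t)
    bob = sign_up("bob@example.org", "Bob", actively_ticked=False, when=t)  # pre-ticked box
    carol = sign_up("carol@example.org", "Carol", actively_ticked=True, when=t)
    withdraw_consent(carol, datetime(2018, 4, 1, tzinfo=timezone.utc))
    carol.shared_with.append("mailing-house-ltd")  # hypothetical third party
    # Legacy spreadsheet row with no recorded purpose or basis.
    dave = SupporterRecord(email="dave@example.org", name="Dave",
                           purpose="unknown", lawful_basis=None)
    return [alice, bob, carol, dave]


if __name__ == "__main__":
    keep, delete = audit_records(sample_records())
    print("keep:", [r.email for r in keep])
    print("delete:", [r.email for r in delete])
    print("notify third parties:", deletion_notifications(delete))
    print(subject_access_response(keep[0]))
```

Run as a script, the audit keeps only Alice (active opt-in, never withdrawn), flags Bob (box was not actively ticked), Carol (consent withdrawn) and Dave (no basis recorded) for deletion, and shows that the mailing house holding Carol's details must be told to delete its copy as well. The point of storing the basis, timestamps and sharing history alongside the contact details is that every one of those answers can be produced on demand rather than reconstructed after a request arrives.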
Start your plan now
What should be clear here is the need for a plan, and one that starts now. Your next steps will depend on the size of your charity, and the state of your current practices. You can refer to this useful checklist here to help you start to build your plan.
In this article, we have focused on marketing activities, but the GDPR will also affect other areas, such as the contracts you enter into and how you record, use and manage information about your employees, volunteers and service users.
When pulling together a plan to make your charity’s activities GDPR compliant, you should look for tailored and pragmatic advice - based on an understanding of the specific pressures facing charities, the reputational issues as well as the legal ones, and the resources available to them.
With such advice, the power of those four letters to instil dread or panic will steadily dissipate over the next few months. Instead, you'll have a viable and sustainable plan.
Nimarta Cheema is a solicitor at Lindsays.