Charities are struggling with the implementation of the privacy law. It’s time for a wake-up call on charities’ use of data, says Jitty van Doodewaerd, compliance consultant at DMCC Netherlands.
Next year, new European privacy legislation (General Data Protection Regulation, aka GDPR) will come into force. For any organisation, commercial or non-profit, that collects or processes personal data, this law has profound consequences. Time for a wake-up call!
Many companies have stated that they are concerned that they will fail to meet the implementation deadline of May 2018. In particular, the new legal obligation to record and document data processing is proving difficult and time-consuming. The new requirements around the processing of personal data also need to be understood, or charities risk damaging the reputation of the sector as a whole. So, what measures should fundraisers take now to be GDPR-proof?
What data do you collect?
Fundraisers want to get to know their donors or members to serve them better and privacy legislation allows charities to keep records of contact and donation history. However, this does not license hoovering up all kinds of personal data.
If a donor tells you about his sick mother, a fundraiser must wonder whether this piece of information really contributes to improving service. This especially applies to the capture of special categories of personal data such as disease, religion, sexual preference, ethnicity, psychological or other issues. Perhaps in a telemarketing call you find that someone is "deaf" or legally incapacitated? Do you realise that these are special categories of personal data, which you cannot collect without explicit consent of your donor (or a legal guardian)?
Generally, if you can provide the same service or product without collecting certain personal data, you are not allowed to collect or store that data. This is the principle of data minimisation. Of course, determining what data is necessary for your business is subject to interpretation. So it’s important to set out your organisation’s approach clearly and to provide staff with appropriate and regular training. A learning management policy also indicates that your organisation puts effort into complying with the law.
What records do you need to keep?
GDPR obliges organisations to maintain a record of processing activities. Charities must set up a “privacy administration” comparable to their financial administration. This includes describing in detail what data is processed, for what business purpose, via what media and in which applications it is stored. You also have to record which employees or data processors can access the data, and what information security measures are taken. In practice, this obligation to document data processing is one of the most difficult requirements of the GDPR.
Data plays a part in everything that we do. Fundraising institutions increasingly use specialist suppliers to capture, process and store personal data on their behalf. A charity will typically have, for example, a CRM database, an email application, a petitions platform and an ‘action’ platform for managing volunteers and collections, plus data pulled in via online giving or crowdfunding sites. In addition, data processors store personal data for telemarketing or web development, or for the use of chat, Facebook or other social media to engage with (potential) donors. Often these systems have no automated interface: internal departments and external suppliers use manual imports and exports to keep the different applications up to date. A single customer view, or a central overview of all data processing activities, is often not in place. From May 2018, however, this is a requirement, and your data protection authority can ask to see your records of processing activities.
Who should take responsibility for your data?
GDPR states that organisations that systematically monitor citizens are required to appoint a Data Protection Officer (DPO). The law does not explain what ‘systematic monitoring’ entails. It seems logical that a telco or power company has to appoint a DPO; they monitor traffic data and install smart meters. A small charity with some tens of thousands of donors probably does not have to do so, but larger charities handling data on a bigger scale will, at the very least, need to discuss this subject at board level and assess whether it is required.
The data protection remit must also be fulfilled (full or part-time) if you process more sensitive personal data, such as information about life expectancy, sexual preference, race or health. While this may not be relevant to many charities, it is common for patient associations and for charities that offer services such as customised outings and trips.
But even if you do not fall under the definition, you should make somebody responsible for privacy compliance. Under the GDPR principle of accountability, organisations must have a firm grip on their processing. Because when privacy is everyone's responsibility, it's often found to slip through the net.
How can you retain care and control when working with third parties?
Accountability also means regularly checking your suppliers. First of all, by entering into a data processor agreement. That is not just a paragraph in the service level agreement or contract, but a full-fledged document detailing your data processing: the type(s) of data, the data retention periods and the security measures. Secondly, by actually monitoring the data processors. This might include asking them to provide you with periodic security reports, or asking a third party to audit your processors on site and assess the extent to which they comply with the agreement.
What do you need to tell supporters?
GDPR still allows for data collection, but on the condition that citizens are comprehensively and understandably informed about your personal data collection and are offered a meaningful choice. It is not enough to provide this information via a hyperlink to the terms and conditions or the privacy statement. The information must be provided clearly at the point where a consumer registers. Check how the WWF informs new donors about its use of data for fundraising online, or see how Amnesty asks its donors how they want to be contacted. You can provide additional information about your data processing in a privacy statement, but do make sure that the statement is easily accessible.
When should you delete data?
Marketers and fundraisers are often nervous of using the delete button. But GDPR states that personal data may be kept no longer than necessary for the purposes for which it was collected. If someone receives your email newsletter and opts out, it is not enough to deactivate their account. If the data is no longer needed, it should, at some point, be deleted or anonymised.
Keeping personal data longer is permitted if required by law. Such is the case with some financial data: the Dutch IRS, for example, requires an eight-year retention period. Personal data may also be stored somewhat longer as “evidence”. Again, in the Netherlands consumers can claim an “unlawful act” against a company for up to five years after the event in question, so charities may need to retain certain data for that length of time.
May 2018 will be upon us all before we know it. Social responsibility obliges us all to be prudent with data and to respect consumer privacy, and the new legislation will enshrine this in law. Many charities have only recently begun to adapt their processing to the new legal requirements and there is much more yet to be done, but there is much guidance available, and by unifying our approach across Europe we have a positive opportunity to build public understanding and trust.