
Expert View: GDPR has profound consequences for fundraising

July 20, 2017

Jitty van Doodewaerd, DMCC Netherlands

Charities are struggling with the implementation of the privacy law. It’s time for a wake-up call on charities’ use of data, says Jitty van Doodewaerd, compliance consultant at DMCC Netherlands.

Next year, new European privacy legislation (General Data Protection Regulation, aka GDPR) will come into force. For any organisation, commercial or non-profit, that collects or processes personal data, this law has profound consequences. Time for a wake-up call!

Many companies have stated that they are concerned that they will fail to meet the implementation deadline of May 2018. In particular, the new legal obligation to administrate and document data processing proves to be difficult and time-consuming. And new requirements around the processing of personal data need to be understood or charities risk damaging the reputation of the sector as a whole. So, what measures should fundraisers take now, to be GDPR-proof?

What data do you collect?
Fundraisers want to get to know their donors or members to serve them better and privacy legislation allows charities to keep records of contact and donation history. However, this does not license hoovering up all kinds of personal data.

If a donor tells you about his sick mother, a fundraiser must wonder whether this piece of information really contributes to improving service. This especially applies to the capture of special categories of personal data such as disease, religion, sexual preference, ethnicity, psychological or other issues. Perhaps in a telemarketing call you find that someone is “deaf” or legally incapacitated? Do you realise that these are special categories of personal data, which you cannot collect without explicit consent of your donor (or a legal guardian)?

Generally, if you can provide the same service or product without collecting certain personal data, you are not allowed to collect or store that data. This is the principle of data minimisation. Of course, determining what data is necessary for your business is subject to interpretation. So it’s important to set out your organisation’s approach clearly and to provide staff with appropriate and regular training. A learning management policy also indicates that your organisation puts effort into complying with the law.

What records do you need to keep?
GDPR obliges organisations to maintain a record of processing activities. Charities must set up a “privacy administration” comparable to their financial administration. This includes describing in detail what data is processed for what business purpose, via what media and stored in which applications. You also have to administer which employees or data processors can access the data, and what information security measures are taken. In practice, this obligation to document data processing is one of the most difficult requirements of the GDPR.

Data has a part in everything that we do. Fundraising institutions increasingly use specialist suppliers to capture, process and save personal data on their behalf. Charities will typically have, for example, a CRM database, email application, petitions platform and an ‘action’ platform managing volunteers and collections and data pulled in via online giving or crowdfunding sites. In addition, data processors store personal data for telemarketing, web development, or the use of chat, Facebook or other social media to engage with (potential) donors. Often these systems do not have an automated interface. Internal departments and external suppliers use manual imports and exports to keep the different applications up to date. A single customer view or central overview of all data processing activities is often not in place. However, starting May 2018 this is a requirement. And your data protection authority can ask for your records of processing activities.

Who should take responsibility for your data?
GDPR states that organisations that systematically monitor citizens are required to appoint a Data Protection Officer (DPO). The law does not explain what ‘systematic monitoring’ entails. It seems logical that a telco or power company has to appoint a DPO; they monitor traffic data and install smart meters. While it is likely that a small charity with some tens of thousands of donors would not have to do so, larger charities handling data on a bigger scale will need to – at the very least – discuss this subject at board level and assess whether it is required.

The data protection remit must be fulfilled (full or part-time) if you process more sensitive personal data, such as information about life expectancy, sexual preference, race, or health. While this may not be relevant to many charities, it is common for those with patient associations or that offer services like custom outings and trips.

But even if you do not fall under the definition, you should make somebody responsible for privacy compliance. Under the GDPR principle of accountability, organisations must have a firm grip on their processing. Because when privacy is everyone’s responsibility, it’s often found to slip through the net.

How can you retain care and control when working with third parties?
Accountability also means regularly checking your suppliers. First of all, by entering into a data processor agreement. That is not just a paragraph in the sales level agreement or contract, but a full-fledged document detailing your data processing: the type(s) of data, data retention periods and security measures. Secondly, by actually monitoring the data processors. This might include requesting them to periodically provide you with security reports, or asking a third party to audit your processors on site and check the extent to which they comply with the agreement.

What do you need to tell supporters?
GDPR still allows for data collection, but under the condition that citizens are comprehensively and understandably informed about your personal data collection and are offered a meaningful choice. It is not enough to provide this information with a hyperlink to the terms and conditions or the privacy statement. The information must be provided clearly where a consumer registers. Check how the WWF informs new donors about their use of data for fundraising online or see how Amnesty asks how their donors want to be contacted. You can provide additional information about your data processing in a privacy statement, but do make sure that the statement is easily accessible.

When should you delete data?
Marketers and fundraisers are often nervous of using the delete button. But GDPR states that personal data can be kept no longer than necessary for its collection purposes. If someone receives your email newsletter and they opt out, it is not enough to deactivate their account. If the data is no longer needed, it should – at some point – be deleted or anonymised.

Keeping personal data longer is permitted, if required by law. Such is the case with some financial data. The Dutch IRS for example requires an eight-year retention period. Personal data may also be stored a bit longer as “evidence”. Again, in the Netherlands consumers can claim an “unlawful act” against a company up until five years after the date, so this may mean that charities will need to retain certain data for that length of time.

May 2018 will be upon us all before we know it. Social responsibility obliges us all to be prudent with data and respect consumer privacy and new legislation will enshrine this in law. Many charities have only recently begun to adapt their processing to the new legal requirements and there is much more yet to be done, but there is much guidance available and by unifying our approach across Europe, we have a positive opportunity to build public understanding and trust.

About Jitty van Doodewaerd
Jitty van Doodewaerd is compliance consultant at DMCC Netherlands. She participated in the Big Data Expert Group of the Dutch Ministry of Economic Affairs. In her previous job, she was responsible for public affairs of the Dutch Marketing Trade Association and a member of the Legal Affairs Committee of the Federation for European Direct and Interactive Marketing (FEDMA) and the Privacy Commission of VNO-NCW.
