Corinna Loges

30 Aug 2017, 10:41

Worried about GDPR? Keep calm and embrace the opportunity

Corinna Loges, Associate Consultant

As a former CEO of a smaller sized charity relying heavily on individual giving, I fully understand the concern felt by many small and medium sized charities regarding the implementation of the new Data Protection Regulation (GDPR) and e-Privacy Regulation coming into effect in May 2018.

As you are doubtless aware, the framework within which we have to deal with supporter data and matters of privacy will change significantly. How and why we acquire and process data will have to become more transparent and our transactional accountability will have to increase.

Although we may hope this will go away, or at least not affect our less high-profile charity, there will be no escape. However, even though this will mean a great step-change for our data policies and related internal processes, there is also a great opportunity.

While the new regulations and implementation requirements may seem something of a technical nightmare with uncertain outcomes, it may be helpful to look at the matter first from a supporter’s perspective: according to recent research on charity donations and how data is treated by charities, people are feeling suspicious and uneasy[1].

So, it is not just the pressure put on us by political decision makers and the threat of fines that ought to spur us into action. The general public, as a major source of funding of our charitable activities, has to be heard and taken seriously. 

It strikes me that this is a great opportunity for those of us willing to embrace the change, and re-connect with our constituencies in a way that better values the relationship. This way we will be able to stand out from the crowd and form stronger, more authentic bonds. Yes, some people on our database may not want to continue talking to us but (if we get it right) the loyal ones are likely to become even more engaged.

I would encourage you to seize this opportunity. Explore the positives of what GDPR means for your organisation and how you can make it work in your favour.

Here are the steps you should take:

  1. Appoint a designated individual (trustee or senior staff person) to lead on the process and/or form a designated working group
  2. Adopt a deliberate and planned approach that promotes privacy and protection from the start of each process, and not as an after-thought. (In the jargon, this is known as Data-Protection-by-Design.)
  3. Perform an information audit across your organization – what information is held where? (remember this applies to data held on paper as well as electronically)
  4. Map out and update all Data Protection policies and processes.
  5. Identify practical risks (e.g. insecure equipment or untrained staff/volunteers) and reputational risks (data breach and bad press).
  6. Document your planning and implementation process so you can justify your rationale if challenged by the ICO. 
  7. Take care to minimise the impact of the regulations on your fundraising and operations, whilst making compliance your goal – don’t tie one hand behind your back unnecessarily, but remember that if you get it wrong the stakes for your reputation and legal enforcement are high.

Whether you are in a tight spot or simply need help devising and implementing a practical framework to get ready for May 2018, do contact Corinna at admin.ap@actionplanning.co.uk.

[1] GDPR – It’s what the public want – nfpsynergy.net

David Saint

For more advice on how to deal with GDPR, get in touch

Contact David Now