The long awaited and dreaded (although it needn’t be) arrival of the General Data Protection Regulation is now just a little over five months away, and it’s encouraging to see charities beginning to address their responsibilities.
Like any of us, I receive a whole range of charity communications – by post and by email – and it’s been extremely instructive just how different organisations are dealing with the issues of consent, opt-ing in, opting-out and generally shaking it all about. Taking a professional interest, the approach of different charities has been variable and I have to say quite frankly misconceived in many cases. I don’t know if they have sought external advice, adopted a DIY approach or simply been so anxious about GDPR compliance that their risk-aversion has created an even greater risk of losing large swathes of their database. The fact is – and you know who you are – you DO NOT need opt-in consent for all forms of marketing or fundraising communication, only when it is by email or text. And so, if you put all of your data protection eggs in that basket and you don’t get consent, where does that leave you? Have you just cut yourself off from many of your supporters? And whether you are seeking opt-in consent or relying on legitimate interest (another of the allowable legal bases for processing data) you still need to explain fully the ‘how’s, why’s, what’s and what-ifs’ in a Privacy Policy that sets out in comprehensive but intelligible terms your obligations and the data subject’s rights in relation to the data you collect. Without it, you opt-in consents cannot be said to be fully informed and so their validity is open to challenge. Many of the privacy policies I’ve seen are outdated and only relate to data collected through websites. That’s not good enough. Yes, it’s complicated. Yes, the regulations are open to interpretation and yes, even the regulator, the Information Commissioner’s Office, hasn’t yet published all of the relevant guidelines. But help is at hand and for an informal initial chat about GDPR and data protection, please get in touch.