Ensuring compliance with the new General Data Protection Regulation by 25 May 2018 is the hot topic of the moment, but there are many charities still seemingly frozen in the headlights and not taking even the most basic steps to prepare.
In fact, many of the requirements under GDPR are not new, and organisations should have been adhering to them all along. But one of the most significant regulations for charities does require urgent action, and the window of opportunity is closing.
Communicating with supporters is essential for all charities. The annual newsletter, the seasonal charity appeals and increasingly the frequent e-bulletins sent to a database of thousands, all represent important ‘contact opportunities’ to keep your donors informed of your activities, and you in their thoughts.
As many charities are now realising from the clamour around GDPR, it’s actually long been a requirement of the Privacy and Electronic Communications Regulations 2003 (PECR) to have clear, informed, opt-in consent from an individual before you can send them marketing, fundraising or promotional communications by email, SMS (text) or automated telephone call.
What will change from 25 May, is that you will no longer be able to use a ‘soft opt-in’ to communicate with your supporters by email. So what is the soft opt-in?
For all of those charities who have been emailing newsletters and appeals on the basis that supporters at some time or other signed up to receive them, the soft opt-in allows you to ask them to re-confirm their consent in a way that will be compliant with GDPR.
You can do this by way of a stand-alone ‘administrative’ email with a particular, nuanced form of words referring to your privacy policy, so recipients know exactly what you will do with their personal information and their rights in respect of it. And if you haven’t yet updated or, heaven forfend, written you privacy policy, you have even more work to do, because without it, consent cannot really be said to be informed.
Beware though. If you don’t already have some form of consent - for example if you obtained a database from another source without those on it knowing that you have their details – or if you know that people have asked not to be contacted, you can’t approach them at all by email to ask for consent, since you don’t have their consent to email them in the first place (yes, it is a bit circular!). Budget airline Flybe were fined £70,000 for sending such emails to over 3 million addresses in March of 2017.
Inevitably, there’s more to this apparently straightforward process than first appears, but with guidance from someone with expertise in the field, you can use your soft opt-in options.
For an informal chat about this and your preparations for GDPR, please contact me here.