Data protection changes: 5 things for NGOs to consider

13 November 2017
Author: Daniel Fluskey

Go to any conference, event, or meeting and chances are that someone will stick their hand up and ask about GDPR. With the General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, people are thinking more and more about what their charities will need to do to get ready.

GDPR doesn’t differentiate between organisations, it sets (pretty much) the same general rules for charities, businesses and all sectors, meaning that lots of organisations are going through the process of thinking about how exactly it applies to them and what they need to do. So, if you’re working in an international development organisation, what are the things that you should be aware of? 

1. You have to come up with some of the answers yourself

Every organisation, every sector, every function (for example, fundraising or campaigning) is thinking about what it means for them. In lots of areas GDPR sets out an outcome to be achieved, but then puts the ball in the court of each organisation to decide on their approach and how they will ensure compliance e.g, not keeping personal data longer than necessary. Although that may seem daunting - no one wants to get it wrong - the lack of absolutes in the legislation does give organisations the flexibility and opportunity to think about what works for them and how they will protect the privacy rights of individuals, rather than just giving them a list of rules to copy and paste. So don’t worry that you don’t have all the answers – everyone else is trying to get there too! 

2. More haste, less speed

While each organisation will need to think about their own work and put in place relevant policies and processes, that doesn’t mean that you need to reinvent the wheel each time. And taking the wrong decision now can have serious ramifications further down the line. Some concentrated work over the next six months will make it easier in the long run. Undertake an audit to understand what data you have and what you process it for, and review and update your policies where needed. Once you’ve got those policies in place, the rest should flow from there and you won’t have to go back to the starting blocks each time you need to make a decision. 

3. “Campaigning” communications sent to individuals is direct marketing

So is fundraising. So is a newsletter telling supporters about your work. Pretty much anything which is directed at a particular individual (whether through post, phone, email, or SMS) that promotes the aims and objectives of the organisation will be “direct marketing”. It’s important you know what falls into the definition of direct marketing as you can only send it if you have a lawful basis to do so. The two that will be most relevant for contacting supporters (whether to get them involved in campaigns or fundraising) will be consent and legitimate interest. Make sure you know how both of these work and choose the approach that works best for your organisation and supporters. 

4. International transfers of data

If you have international offices and work outside the European Union, then you should bear in mind that GDPR imposes restrictions on the transfer of personal data outside the EU. This includes using a CRM that hosts data outside the UK. That’s in place to ensure that individuals get the same level of protection outside the EU as within it. You can do it, but you’ll need to make sure that there are appropriate safeguards in place – you can find out more from the ICO.

5. Get your whole organisation on board

GDPR compliance should run through all aspects of an organisation. Your staff, volunteers, service users, beneficiaries, supporters and donors will all have personal data that you’ll be processing. We know that sometimes different areas of charities’ work can get fragmented and operate in silos. GDPR is actually an opportunity to get all parts of the organisation working together to a consistent and agreed approach, meaning all individuals that you work with will have their personal data treated fairly, securely, and have their choices respected. 

The Institute of Fundraising has a range of resources to help organisations get ready for GDPR at www.institute-of-fundraising.org.uk/guidance/research/get-ready-for-gdpr/ 

At the Bond Conference in February we'll be discussing how to optimise your processes, including a session on building a trustworthy organisation.

About the author

Institute of Fundraising

Daniel Fluskey is head of policy and research at the Institute of Fundraising.