There’s a new pressing ‘must-do’ that should be on your list. Have you heard of it? It’s called the European Union’s General Data Protection Regulation (or EU GDPR for short).
Not so up to speed? It is a new law that is designed to enhance the existing data protection rights for any European Union resident.
So that means if your business, or charitable organisation, is providing products/services to anyone in the EU or is monitoring the behaviour of anyone resident in the EU, or employs anyone in the EU, then you’re going to be affected by this. So, it is safe to say that everyone is going to be affected.
And the final deadline for compliance is 25th May 2018. So, you’d better get your skates on!
If your organisation is a small to medium-sized charity relying upon just a few employees, or perhaps only volunteers, to “get with it”, it is a doubly tough job, with the hefty non-compliance fines carrying a much greater risk-impact for you.
We can all remember the national press stories of the last few years, featuring charities that didn’t have quite the best handle on the transparency of their data processing and the diligence with which they controlled data and their suppliers. Nobody wants to be responsible for putting their organisation in the spotlight for the wrong reasons, or indeed to be unknowingly causing distress.
Equally, no charitable organisation can afford to ‘write-off’ the majority of their fundraising contacts/mailing list, for fear of not being able to prove they have a valid reason to hold the personal data. That would have dire consequences for a charity’s ability to raise income!
But enough of the scaremongering. There are simple objectives around the strengthening of data protection laws, and therefore, the main thing to focus on is your organisation’s ability to prove, beyond reasonable doubt, that the person whose data you are using has demonstrated a “legitimate interest” in your organisation.
So, in simplistic terms, for a business, it is reasonable to state that someone who has been or currently is a customer of your products/services has demonstrated a “legitimate interest” in your company, and that it is therefore reasonable for you to continue to communicate with them using the personal data that you hold on them.
For charities, something similar applies. If a person has donated to your organisation in the past, and you now wish to send them your latest fundraising campaign or newsletter, then you’re good to go, so long as, when you received that previous donation, you clearly communicated that you would hold their details on record and would be sending them further fundraising information, and you gave them a clear opportunity to ‘opt-out’, which they did not subsequently do.
When all is said and done, it all comes down to having well organised, easily usable, robust and forensically-auditable recording of personal data, and the relationship your organisation has had, over the arc of time, with that data.
It really can be easy. Difficulty arises when you’ve got a large volume of data (many hundreds or thousands of records) to keep track of and/or a complex process to keep track of (many forms and methods for getting in touch with people and for them to contact you).
So, you need to think carefully about the systems (whatever these may be; paper, spreadsheet, CRM, ERP etc.) that your organisation has and state clearly how these systems need to be used, so that every relevant person in your organisation knows exactly how to correctly record and update personal data information:
1) Get consensus throughout your organisation on how you will handle the new regulation.
2) Make sure you know exactly what your organisation’s usage of personal data is and how you process the data. How do you store personal data? How do you control it? How do you share it, and so on?
3) Understand how you are checking for consent and ‘legitimate interest’ and document these.
4) Review your IT systems and procedures – are these helping or hindering you?
5) Review and update privacy policies to improve transparency and clarity.
(If in doubt, get legal advice about how the new laws will affect you. There are numerous law firms specialising in this subject matter.)
We’ve helped numerous organisations – particularly the small and medium sized charities that don’t have massive I.T. budgets – do just that, by implementing our JunariCRM+ system. We have a separate charity-based functionality module which means that all new contacts are defaulted to an ‘opt-out’ position, with the ability to mark the point at opt-in and to record when and what options or basis of communication the contact is agreeing to opt-in for.
If you are scratching your head and wondering how your charity can ensure it is compliant before May 2018, then give us a call. We’ll be happy to chat your issues through and suggest the options and possibilities available to you. Email us at: firstname.lastname@example.org or use that lovely “Get in Touch” button in the footer below.