The slides from the event can be downloaded here
Cllr Mark Watson
Chief Executive at Fat Beehive
Mark welcomed everyone and made the point that GDPR was coming in (Brexit or not) and that whilst the larger charities have probably made provision for GDPR it’s been harder for smaller / medium sized charities.
Charities also rely on databases of supporters which they have built up over years – not all data will meet GDPR. Not only are these databases the lifeblood of the charities, but many smaller / medium sized charities don’t have the budget/resources to prepare for the changes.
There has therefore been a lot of concern/fear about GDPR in the charity sector – but overall it is probably a good thing and should improve the relationship between charities and their supporters.
Public confidence and giving to charities has been knocked over recent years but the work of many charities is more important than ever. So how charities build relationships with donors has never been more important. GDPR puts consumers in control of their data and how it is used and this, in turn, will lead to more open, honest and transparent donor relationships, which is good for consumers and charities / not for profits. Once charities have access to data they must use it to build real personal engagements with each donor based on their preferences.
Steve Reed MP
Shadow Minister for Civil Society
Welcomed everyone and pointed out that the UK was currently divided and that the need for charities was greater than ever. He commended the great work undertaken by the thousands of charities across the UK and was pleased to be able to host an event with specialist speakers to particularly help small and medium-sized charities. As the Shadow Minister for Civil Society, he was keen to arrange a number of roundtables with charities to help formulate the Labour Party policy on supporting the third sector. If interested please contact Alex White.
F IDM, Strategy and Insight Director, DotMailer Ltd
Reminded everyone that GDPR isn’t really anything new – there’s just been a shift in language and that GDPR really comes down to three fundamentals: being open, honest and transparent.
Communications should be relevant. Relevant comms are useful. Anything that is irrelevant is not useful and not good enough. A lot of people in the past have sent information to potential supporters that has not been useful or relevant, and this not only wastes money but can negatively impact supporter engagement.
Charities should see GDPR as a chance to change and improve. See it as an opportunity to clean up your data and improve your processes.
Managing Director, A City Law Firm Ltd
It’s not just active consent that’s important – you need to make sure that consent is informed.
Not sure where to start with GDPR? Always start with an audit of what you’re doing now and go from there – you’ll be surprised at how much you’re already doing.
Map where your data is going and where it’s held.
Business Development and Partnerships Manager, Small Charities Coalition
Check out their Charity GDPR tool to help you with your audit process and establish how you’re doing. SCC have partnered with a great organisation to bring an innovative tool that’ll help your charity become compliant – quickly, efficiently and with 100% confidence. It’s designed specifically for the small charity sector and was created with the help of GDPR experts. Best of all, it’ll let you focus on what’s important: your charitable cause.
Head of Client Partnerships, Fat Beehive Ltd
Focused on five key elements to get your website GDPR ready:
- Privacy Information Notices (PINs) – Consider layering information, making them user friendly and easy to understand. Must be in plain English.
- Forms – you must also consider the context in which the forms sit: what benefits does the user get from sharing their information? Updated forms are an opportunity to create fantastic, engaging forms as well as to improve the quality of the data you are collecting. Forms must be three things:
  - Clear: what exactly are they signing up to?
  - Granular: separate out the types of processing – put the user back in control of how their data is used.
  - Unbundled: consent must be presented separately, in a distinguishable manner, from other content such as general T&Cs and PINs.
- Just in Time Notices – information must not only be held in PINs but also given in context, at the point where the data is collected.
- Data Deletion – focusing on the user’s right for their data to be deleted. How long do you legitimately need to store the data for? Consider adding an expiry function in your CMS to delete data after a certain time period (e.g. 30 days).
- Security – users’ privacy should be considered at the core of any website. Your IT systems must be able to resist, at a given level of confidence, accidental events or unlawful or malicious actions. You must:
  - Ensure your website provider is keeping your CMS up to date (including security patches for open source technology).
  - Install an SSL certificate so that data in transit between browser and server is encrypted (HTTPS).
  - Review all third-party systems that integrate with your website (including mailing lists and CRMs) to check they are upgrading their processes or systems.
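As an added example (not code from the event or from any speaker's organisation), here is how the granular and unbundled consent points, the documentation of the legal basis, and the 30-day CMS expiry could be handled on the server side of a sign-up form; PURPOSES, recordConsent, mayProcess and purgeExpired are hypothetical names, and the form field values are constructed.

```javascript
// Added example: granular, unbundled consent records plus a retention purge.
// PURPOSES, recordConsent, mayProcess and purgeExpired are assumed names.

// One checkbox per processing purpose, each unticked by default on the form.
const PURPOSES = ['email_newsletter', 'postal_appeals', 'phone_fundraising'];
const RETENTION_DAYS = 30; // the CMS expiry period suggested in the talk
const DAY_MS = 24 * 60 * 60 * 1000;

// Build a consent record from submitted form fields. Only an explicit 'on'
// for a purpose counts; ticking the separate T&Cs box never implies consent.
function recordConsent(formFields, pinVersion, now = Date.now()) {
  if (typeof pinVersion !== 'string' || pinVersion === '') {
    throw new Error('the privacy notice version shown must be recorded');
  }
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = formFields[p] === 'on';
  return {
    email: formFields.email,
    purposes,                 // granular: one flag per processing purpose
    legalBasis: 'consent',    // documented basis for this processing
    pinVersion,               // which notice text the person actually saw
    consentedAt: new Date(now).toISOString(),
    // the CMS copy of the submission is deleted after RETENTION_DAYS
    expiresAt: new Date(now + RETENTION_DAYS * DAY_MS).toISOString(),
  };
}

// True only if this purpose was explicitly consented to and the stored
// submission has not yet passed its retention expiry.
function mayProcess(record, purpose, now = Date.now()) {
  if (!(purpose in record.purposes)) throw new Error('unknown purpose ' + purpose);
  return record.purposes[purpose] === true && Date.parse(record.expiresAt) > now;
}

// Retention job: drop expired submissions, report how many were deleted.
function purgeExpired(records, now = Date.now()) {
  const kept = records.filter(r => Date.parse(r.expiresAt) > now);
  return { kept, deleted: records.length - kept.length };
}
```

Run purgeExpired on a schedule (for example nightly) so that the deletion happens without anyone having to remember it.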
Group Manager Policy & Engagement, Information Commissioner’s Office
Don’t forget to document what you’re doing to become GDPR compliant.
The first data protection principle is that data be processed lawfully, so to process personal data under the GDPR you must have a legal basis to do so, and document it. Under the Data Protection Act, this was known as ‘conditions for processing’.
There are six legal bases under the GDPR:
- Consent – the individual has given clear consent for you to process their personal data for a specific purpose;
- Contract – the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract;
- Legal Obligation – the processing is necessary for you to comply with the law (not including contractual obligations);
- Vital Interest – the processing is necessary to protect someone’s life;
- Public Task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law; and/or
- Legitimate Interest – the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Generally, organisations using an email service provider rely on consent or legitimate interest as their legal basis for processing data to send direct email marketing; however, it is up to data controllers to determine and document their basis for processing. The ICO has published guidance, which you can read here: Lawful processing of personal data under the GDPR.