With the lockdown still in full effect, fundraising events and dinners are no longer an option this Ramadan. As a result, you will have to rely more on direct marketing such as text messages, emails, phone calls and social media.
GDPR has a massive impact on everything you do this month. From storing personal data (e.g. records of supporters, donors, volunteers and beneficiaries) to fundraising and promoting your charity’s work, it is essential that you are up to date with GDPR requirements.
Let’s start with the basics:
What is GDPR and does it apply to you?
The General Data Protection Regulation (GDPR) is a data privacy law which gives people more control over the personal or sensitive information that organisations collect about them. The regulation applies to any organisation that processes the personal data of EU citizens. For now, despite Brexit, GDPR still applies to how you use and process personal data.
What is personal data?
Personal data is any information that could be used to directly or indirectly identify a person. The scope of what can be termed personal data is broad. Examples include name, address, age and bank details. Non-specific information (e.g. gender, religious affiliation and sexual orientation) which, when put together, can be used to identify someone also falls within the scope of personal data.
Over the next month, you will be dealing with personal data of all forms relating to donors, beneficiaries, employees and volunteers. Non-compliance with GDPR will lead to large fines (up to 4% of annual turnover) and reputational damage. In an environment where donors are carefully choosing charities to support based on their reputation, this is a pitfall you want to avoid.
In this article we’ve compiled a list of common mistakes that could be detrimental:
1. Consent, Consent, Consent – there is no shortcut.
Under GDPR, direct marketing such as emails and texts requires a lawful basis. This can be legitimate interest or consent. Since consent provides the most certainty for compliance, this is the option we advise. It means that you must have an individual’s consent (e.g. they signed up to a newsletter) before they can receive direct marketing from you.
The best way to get consent is by using an opt-in box. This can be in the form of a yes or no option on a website. The opt-in box cannot be pre-ticked as this does not demonstrate consent.
A good example of an opt-in message can be worded as follows:
“Tick if you would like to receive information about our campaign:
- by email
- by telephone
- by text message”
Ask: Do I have consent from people to receive marketing?
2. Do not copy contact lists from previous campaigns without consent
Let’s say you organised a fundraiser for homeless people where you collected and stored information. Now that Ramadan is here, it may be tempting to copy that email list and use it when sending direct communications for a Ramadan appeal. Note that when people opted in to receive marketing during the homeless appeal, the opt-in wording did not cover further campaigns. If you did include wording about future campaigns (e.g. Ramadan appeals) and they opted in, this is fine. If they opted out of receiving future marketing unrelated to what they signed up for, do not send marketing to that database.
Earlier this year, The Salvation Army was found to have breached the code of fundraising practice for direct marketing. They didn’t act on a request to receive communications only for their Christmas and Easter appeals. As a result, the recipient received unwanted emails. Be aware of the stated preferences in your existing database. Consent choices – how people want to receive communications such as emails, text messages or calls – and the type of messages they want to receive, should inform how you interact with donors.
Ask: Is my contact list up to date with preferences?
3. The unsubscribe button should be easy to find
The option to opt-out of receiving communications from you cannot be buried away in a pile of information. GDPR requires that people are given a choice. For example, at the bottom of any newsletter or emails you send this Ramadan, include an unsubscribe button that gives people the option to be removed from your database. In the event someone makes a request to be deleted, you must comply within 28 days.
Ask: Have I given people easy opportunities to unsubscribe (withdraw consent) or delete any data that I hold?
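As an added example (not part of the original article or of Kazient’s own tooling), here is a minimal consent check in Python that models the rules in points 1 to 3: per-channel opt-in that is only true when the person actively ticked the box, consent scoped to the campaign they signed up for, withdrawal, and the 28-day erasure deadline. The record fields and the sample contacts are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

ERASURE_DEADLINE_DAYS = 28  # deadline stated in the article


@dataclass
class Contact:
    """Constructed supporter record (hypothetical schema, not a real database)."""
    email: str
    # channel -> True only if the person actively ticked the box (never pre-ticked)
    channels: Dict[str, bool] = field(default_factory=dict)
    # campaigns the opt-in wording covered, e.g. {"homeless", "ramadan"}
    campaigns: Set[str] = field(default_factory=set)
    withdrawn_on: Optional[date] = None          # unsubscribed / consent withdrawn
    erasure_requested_on: Optional[date] = None  # asked to be deleted


def may_contact(c: Contact, channel: str, campaign: str) -> Tuple[bool, str]:
    """Gate every outbound message: consent must exist, be for this channel,
    cover this campaign, and not have been withdrawn."""
    if c.erasure_requested_on is not None or c.withdrawn_on is not None:
        return False, "consent withdrawn"
    if not c.channels.get(channel, False):
        return False, f"no opt-in for {channel}"
    if campaign not in c.campaigns:
        return False, f"consent does not cover {campaign} campaign"
    return True, "ok"


def build_send_list(contacts: List[Contact], channel: str, campaign: str) -> List[str]:
    """Addresses that may lawfully receive this campaign on this channel."""
    return [c.email for c in contacts if may_contact(c, channel, campaign)[0]]


def overdue_erasures(contacts: List[Contact], today: date) -> List[str]:
    """Deletion requests that have passed the 28-day deadline and still hold data."""
    return [c.email for c in contacts
            if c.erasure_requested_on is not None
            and (today - c.erasure_requested_on).days > ERASURE_DEADLINE_DAYS]


# Constructed sample records (not real supporters)
SAMPLE = [
    Contact("a@example.org", {"email": True, "sms": False}, {"homeless", "ramadan"}),
    Contact("b@example.org", {"email": True}, {"homeless"}),  # homeless appeal only
    Contact("c@example.org", {"email": True, "sms": True}, {"ramadan"}, withdrawn_on=date(2020, 4, 1)),
    Contact("d@example.org", {"email": True}, {"ramadan"}, erasure_requested_on=date(2020, 3, 20)),
]
```

Running `build_send_list(SAMPLE, "email", "ramadan")` returns only `a@example.org`: b only consented to the homeless appeal, c withdrew, and d asked to be deleted.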
4. Do respect and honour the privacy of your beneficiaries
Protecting and safeguarding the information of your beneficiaries is non-negotiable. Do not share personal or health information all over social media to attract donors. Be careful with what you share on social media, e.g. WhatsApp, Facebook, Instagram and Twitter. Have documents in place that show your beneficiaries have given consent for the information you are sharing, whether these are written or video testimonials.
Ask: Do I have consent for what I am about to share?
5. Ensure databases are safe and secure
It is poor practice to leave databases accessible to just about anyone and everyone in your organisation. To avoid a data breach this Ramadan, take all necessary steps to secure confidential and sensitive information. This includes using strong passwords, ensuring proper storage of physical files, and having adequate malware protection on all devices.
A London-based pharmacy (Doorstep Dispensaree Ltd) was the first company to be fined under GDPR for failing to protect the data of their patients. The pharmacy left about 500,000 documents in unlocked containers at the back of their office. They were fined £275,000 for their negligence. Under GDPR your organisation should protect data against the following:
- Unauthorised or unlawful processing
- Accidental loss
- Destruction and damage
A data breach can lead to a loss of trust and goodwill.
The Information Commissioner’s Office also fined the British and Foreign Bible Society £100,000 after the personal data of over 400,000 of their supporters was breached when hackers exploited a weakness in their computer systems. The breach was traced to the use of a service account with an easy password. Read our article on bad password habits that could be leaving you exposed to a hack. With more staff working remotely due to Coronavirus, it’s even more important that you have adequate protection against cyber-attacks and against data breaches caused by human error.
Ask: Have I put in place technical and organisational measures to protect personal information?
Kazient Privacy Experts recently launched the Amanah Project, a scheme that helps Muslim charities to protect the information they hold about their supporters, volunteers and beneficiaries. With increased oversight from regulators on fundraising, we are working with Muslim charities to encourage GDPR compliance. We make the regulation simple and easy to understand.
Get in touch with us to learn more about how we can help you.
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions, in a language you understand, to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.