The General Data Protection Regulation (GDPR) came into effect on 25th May 2018. It is an update to the UK Data Protection Act of 1998 and sets out requirements for how organisations need to handle personal data. There is an abundance of information on GDPR, which can make it difficult for churches and charities to decipher what does apply to them and what doesn’t. In this article we debunk a few GDPR myths and correct a few misconceptions, so that you can move forward with clarity and peace of mind.
If you fundraise, collect donations or use feedback or enquiry forms of any kind, you’ll be storing and using individuals’ personal information. This will occur when recording names, addresses and contact details, sending information or using publicly available information to research and contact new supporters. This means that you will be ‘processing data’ under GDPR and are subject to the regulation.
GDPR is actually a good thing. It exists to protect us in terms of how data is being used and stored, and gives us all the right to know what information organisations hold on us, how they are using it, and also the right to have our information removed. GDPR is about honesty, integrity and transparency, all of which are important for building trust and long-lasting relationships. Although many organisations and charities have had to remove a number of people from their mailing list, these organisations also report that those they continue to communicate with are more responsive and engaged with their work and initiatives. In the long run, these regulations will help strengthen your relationships with your community and key stakeholders.
GDPR does mean that you must have permission to email your database of contacts, but it is about so much more than email. It is fundamentally about data, not channels of communication. It has an impact on your charity’s technology, marketing and processes.
Email marketing has changed but it is still one of the most effective forms of marketing. There is nothing that can replace email and as such not even GDPR can eradicate it for 10 very simple reasons.
(Source: Even GDPR can’t kill email)
If you already have the appropriate permission (‘Affirmative Consent’) to contact people on your database, you don’t have to ask for permission again. According to Article 4(11) of GDPR, Affirmative Consent is defined as:
Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed… …Silence, pre-ticked boxes or inactivity should therefore not constitute consent.
You may also have Legitimate Interest to contact people on your database. According to the Information Commissioner’s Office (ICO), Legitimate Interest is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
If you ensured that your church or charity was compliant last year before GDPR came into effect, that’s great: you’ve done much of the hard work, but there is still work to do. For example:
Your organisation’s responsibility for personal data doesn’t end when it gets passed to others for processing. For example, if you outsource your Gift Aid or use an email management system, you will still be processing some information and you have to ensure that those businesses you outsource to are legally compliant, even if they are based outside the EU.
GDPR has come into force in the UK and will stay in force after Brexit. In its February 2018 Brexit whitepaper, the government said it would seek to “maintain the stability of data transfer between EU Member States and the UK” as it recognises the stability of data transfer is important.
The ICO wants to first educate organisations before giving huge fines, but ultimately, if your church or charity is not compliant, you will be fined. It’s also worth noting that the Charity Commission is becoming increasingly stringent in the area of compliance.
GDPR might seem complicated, but it’s simpler than you may think. Ultimately it involves 5 key steps, and GoodtoGive can help you with each of them:
GoodtoGive can support you with the implementation of your GDPR processes. We have a number of Charity Compliance Events & Training each month, and our G-Flow software also helps churches and charities manage GDPR. Contact us to find out more.