“Data Protection: THE PARADOX.” (*Read in film trailer voiceover voice*) “Everyone’s “interested”, but nobody wants to know. Data Protection: THE ENIGMA; after GDPR can we mail people? No, definitely not. Wait…ummm, maybe? It depends!”
I’m sorry. I can’t make Data Protection entertaining. As a guest (and first-time) blogger, I felt obligated to try. Be gentle with me.
I’ll just quietly abandon Data Protection: The Movie and hope no one noticed…
Instead I’d like to bring you on a journey to share with you my thoughts on why it’s imperative that we (charities and specifically fundraisers) prioritise data protection compliance.
- Because it’s the law
Just because it’s first doesn’t mean it’s the most important. I can think of (and have noted below) many more reasons why it is crucial for us to get this right. However, I hope you’ll allow that “The Law” is worth at least a mention.No need to wait until GDPR becomes enforceable next May (the 25th to be exact) to get all your ducks in a row. The basic principles of data protection are already the law of the land, and have been since 1988. You won’t remember that, of course. Some of you weren’t even born. For the rest of us, it was somewhat overshadowed by the release of Cocktail, the first Die Hard movie and Big in the same year.
“You know what else is big? GDPR Fines” is what people with bad grammar trying to sell you some magic silver bullet compliance tool will tell you. This is misleading (maximum fines are unlikely) and its purpose is purely to exploit your fear and uncertainty so that you part with your cash. But the happy news is that the doesn’t need to fine you millions to render you inoperative. They can currently impose that could bring your fundraising operations to a standstill, like blocking data from use for certain purposes or requiring you to erase it altogether.
- Because it’s the right thing to do
We are a hardworking and formidable bunch. We fight for child welfare, for animal welfare, for the disabled, for the homeless, for people struggling with addiction, for those with no country, for the wrongfully imprisoned, for those on their own, for the elderly, for the physically and mentally unwell, for those that find themselves suddenly in difficult circumstances, for those struck by disaster at home and overseas. We fight to protect the rights of all.The right to privacy (the basis of data protection) is a fundamental human right.I cannot reconcile how we can do all of that good stuff and then deliberately choose to ignore the rights of people who support or might support those causes.
- Because it’s an opportunity (or a PR nightmare – your choice)
We have been moving glacially past some far-reaching scandals in our sector. According to the latest ICEM research, people trust banks more than they trust charities. BANKS! ( have a lot to answer for). There is a lot of ground for us to make up. Intransigence and inertia in relation to our data protection obligations, particularly with regard to direct marketing practices will not move us forward on that road.The ODPC must investigate every complaint it receives. In 2016 they received over 1,400 of them (the highest number in ten years). It takes just one for them to investigate your organisation. Alternatively, just one person’s account of their experience in a high-profile forum can cause the media to turn its gaze towards the sector. Where the media’s focus turns, the ODPC’s attention may follow. In the UK, it was the media coverage of Olive Cook and Samuel Rae that caused the Information Commissioner’s Office (The UK’s ODPC equivalent) to investigate data practices within the charity sector there.
Charities addressing data protection requirements now are creating competitive advantage. If we move as a sector though, data protection compliance presents an opportunity to win back trust; to move the sector forward in terms of governance and regulation and to get ahead of the curve in terms of best practice. Don’t let this opportunity pass you by.
- Because it’s sort of like donor-care
Yes. It is. Inform your donors, have a conversation, ask their opinion, put some control back in their hands, give them a choice over the things you must, and maybe a few other things that you can pull off operationally. Listen. And, most importantly, comply with their wishes.
- Because it makes business sense
Why do you want to spend money to keep contacting people who do not want to hear from you? Why communicate your message over and over to a more and more disengaged supporter base? Or worse, have your message land in the wrong place each time because your database is inaccurate and out of date? Why wouldn’t you want to document policies and procedures that provide guidance and reference to staff and certainty during periods of cover for absence or transition? Why are you prepared to keep losing money through operational inefficiencies that would be addressed by taking steps to become data protection compliant?
- Because we have always innovated to meet change and challenge
There is passion and creativity and ingenuity and commitment in bucket loads within the sector. Colleagues, you are nothing short of inspirational. Things evolve, and the sector constantly adapts to turn advances and challenges to its advantage.
All this is not to say that I don’t share the frustrations of many in the sector. I do. The law seems restrictive; GDPR appears wide-ranging and complex, without practical and informed guidance; it requires a sea-change in culture; you feel like you need to employ a GDPR-Whisperer (like there’s budget for that!). Where do you even begin?
Take a deep breath.
There are no special measures for us. Yes, we have the best of intentions, but that is not enough. We need regulatory compliance as well.
Let’s try to accept that GDPR is happening and that data protection is a boardroom issue. Let’s move beyond howling at the moon and let’s take back some control.
We don’t have to stop fundraising. Our hands are not tied. There is some detailed groundwork to do at first, and then we need to funnel some of our creative energy into how to fundraise whilst meeting our legal obligations.
Let’s start a discussion and work together to share knowledge, insight and ideas on how we might do this.
As Simon has kindly allowed me another post, next time I am going to share some practical advice to kick-start the journey towards compliance, in IMAX style clarity. 3D glasses to the ready. (Not really, of course. Although there might be a diagram. In colour. With arrows. And other surprises. Just keeping things interesting. And mysterious.)
Thanks for reading this far, if you have.
Join me next time, won’t you?
Caroline Cummins is a fundraising professional, certified data protection practitioner, and former lawyer. You should follow her on Twitter @Dandering