Avoid the reputational damage and financial penalties which can come with data protection breaches
62% of companies do NOT comply with the most basic requirements of the GDPR
That is the worrying finding of a 2016 survey which looked at the readiness of European businesses for the General Data Protection Regulation “GDPR”, which came into force in May 2018.
Data Health Check
Bloom Fundraising run what are known as Data Impact Assessments (DIAs) to help charities comply with the law. DIAs identify areas of non-compliance with present and future data protection legislation (including GDPR).
- Each ‘contact point’ where personal data is collected, stored and used is thoroughly audited.
- We look at things like on and offline data capture forms, procedures for moving personal data securely between third parties, and whether marketing campaigns are lawful.
DIAs are not a legal requirement, but should a breach be reported, the ICO may ask an organisation whether it has carried out a DIA. Conducting a DIA is one of the most effective ways to demonstrate to the ICO that you take your donors’ privacy seriously, and that you’re diligently striving to comply with data protection laws and regulations.
Focus on direct marketing (consent)
A Marketing DIA helps you get to grips with all the important issues around marketing consent. The auditing process we have adopted strictly adheres to the ICO’s own best practice guidance for direct marketing.
- direct marketing scrutinised through a GDPR data privacy lens
- donor consent, preferences and security requirements brought up to speed.
We advise you how to swiftly and economically put in place any changes you may need to action in order to become compliant.
We even help you design policies to guide your staff and help keep your data handling compliant with the law for the time to come.
Focusing on ALL aspects of data compliance (consent + security)
Bloom Fundraising’s Comprehensive DIA is an audit which covers ALL data protection ‘touch points’ throughout your entire organisation. This means that as well as direct marketing, the administrative aspects of your business are audited too.
- Data protection assurance: registration, processing, data quality, accuracy and retention
- Records management: record maintenance and access, storage and disposal
- Information security: mobile working, removable media, access controls and malware protection
- Data sharing & subject access: sharing policy and agreements, as well as compliance monitoring
- Direct marketing: consent and bought-in lists, as well as telephone, electronic and postal marketing
Our audit process is modelled on the ICO’s best practice guidance for small and medium-sized organisations.
We advise on practical measures relating specifically to compliance, including guidance in drafting policies and risk assessments.
GDPR: How does it impact your charity?
The General Data Protection Regulation “GDPR” came into force in May 2018
The new regulation from the European Commission will expand and deepen existing UK privacy laws, regardless of Brexit.
The ICO is the government body set up to uphold personal information rights. The ICO is the enforcer of UK data privacy legislation, including the Data Protection Act (now GDPR), the Privacy and Electronic Communications Act (PECA), and the Freedom of Information Act. It has the power to impose fines of up to €100 million or 5% of annual turnover (whichever is higher) for non-compliance with the GDPR.
Since 25 May 2018, a higher standard of consent is required of charities who collect and store their supporter and prospects’ personal data for marketing purposes.
Data Protection DOs and DON’Ts
- Charities DON’T require explicit consent to send fundraising emails to existing supporters who’ve previously given consent. Consent is only needed from new supporters, so there’s nothing new here.
- Charities DON’T require consent to send POSTAL appeals to prospects, so long as they can show that they have a Legitimate Interest in doing so.
- When seeking consent to use personal data, charities must be “specific” about the “purpose/s” for which they collect data.
- Consent must also be “granular”: for instance, which ‘channels’ (email, phone, SMS, post, etc.) you will use to communicate with donors and prospects needs to be made clear when marketing consent is sought.
- Consent needs to be built into fundraising campaigns and replicated in back-end databases and CRM systems.
- Consent is “not for ever” but has a limited shelf life, requiring renewal after a period of time.
- Charities DO require explicit consent to use supporters’ personal data to identify and target those with a high donating propensity (wealth screening).
- Charities DO require consent to obtain additional personal details about their supporters, such as phone, email and postal address, in order to maximise marketing opportunities (data appending).
To learn more about how we can help prevent your charity from breaching data protection laws, fill in the form below.