Picture your marketing file, those thousands — maybe even millions — of names and related information. Think about where that information came from. Was it expressly provided by individuals for the purpose of being solicited? Did privacy policies disclose how and for how long information would be used and maintained? How would that file look if your organization took an opt-in, as opposed to opt-out, approach?
Such questions have been on the minds of European fundraisers and marketers for more than a year now. The European Union’s General Data Protection Regulation (GDPR) was adopted in April 2016 and will become enforceable on May 25, 2018. The regulation applies broadly, including nonprofits, for-profits, and public entities, noted Daniel Fluskey, head of research and policy at the Institute of Fundraising in London, U.K., a membership organization representing 3,000 British charities. The institute has been involved in the GDPR process including writing to members of European Parliament, Fluskey said via an email.
The GDPR builds on previous data protection policies, namely the Data Protection Directive of 1995, so European Union (EU) charities should already have robust data protection policies in place, with many organizations taking this opportunity to review and refine. One of the biggest challenges the institute has heard about from the membership is the principle-based rules around things such as consent. These gray areas are challenging because there is no easy “yes” or “no,” according to Fluskey.
Direct marketing and fundraising communications for email and text require consent under the regulation, but mail and telephone communications can still be lawfully conducted on an opt-out basis provided a charity can justify it under a “legitimate interest.” That legitimate interest essentially allows entities to process individuals’ personal data without affirmative consent, direct marketing being one such interest. Some charities are playing it safe by moving toward an opt-in model for all communications, according to Fluskey. Those that have made such a switch have done so with large-scale, detailed marketing and communications plans that have been rolled out over several months.
“It’s got to be thought through and a longer-term process. If you try and switch from ‘opt out’ to ‘opt in’ overnight you’ll probably give a poor experience to people and lose contact with a lot of supporters,” Fluskey said.
Other elements of note include risk assessments and mitigation actions that might be required for activities of higher risk for individuals’ data and limitations on donor profiling. Charities must understand that data protection covers more than fundraising activities, but also data on beneficiaries, service users, volunteers, and the like, Fluskey said. Organizations are currently in the process of evaluating and upgrading administrative systems and constituent databases with an eye on better recording and securing data.
Profiling donors is not prohibited under current law or the GDPR, according to Fluskey but organizations must have a lawful basis for profiling and must inform individuals that their data is being used to target them. Individuals must also have the ability to object to such efforts. Charity leaders are adjusting by reviewing and redrafting privacy policies and actively communicating with supporters and prospective supporters with an eye on transparency.
Fluskey noted that it is possible that European charities will see a reduction in fundraising revenue while seeking to comply with the new regulations, but much can be done to mitigate those negative effects. Opt-out communication is still viable, provided “legitimate interest” is satisfied, so it won’t be as if organization fundraisers and marketers will wake up on the morning of May 25 with a slashed-and-burned file.
One area that Fluskey sees some issue with is long-term supporters. The GDPR will likely make it more difficult for organizations to remain in contact with individuals over several years without some sort of reconfirmation that they wish to continue hearing from the charity — passively reading newsletters and emails without an affirmative action such as donating being an example of such a supporter.
Much of the GDPR stems from the 1995 directive, said Joe McNamee, executive director of European Digital Rights (EDRi) headquartered in Brussels, Belgium. The problem with the directive was that it obligated member states to implement legislation and rules respective to the directive. The directive was interpreted in a variety of ways – leading to 28 different laws and member states possessed differing implementation bodies capable of sanctioning poor behavior to disparate degrees. Clarity on how the rules applied to digital data collection and use were also unclear, according to McNamee.
Charities that are transparent about their use of data and respectful of those whose personal data they process have little to fear from the regulation. — Joe McNamee, European Digital Rights (EDRI)
In addition to being more directly-applicable across nations, the regulation is more detailed and features new elements, such as the rules on profiling. McNamee described emphases on consent as a lobbying spin and said that the legal grounds for processing data are largely unchanged from 1995. Organizations tend to misunderstand “free and informed consent,” he said, which does not include practices such as pre-checking check boxes, not explaining how data will be used, and collecting unnecessary data.
Similarly, the “right to be forgotten” existed in the directive – meaning that entities are already required to comply with requests for data deletion, only use data for the purposes in which it was collected, and only store data needed for specific reasons. Organizations not doing these things are in breach of existing law, McNamee said.
“Charities that are transparent about their use of data and respectful of those whose personal data they process have little to fear from the regulation,” McNamee said via an email. “However, charities with bad security practices, bad habits like pre-checked boxes as ‘consent’ and inadequate information about the sources of and use of data should very carefully consider the reputational cost of failing to update their practices.”
McNamee added that EDRi works in cooperation with numerous peer organizations worldwide. The GDPR, like the 1995 directive, encourages non-EU nations to adopt similar rules to share data across borders and avoid potential restrictions. At the same time, there have been efforts both inside and outside the EU to undermine the GDPR, he said.
For Oxfam International, secretariat of a confederation of 20 affiliates including nine in European nations, data protection applies to the identifiable information of millions of individuals, according to Michael Duggan, global chief information officer. Some of the most sensitive information charities hold relate to program beneficiaries, of which Oxfam has 25 million worldwide. Additionally, Oxfam affiliates handle the data of supporters and a combined 10,000 employees and 52,000 volunteers.
Oxfam International affiliates operate as separate entities. Fundraising asks are conducted on a nation-by-nation basis. A fundraising ask in Germany is conducted by Oxfam Germany. A donor in one country might occasionally donate to a different affiliate, but efforts are made to ensure that residents’ data remains with their respective affiliate.
European affiliates have complied with the data protection laws of each respective country, Duggan explained in an email, but the GDPR’s harmonizing of those rules and imposition of new requirements has presented several challenges. For one, each affiliate is an independent entity with its own governance structure and is thus required by the regulations to comply as its own entity – including the appointment of an organizational data protection officer. The GDPR also has Oxfam International leaders evaluating work in responding to the continent’s migrant crisis as it applies to all EU residents, including migrants.
Oxfam International has offered confederation- wide support, training, and best practices to help affiliates comply with the regulation. One step has been the rolling out of Privacy Impact Assessments for systems holding personally identifiable data. Standardized examinations’ focuses include technology, business rules, auditability, security, and legality. This process is made complicated by the increasing use of cloud-based solutions, according to Duggan, making it possible that processes are removed from the actual location of the data. The movement of data must be understood and reflected in contractual agreements with providers to ensure compliance. These assessments might lead to changes in the data stored, software, and cloud or on-premises equipment used by affiliates, Duggan said.
Steps are also being taken to ensure that online and offline asks for personal information are clear and permission- based. The so-called “right to be forgotten” has some associated challenges as it intersects with conflicting legal requirements such as holding on to banking transactions.
The key to complying with the GDPR through organizational practices will be to have “privacy by design,” he said. That means being able to quickly and easily locate and manage personally identifiable data.
Mercy Corps Europe uses a compliance tracker and coordinates with its Audit & Risk Committee, retained legal firm, statutory auditors, and peer organizations to follow legislation relevant to its operations, according to Alexandra Angulo, director of compliance. Those efforts meant that the new regulations did not come out of nowhere.
The Edinburgh, Scotland-based organization already operates under an opt-in model for both email and phone communications, Angulo said in an email. Mercy Corps Europe is also working to obtain opt-ins for direct mail purposes and are giving individuals an opportunity to opt out of any communication at any time. Relating to one’s “right to be forgotten,” Mercy Corps Europe is committing to the deletion of all records at individuals’ request with the exception of financial information that must be retained by law for a period of seven years.
U.K.-based organizations such as Mercy Corps Europe will still be held to the European standard despite Brexit, Angulo said, a recent House of Lord’s Committee meeting confirming as much.
“We believe that [organizations] can build stronger relationships with their donors by having two-way conversations and it is best practice to engage with supporters in a responsible, consensual manner,” Angulo said, adding that Mercy Corps Europe agrees with the new regulations. “The regulations will contribute to increased professionalism and trust in the fundraising industry and empower fundraisers to find new wages to engage with donors.”
Steps on the data-storage side include a new high-security, cloud-based option. All organizational devices, including laptops and mobile phones, are also encrypted. Mercy Corps Europe already has policies in place relating to data storage including the deletion of data that is unnecessary are past the date of retention. Such policies are reviewed annually.
Mercy Corps’ Portland, Ore.-based office has not had to face the reviews and pressures associated with the new regulation as the organization has a clear, legal division between its U.S. and European donor bases, Angulo said. That means that if a European donor is interacted with, that contact is managed in its entirety by the organization’s European office. Mercy Corps leadership, from a global perspective, has taken the EU GDPR as a barometer to assess policies and procedures from a best-practices perspective.
American organizations have largely been unaware of the new European regulations, according to Elizabeth Zeigler, CEO of Graham-Pelton Consulting, a firm with offices in the U.S. and U.K. specializing in fundraising and nonprofit management. Some key elements for unfamiliar parties to understand include the evaluation of risk and consent.
Understanding the risk associated with data activities comes down to three questions according to Zeigler: What data is the charity holding? How is it being used? and, How is it being stored? Above all, charities must provide clarity, added Christian Propper, senior consultant in the firm’s U.K. office. That means receiving permission to hold data, responsibly storing it, and providing transparency on how that data are being used.
Propper described consent as a complex area — one that direct marketing won’t be able to protect as a catch-all. For instance, U.K. law states that direct marketing is advertising directed at particular individuals. In other words, if marketers are throwing spaghetti at the wall hoping something will stick — that isn’t direct marketing. Deciding how to go about receiving consent is something that organizations will have to evaluate based on the preferences of their constituencies, Propper said. Are donors more likely to be receptive to numerous, incremental requests for permission or one, giant all-or-nothing policy?
Propper additionally noted that, during the implementation process, he’s been struck by the different perceptions around data usage among organizations and individuals. A charity might, for instance, think it obvious that they would use a donor’s information to try to deduce their individual giving capacity. The donor, on the other hand, might have given $10 just because they felt like it and thought of no greater effect.
“It’s a great opportunity for charities to build trust in their brand by explaining and being clear about how they use individuals’ data,” Propper said.
Not taking such matters seriously could put a large dent in organizations’ wallets. Fines for failure to comply can reach up to 4 percent of the organization’s global annual revenue or €20 million ($23.5 million U.S.), whichever is greater. High-end fines generally relate to high-volume violations in which thousands are affected and the organization knowingly did something wrong, like continuing to phone individuals who opted out of such contacts. The U.K. Information Commissioner began fining charities toward the end of 2016 for acts such as selling or buying data without permission, Propper added. The fines were later significantly reduced, but grabbed the attention of organizations.
Many potential issues can be avoided so long as U.S. organizations with constituencies in the EU inform their constituents how data is being used, Zeigler said. Doing both avoids infuriating European supporters and demonstrates a level of understanding by coming off as an informed party. U.S. fundraisers often take for granted available information under the belief that it is their job to engage and cultivate supporters. Zeigler herself didn’t think of many of the issues from the donor perspective until researching the GDPR.
“To me, it’s communication and awareness and the sensitivity people feel,” she said. “In Europe, there is a different sensitivity to data. When you think about the tools fundraisers have at their disposal, especially in the United States, and how common it is for nonprofits to screen participants on how much money they make…it’s a very personal topic for a lot of people.”