Denial, anger, bargaining, depression and finally acceptance…? Saying goodbye to unreliable donor data has been a long and painful grieving process for many charities. After years of sector reliance on questionably sourced personal information, there were whispers that the new GDPR requirements would mean the closure of some charities and the end of fundraising communications as we knew them.
So, after all the heartache and fear, what better way to mark 6 months of GDPR than to reflect on learning to date… And absorb a 6-month warning for the next piece of data protection legislation?
Learning from GDPR
With the new ePrivacy legislation slated for May 2019*, it’s time to look at what we can do as a sector to ensure we’re ready. At the Fundraising Regulator, we want to help ease charities through the transition. But if the process is to be smooth, we need to collectively learn the lessons from the process of communication that preceded GDPR.
An IoF member survey in September 2017 highlighted the inconsistent way in which information on GDPR reached the sector. It showed that with less than a year to go, the ‘vast majority’ of medium and large charities were implementing changes. In contrast, around a third of smaller charities said they had done nothing to get ready. This may not mean that they didn’t know about the changes, but it certainly suggests there were some barriers to them engaging with the changes and taking action. Perhaps more telling, regardless of the charity’s size, over three quarters of respondents cited a lack of clear guidance regarding the new requirements as a challenge in preparing for GDPR.
Research carried out more recently by consultants, NfP Synergy, suggested higher levels of GDPR readiness but this was by no means universal. On average, organisations rated their current level of GDPR compliance as 7.5 out of 10. While this may indicate some improvement over the year since the IoF research was published, it shows that many organisations still lack confidence in their data protection policies.
ePrivacy legislation is coming
The ePrivacy Regulation will supersede the Privacy and Electronic Communications Regulation (PECR), which applies to electronic communications such as email, text and automated telephone calls, with the aim of bringing it up to date and making it consistent with GDPR. There’s a way to go before its content is firmed up, but business-to-business marketing, telemarketing and instant/social media messaging services are among the areas likely to be affected. (You can find out more in this DMA article.)
This time we need to ensure that the third sector is ahead of the curve, not playing catch-up, when the new legislation comes into force. Communications about the emerging ePrivacy regulations need to be timely, clear and consistent for organisations of all sizes. But we also need ongoing and constructive dialogue between charities and regulators about the impact of changes, support needs and how those charities ahead of the curve are mitigating the risks, so that learning can be shared. The earlier the sector engages with the challenges, the more chance organisations will have to implement the necessary changes in good time.
As the detail of the ePrivacy rules becomes clearer, the Fundraising Regulator wants to hear from you about what the implications of the changes are for your charity and what you need to know to adapt your fundraising processes.
There’s still a lot of ground to cover before the ePrivacy legislation comes into force. Nevertheless, it’s time to start thinking about getting things in order for new data protection legislation…again.
Gerald Oppenheim and Stephen Service from the Fundraising Regulator will be hosting a workshop “Fundraising & GDPR: 6 months on” at the DSC’s Fundraising Now Conference on 28 November 2018.
*May 2019 is the earliest deadline for the legislation to be agreed. Following that there will be a grace period of 6-12 months for implementation.