With less than a month to go until the new General Data Protection Regulations (GDPR) comes into force on 25 May 2018, it is becoming increasingly clear that many charities remain uncertain and not fully prepared for the roll out, despite an obvious keenness to comply. In January this year, research carried out by the Department for Digital, Culture, Media and Sport found that only 44 per cent of charities had even heard of GDPR and only 26 per cent of those had taken steps to address it.
Considering how close the deadline is and the associated fines for non-compliance, we recently hosted a GDPR webinar aimed at sharing information and guidance to third sector organisations to help ensure they do not fall foul of their legal responsibilities before time runs out.
Nearly 500 people from charities registered for the event with 300 attending on the day for a workshop which included best practice advice from a panel of leading charities, who all discussed their successful journey to GDPR compliance, management of consent and what they felt were the most important aspects of the plan to meet regulation by the deadline.
During the webinar, attendees took part in a survey about their own GDPR planning, with worrying statistics revealing only five per cent felt truly ready for the new regulations and more than three-quarters (76 per cent) admitting there is still work to be done before they achieve full compliance.
In the face of these figures, and led by Charles Bagnall, our Head of Product for Charity solutions, the webinar highlighted how some of the country’s leading charities have successfully navigated their path to GDPR compliance, including the Muslim Charity, RSPB and Woodland Trust. For the Muslim Charity, getting data in one place by completing a rigorous data audit has been key to enable them to answer any questions about the data they hold.
When it comes to consent, which was identified as the biggest GDPR concern facing charities, top tips from the RSPB and Woodland Trust focused around robust and engaging communications. For the RSPB, its approach to consent has involved a continual and comprehensive programme across email and website in order to capture the relevant permissions. While the Woodland Trust has focused a lot of energy on consent message testing to identify the communications most likely to engage and drive action.
Data retention was another important point raised by the Muslim Charity and the RSPB; for the Muslim Charity, an effective data retention policy which explains why data is being held and for how long is critical. Similarly, the RSPB has linked their data retention to finances to take into account potential Gift Aid claims and financial audit requirements.
Despite the work that the Information Commissioner’s Office (ICO) has done on GDPR preparation, it’s clear that a cloud of ambiguity still exists across the third sector. Uncertainty around consent and data retention seem to be the resounding worries for charities, with many concerned that their potential fundraising totals will be affected.
The attendance figures for our webinar suggest that GDPR remains at the top of the charity sector agenda and it’s a comfort to see such a keenness to achieve compliance ahead of the deadline. However, while progress has been made, there is still a way to go before many are GDPR ready.
There is a wealth of information available to charities on GDPR – arguably, too much of it which has caused levels of uncertainty about precise details and resultingly has become a barrier to adoption. Hopefully, the charities who joined our recent webinar will have gone away armed with relevant information and insights they need to move forward with their GDPR plans with confidence and efficiency in time for the 25 May. We’ll be holding further seminars on GDPR, to share best practice on reviewing success of compliance, so please do get in touch if you would like to take part – or indeed share your successes and learnings.
