Remind me – what is GDPR?
GDPR stands for General Data Protection Regulation and it came into force on 25 May 2018. It's designed to strengthen the protection for people's data and means that we need to make sure that we know what data we hold on people, why we are holding it and have their agreement for our use of it.
Why is it important?
In terms of data protection, the rules are the same for charities as they are for any other organisation. Under the GDPR, the Information Commissioner’s Office (ICO) has a range of enforcement powers, from performing a data protection audit to levy a fine for serious incidents (up to 4% of income). Recently, it has been particularly focused on the use of data for purposes other than that for which it was collected: a number of prominent charities have had action taken over their fundraising activities because of this. The important thing to remember is that you should be only using data for the purposes that you told the person whose data it is when you collected it.
Do I need to worry about it?
Not worry, but you need to have considered it. You need to be confident that if you hold anybody’s personal data for work purposes, such as an email address, that you can demonstrate why you have that and why it’s ok to contact them.
I’m hearing a lot about us needing to gain consent from individuals. When and how do I do this?
Consent should be the last basis we consider for holding data. We should try to rely on other legal basis first such as having a contract with them or having a ‘legitimate interest’ (see below) before turning to consent. GDPR sets a high standard for consent. Genuine consent means offering people real choice and control regarding their data: that individuals have been given the information they need to be clear on exactly what they are signing up to. It is important to do this up front, such as on a web form when someone signs up to a campaign or newsletter.
Relying on vague or too broad a consent could destroy trust and harm our reputation – and may leave CPRE open to large fines.
Do I always need to gain consent to contact individuals?
No. You won’t always need consent. For example, you don’t need it for postal marketing but you will need consent for some calls and for texts and emails. You can rely on ‘legitimate interests’ for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.
What does ‘legitimate interests’ mean?
Legitimate interests is the most flexible lawful basis, but you cannot assume it will always be appropriate for all of your work. This refers to when we decide we have people’s permission to contact them because of their degree of involvement in the past with us. For example, national CPRE wrote to all our supporters to confirm we will still contact them because they have a ‘legitimate interest’ in hearing from CPRE due to their past or current involvement. However, please note that legitimate interest is not a possible option for email and telephone marketing contact – only for post.
If you choose to rely on legitimate interests, you take on extra responsibility for ensuring people’s rights and interests are fully considered and protected.
Legitimate interests is most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact.
You should avoid using legitimate interests if you are using personal data in ways people do not understand and would not reasonably expect, or if you think some people would object if you explained it to them.
But isn’t that all in thankQ (the national CPRE database from which branches receive their membership movement reports)?
Yes, for the majority of cases it would be. However, we understand there may be occasions where branches hold data on individuals in other ways such as spreadsheets or on paper. If this is the case, this should be highlighted in your ROPAs.
What are ROPAs and why did we have to do them?
The Record of Processing Activities (ROPA) document is a tool for each branch to think about the data you hold and process, the reasons behind collecting the data, how you use the data, how its stored - and to assess if the current methods across these areas are compliant or not. If they aren’t, you need to ensure you are looking at how you can become compliant.
What have we already done at national CPRE to become GDPR compliant and what is planned?
CPRE have recruited a data protection specialist company, Protecture, to support CPRE following all the necessary processes to ensure we are compliant. Most branches attended their presentation and you can find the copy of the webinar here and the slides here.
A national CPRE project group was set up along with a sub-committee of the Board, which included two trustees. These groups are making sure we are all working towards compliance across the CPRE network.
All national CPRE departments and branches were asked to complete their ROPAs (Record of Processing Activity). From this, information was gathered with regards to how data is currently obtained, stored and used. ROPAs have also been linked into the Privacy and Data Protection Policies written.
For individuals we have on our ThankQ database that have a postal address, national CPRE sent them a letter explaining that they will continue to receive marketing materials/information from us under legitimate interest. In this letter, where possible, we also asked individuals to provide their consent via other methods of contact (that is, email and phone).
A series of four emails went out to those we have email addresses for, beginning on Saturday 5 May 2018 and finishing a day before the deadline (24 May). This email asked individuals to opt-in to receiving email marketing from CPRE (that is, both national CPRE and branches). For our members that do not opt in, they will still automatically receive information we must legally provide them (such as AGM information), but they will not be able to receive any email marketing information from now on.
The Data Protection Policy was reviewed by the sub-committee of trustees on 11 May 2018 and subsequently approved by the national CPRE Trustee Board.
All external-facing avenues we currently collect data on (such as web forms on the CPRE website) have been assessed to make sure there is appropriate wording on all platforms.
We have been supporting the network to ensure branches are also compliant, via training, a toolkit of resources and a webinar.
Is there anything I won’t be able to do after 25 May 2018 that I do now?
Quite possibly. For example, you won’t be able to contact a supporter for marketing purposes if you haven’t since asked them to re-consent.
What happens now (after 25 May 2018)?
It is important to note that the work around GDPR does not stop after 25 May 2018. This piece of work is ongoing and it is essential that everyone within the organisation understands the important part they play in this. Further work will continue on new policies and procedures to ensure we are using data appropriately.
OK, I’m panicking – so I’ve decided to ignore it…
DO NOT IGNORE IT. You need to think carefully about how and why you are using data to ensure CPRE is not at reputational risk or at risk of being fined. If you have any questions please use the Protecture membership portal, available at: https://members.protecture.org.uk/ . You will need the following details to gain access:
Username: This email address is being protected from spambots. You need JavaScript enabled to view it.
Password: CPREGDPR2018
This will provide you access to useful templates, policies, guidance and further information – please do have a browse around.
