GDPR compliant? Over one third of charities still need to sort out their data collection before the May deadline.
As the GDPR clock ticks round towards midnight, we thought we’d take a quick look at how the charity sector is shaping up on data collection, specifically the old ‘opt-in' and 'opt-out’.
The deal with GDPR is that consent needs to be actively given and it needs to be unambiguous. 'Opt-out' approaches, where pre-checked tick boxes automatically sign the user up to an email list won't cut it under GDPR.*
For consent to be valid, it will need to be freely given, specific, informed and an unambiguous indication through a statement or clear affirmative action, such as actively ticking a box.
The Guardian
And, neither will tricksy approaches, like asking people to check one box ‘if they want to receive communications by email’ and to check the next box ‘if they do not want to receive communications by post’.
We know the ICO is prepared to fine charities. The difference is that after 25th May 2018 under GDPR regulations the fines could go nuclear! So, do charities have anything to worry about?
The good news is that quite a few have already put their houses in order. However, a big proportion have work to do before 25th May 2018. We checked forms on thirty six charity websites** and here’s what we found:
Twenty-two used the appropriate ‘opt-in’ only approach; eleven used mixed 'opt-in' and 'opt-out' approaches and four used exclusively ‘opt-outs’. So, based on that sample, over one in three charities still need to make changes to comply with the letter and/or the spirit of the GDPR, with under three months left until the data protection law changes.
Will charities lose out as a result?
Probably, yes. Ed Aspel, executive director of fundraising and communications at CRUK, said that an 'opt-in' approach will cost it “tens of millions of pounds” over the next 5-10 years. Although some charities are reporting less of an impact than they expected.
Despite initially predicting losses of “36 million" RNLI are now reviewing their estimates after better than expected opt-in responses. Fundraising director Tim Willet said over 450,000 people have already opted into communications, double the figure projected.
We believe that if you ask well enough, you can still see positive levels of 'opt-in'.
The more complex question, of course, is whether you can continue to message supporters who didn’t actively 'opt-in' when they signed up - perhaps they signed up at a time where you were using an opt-out form. But that's one for another time.
If you'd like our help redesigning your forms to make them compliant AND to minimise drop-off, then please get in touch.
* Some organisations we looked at might have decided that they can use an 'opt-out' for similar product marketing based on the legitimate interests justification. I am not a lawyer, but I don't think that represents the spirit of GDPR in the examples we are seeing in this article. But you decide, the ICO advice says:
"You must balance your interests against the individual’s interests. In particular, if they would not reasonably expect you to use data in that way, or it would cause them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the individual’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the individual."
** The charities we reviewed were: Action for Children, ActionAid, Age UK, Alzheimer’s Society, Anthony Nolan, Arthritis Research UK, BHF, Barnardo’s, Breast Cancer Now, CLIC Sargent, Children’s Society, Concern Worldwide, Dementia UK, Dogs Trust, Girlguiding, Guide Dogs, Independent Age, Kidney Research UK, MS Society, Marie Curie, Mencap, Meningitis Research Foundation, Mind, NSPCC, National Autistic Society, National Childbirth Trust, National Deaf Children’s Society, Parkinson’s UK, Practical Action, RNIB, RSPCA, Samaritans, Scout Association, Sightsavers, Sue Ryder, WWF.
