This report features the findings from research into 45 Privacy Policies from UK-based charities. Following the ICO’s actions against two major charities in December, we’ve analysed each one against a set of 9 measures that:
- Are of concern to the ICO.
- You will need to have in place for GDPR in May 2018.
Please find the formatted PDF here or continue reading for the plain text version below.
Privacy Policies & GDPR: How Does Yours Measure Up?
In response to the Information Commissioner’s Office (ICO) ruling on the British Heart Foundation and the RSPCA, we have put together this report. We wanted to do something to help our charity clients and the whole sector, when it comes to data management.
We are not lawyers, and wouldn’t begin to advise charities on the wording of Privacy Policies, especially as every policy should be unique to an organisation: an explanation of its own processes for how it collects, stores and uses data.
Since 1998, we’ve had the Data Protection Act in place. Next year we will have the EU General Data Protection Regulation (GDPR). And with these rulings by the ICO, it feels like the spotlight has been placed on charities to ensure they demonstrate best practice and show that they’re doing their very best by their beneficiaries and supporters.
We thought about what we could do to help charities identify any gaps in their own Privacy Policies, to make sure that they’re as good as they can be.
That’s why we’ve produced this report, ‘Privacy Policies – How Does Yours Measure Up?’
We’ve looked at Privacy Policies across 45 different UK-based charities. We’ve read the findings of the ICO rulings and established where they considered the two charities to be lacking. We’ve also researched the requirements of GDPR in an aim to help you prepare ahead of 25th May 2018.
We’ve aggregated the results and presented the percentage findings based on nine different measures. Using these could help you to make a comparison: to find out if you are protected, to see what steps you need to take to communicate with your supporters and increase engagement between you, and to strengthen the trust they place in you.
For more information about how we help charities rethink supporters’ data and improve outcomes, drop us a line or give us a call. We’d be delighted to help.
In this research, we’ve assessed the Privacy Policies of 45 UK-based charities against the following nine measures:
The use of profiling is one area of data analysis that can be misconstrued by the market. Donor profiling should be about communicating with supporters by presenting them with the right message, at the right time. The ICO expresses that you need to be transparent about the personal information you collect, especially if you use it for insight by enriching it with other publicly available information for which consent has been obtained. This is the opportunity that consent provides for charities. If you can engage with supporters, and let them explicitly grant use of their data for specific purposes, then deeper engagement and trust can follow.
The sharing of data was part of the ICO’s ruling. One reason why charities might not include the reference to sharing data is because it is prohibited, without explicit consent, in the Fundraising Regulator’s Code of Fundraising Practice: “Even if not for payment, organisations MUST NOT share the personal data of an individual with any other organisation for that organisation’s marketing or fundraising purposes without the explicit consent of that individual to the sharing of the personal data with that other organisation or other specified types of organisation.” 
As charities prepare for GDPR next year, we thought it would be useful to look at what practices and policies need to be in place for the 25th May 2018. One of the fundamental principles of GDPR is including how data will be used. This overlaps with current legislation and the ICO rulings.
This is more than preferences for communication use; it covers the use of personal data, anonymised or identified, in research, for insights and for fundraising or service provision.
In the past, how data was collected was relatively straightforward. However, as the number of communication channels continues to grow, so has our potential to gather data from multiple sources. This presents an opportunity, but it is also the area that raises most concern with supporters and the public. Transparency about how data is collected is essential.
8 Does your charity give details of how long you keep data on record?
The current regulation and guidance from the ICO says data should be retained for “no longer than is necessary for the purpose you obtained it for”. Research from Data IQ in 2016 showed that 21% of consumers believe that consent is only valid for 6 months.
While this enables data to be disposed of, it presents a challenge for charities: they need a system that stamps when consent for data was obtained, so that the data can later be disposed of safely and securely. This element is key for the new GDPR. It is essential that charities consider how long they retain their data for and can show this period has been considered and documented.
 Source: GDPR – Identifying its impact on marketers and the consumer’s moment of truth Data IQ 2016
9 Do you include a Data Controller or Processor contact?
Only a couple of charities gave a named contact who controls or processes data. This is one of the most significant changes of the regulation. By naming a controller or processor, charities need to be aware that sanctions can be brought against the controller or processor, as well as against the charity itself.
Privacy, Trust and GDPR
We hope that our research of these nine different measures will help you to identify the gaps, if you have them, in your own policies and procedures. It sets out the requirements as they currently stand and what charities need to do in preparation for GDPR.
In May 2018, charities will need to show:
- What data has been collected?
- Why is the data being collected and its purpose?
- Who is using the data?
- When was the permission granted or changed (date)?
- Where was the permission granted (source)?
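As an added illustration that is not part of the original report, the consent-stamping system described above can be modelled as a small register in Python: each record carries the what, why, who, when and where of a permission, and the stamp plus a documented per-purpose retention period decides what is due for disposal. The retention periods, field names and supporter records below are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Documented retention period per purpose, in days. Constructed placeholder
# values for illustration only; a real policy sets and documents its own.
RETENTION_DAYS = {
    "fundraising": 730,
    "research": 365,
    "service_provision": 1095,
}

@dataclass(frozen=True)
class ConsentRecord:
    supporter_id: str            # who the record is about
    data_fields: tuple           # what was collected
    purpose: str                 # why it was collected
    granted_on: Optional[date]   # when permission was granted or changed
    source: str                  # where it was granted (web form, event, phone)

def disposal_review(records, today):
    """Split records into (expired, needs_review, retained).

    expired:      retention period for the purpose has elapsed; due for secure disposal
    needs_review: no consent date stamped, or purpose has no documented period,
                  so a retention limit cannot be computed safely
    retained:     still within the documented retention period
    """
    expired, needs_review, retained = [], [], []
    for rec in records:
        days = RETENTION_DAYS.get(rec.purpose)
        if rec.granted_on is None or days is None:
            needs_review.append(rec)
            continue
        limit = rec.granted_on + timedelta(days=days)
        (expired if today >= limit else retained).append(rec)
    return expired, needs_review, retained

def review_report(records, today):
    """Return supporter ids per outcome, ready for a disposal log."""
    expired, needs_review, retained = disposal_review(records, today)
    return {"dispose": [r.supporter_id for r in expired],
            "review": [r.supporter_id for r in needs_review],
            "retain": [r.supporter_id for r in retained]}

# Constructed sample register and review date (not real supporter data).
SAMPLE = [
    ConsentRecord("S001", ("name", "email"), "fundraising", date(2015, 1, 10), "web_form"),
    ConsentRecord("S002", ("name", "postcode"), "research", date(2017, 2, 1), "event"),
    ConsentRecord("S003", ("name", "phone"), "fundraising", None, "phone"),
]
REVIEW_DATE = date(2017, 3, 1)
```

Records without a stamp are never silently retained or deleted; they are surfaced for review, which is the gap the stamping system exists to close.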
These measures focus on compliance. No wonder, as there is a considerable risk to charities if they get it wrong. So, of course, compliance is important but compliance should be the baseline, not the aspiration.
Complying with GDPR is inevitably going to involve increased work, time and cost in implementing the strategies and processes required. Yet, if done in the right way, the opportunity it creates to build or strengthen trust could well outweigh these costs.
Trust can mean many things, from transparency of how much the charity’s CEO is being paid, to what percentage of the funds raised are being spent on good causes or who the charity is sharing data with.
There have been reports that trust in charities is in decline. Research by the NCVO shows that 36% of people show a lack of trust that charities will only make contact where permission has been granted. The high-profile rulings of the ICO may only exacerbate this sense of distrust.
Now is the time not just to protect your charity but to go a step further: to build and deepen the trust your supporters have. Improving your consent capturing procedures and updating your policies will provide you with an excellent opportunity. An opportunity to seek your supporters’ permissions. An opportunity to engage at a deeper level. An opportunity to create a value exchange where both the supporter and you – the charity – benefit. And therefore, your beneficiaries.
 Source: NCVO Working Group Recommendations – Sept 2016