GDPR Privacy Policies: Does Yours Measure Up To Our Checklist?

This report features the findings from research into 45 Privacy Policies from UK-based charities. Following the ICO’s actions against two major charities in December, we’ve analysed each one against a set of 9 measures that:

  • Are of concern to the ICO.
  • You will need to have in place for GDPR in May 2018.
  • You can use to compare your own Privacy Policy.

We’ve looked at 45 Privacy Policies from UK-based charities. We broke down the rulings from the ICO and checked each Privacy Policy against their findings and in preparation for GDPR next year.

We assigned scores to 9 different measures so we can see how each Privacy Policy stacks up. To see if there’s cause for concern across the market. To provide you with information to check your own policy.

Every Privacy Policy is different because each one should reflect the policies specific to your charity and organisation. These 9 measures let you test your own Privacy Policy and find out how you measure up.

Please find the formatted PDF here or continue reading for the plain text version below.

Privacy Policies & GDPR: How Does Yours Measure Up?

In response to the Information Commissioner’s Office (ICO) ruling on the British Heart Foundation and the RSPCA, we have put together this report. We wanted to do something to help our charity clients and the whole sector, when it comes to data management.

Following the upheld action in December, we had concerned clients calling us about how this ruling would impact their use of data. One of the first questions asked was about their Privacy Policy. As publicly accessible documents, Privacy Policies are coming under intense scrutiny. Not just from the regulators, but also from the public, whose trust has begun to diminish as fast as their awareness of the value of personal data escalates.

We are not lawyers, and wouldn’t begin to advise charities on the wording of Privacy Policies. Especially as every policy should be unique to an organisation: an explanation of its own processes for how it collects, stores and uses data.

Since 1998, we’ve had the Data Protection Act in place. Next year we will have the EU General Data Protection Regulation (GDPR). And with these rulings by the ICO, it feels like the spotlight has been placed on charities: to ensure they demonstrate best practice, and to show that they’re doing their very best by their beneficiaries and supporters.

We thought about what we could do to help charities identify any gaps in their own Privacy Policies. To make sure that they’re as good as they can be.

That’s why we’ve produced this report ‘Privacy Policies – How Does Yours Measure Up?’

We’ve looked at Privacy Policies across 45 different UK-based charities. We’ve read the findings of the ICO rulings and established where they considered the two charities to be lacking. We’ve also researched the requirements of GDPR in an aim to help you prepare ahead of 25th May 2018.

We’ve aggregated the results and presented the percentage findings based on nine different measures. Using these could help you to make a comparison. To find out if you are protected. To see what steps you need to take to communicate with your supporters, and to increase engagement between you. To strengthen the trust they place in you.

For more information about how we help charities rethink supporters’ data and improve outcomes, drop us a line or give us a call. We’d be delighted to help.

GDPR Privacy Policy Checklist

A Privacy Policy sets out how an organisation collects, stores and uses personal information or data, and should be freely accessible. Any organisation undertaking these actions is required to abide by the Data Protection Act 1998 (DPA).

However, we are not here to give you legal advice. Every Privacy Policy should be created to explicitly state the policies of each individual charity.

In this research, we’ve assessed the Privacy Policies of 45 UK-based charities against the following nine measures:

1 Do you have a Privacy Policy?

After extensive searching, there was only one charity where we could not find their Privacy Policy online. Needless to say, we have been in touch to give them the heads up that this is something that needs to be fixed. Soon.

2 Is your Privacy Policy easy for supporters to find?

Privacy Policies should be readily accessible online for supporters and the public in general. In fact, the DPA stipulates that if you’re only collecting data for specified purposes you need to notify users through your Privacy Policy and that “they can access your Privacy Policy easily”.

So, we put this to the test. Our team of researchers went in search of Privacy Policies. Most charities placed their Privacy Policies clearly on the website, usually at the bottom of the home page. However, 23% made the supporter work quite hard to find their Privacy Policy.

3 Does your Privacy Policy mention the collection of personal data?

The collection of personal data was one aspect the ICO picked up on in its ruling. Our hypothesis before starting this research was that charities would, of course, mention in their Privacy Policy that they collect personal information. However, only 61% of charities stated the collection of personal data in their policy.

4 Does your Privacy Policy mention profiling?

The use of profiling is one area of data analysis that can be misconstrued by the market. Donor profiling should be about communicating with supporters by presenting them with the right message, at the right time. The ICO expresses that you need to be transparent about the personal information you collect. Especially if you use it for insight by supplementing it with other consented, publicly available information. This is the opportunity that consent provides for charities. If you can engage with supporters, if you can let them explicitly grant use of their data for specific purposes, then deeper engagement and trust can follow.

5 Does your Privacy Policy reference sharing of data?

The sharing of data was part of the ICO’s ruling. One reason why charities might not include the reference to sharing data is because it is prohibited, without explicit consent, in the Fundraising Regulator’s Code of Fundraising Practice: “Even if not for payment, organisations MUST NOT share the personal data of an individual with any other organisation for that organisation’s marketing or fundraising purposes without the explicit consent of that individual to the sharing of the personal data with that other organisation or other specified types of organisation.” [1]

6 Does your Privacy Policy include how data will be used?

As charities prepare for GDPR next year, we thought it would be useful to look at what practices and policies need to be in place by 25th May 2018. One of the fundamental principles of GDPR is including how data will be used. This overlaps with current legislation and the ICO rulings.

This is more than communication preferences: it covers the use of personal data, anonymised or identified, in research, for insights and for fundraising or service provision.

7 Does your Privacy Policy mention how you collect data?

In the past, how data was collected was relatively straightforward. However, as the number of communication channels continues to grow, so has our potential to gather data from multiple sources. This presents an opportunity, but it is also the area that raises most concern with supporters and the public. Transparency about how data is collected is essential.

8 Does your charity give details of how long you keep data on record?

The current regulation and guidance from the ICO says data should be retained for “no longer than is necessary for the purpose you obtained it for”. Research from Data IQ in 2016 showed that 21% of consumers believe that consent is only valid for 6 months [2].

While this enables data to be disposed of, it does present a challenge: charities need a system that records when consent for data was obtained, so that the data can be disposed of safely and securely once that period has passed. This element is key for the new GDPR. It is essential that charities consider how long they retain their data for and can show this period has been considered and documented.

[2] Source: GDPR – Identifying its impact on marketers and the consumer’s moment of truth Data IQ 2016

9 Do you include a Data Controller or Processor contact?

Only a couple of charities gave a named contact who controls or processes data. This is one of the most significant changes of the regulation. By naming a controller or processor, charities need to be aware that sanctions can be brought against the controller or processor, as well as against the charity itself.

Privacy, Trust and GDPR

We hope that our research of these nine different measures will help you to identify the gaps, if you have them, in your own policies and procedures. It sets out the requirements as they currently stand and what charities need to do in preparation for GDPR.

In May 2018, charities will need to show:

  • What data has been collected?
  • Why is the data being collected and its purpose?
  • Who is using the data?
  • When was the permission granted or changed (date)?
  • Where was the permission granted (source)?

These measures focus on compliance. No wonder, as there is a considerable risk to charities if they get it wrong. So, of course, compliance is important but compliance should be the baseline, not the aspiration.

Complying with GDPR is inevitably going to involve increased work, time and cost in implementing strategies and processes to comply. Yet, if done in the right way, the opportunity it creates to build or strengthen trust could well outweigh these issues.

Trust can mean many things, from transparency of how much the charity’s CEO is being paid, to what percentage of the funds raised are being spent on good causes or who the charity is sharing data with.

There have been reports that trust in charities is in decline. Research by the NCVO shows that 36% of people show a lack of trust that charities will only make contact where permission has been granted [3]. The high-profile rulings of the ICO may only exacerbate this sense of distrust.

Now is the time not just to protect your charity but to go a step further. To build and deepen the trust your supporters have. Improving your consent capturing procedures and updating your policies will provide you with an excellent opportunity. An opportunity to seek your supporters’ permissions. An opportunity to engage at a deeper level. An opportunity to create a value exchange where both the supporter and you, the charity, benefit. And therefore, your beneficiaries.

[3] Source: NCVO Working Group Recommendations – Sept 2016