After what seemed like an eternity leading up to it, GDPR finally came into force on the 25th May 2018 with the aim of standardising the various regulations across the EU. It had a focus in the UK on clarifying how personal data can be used and what consent is required.
It’s tricky to determine what impact the new regulations have had such a short time after enforcement; however, with hefty fines being threatened for those who do not comply, it’s crucial that charities move towards compliance if they have not yet achieved it.
A poll hosted on our Twitter account just before the deadline revealed that more respondents were not prepared for the new regulations (33%) than those who were (25%), and an even higher proportion couldn’t say if they were prepared or not (42%).
Earlier this year we sat down with Bilal Ghafoor of Amber Information Consulting to ask him his thoughts on how charities can ensure they are compliant and what the key actions to take might be. One of his points was how organisations need to be able to demonstrate they were rolling out a plan of action at the time the regulations came into force, even if some of the processes had not been completed in full (as there are some elements that may take weeks or months to finalise).
Preparing for GDPR can be split into three main areas:
• Discovery – Understand the data you hold and your gaps against the new regulations
• Plan – Plan your remedial activities based on risk appetite
• Execute – Implement the changes needed to ensure compliance
We also recommend putting an effective risk management strategy in place to help your organisation make sure it is compliant with new regulations.
Being GDPR compliant is particularly important for charities given the fundraising landscape and the frequent control and processing of donor data. A media campaign towards the end of 2016 accused charities of targeting vulnerable members of the public, which led to a drop in public confidence in the sector, and the new Fundraising Regulator was born. The regulations they introduced led to the public needing to opt in for contact to continue. If the sector can get this right, it could be a real coup, but the jury is out on whether the public will engage at previous levels and provide consent to be contacted.