Ten top tips for getting your data GDPR-ready
A lot of the organisations I speak to are concerned that their supporter data is not yet GDPR-compliant, and that they don't know the right questions to ask to help them get it that way.
Here's my top ten for getting your data GDPR-ready.
1) Do you know what you have?
Do you know what personal data you hold? For example: name, address, phone number, email address, card/bank details, and records of interactions. In addition, do you know when each person first contacted you and what permission statement they would have seen at the time? It is very easy to underestimate the amount of supporter data you hold, but under the GDPR data must be managed properly or you will face fines, so you need to know exactly what you have.
2) Why do you have it?
You also need to be clear as to why you are holding any given piece of data. Is it necessary for you to help the consumer, or is it relevant to their interaction with you? If it is not necessary, then you need to make a judgement call as to why you continue to hold it.
3) Where is the data held?
You also need to know where every piece of data you hold comes from, and where it is stored, so that you can access it and prove you hold it legitimately if asked under the GDPR. For example, if someone wants to invoke the right to be forgotten, to withdraw consent, or to see what you hold on them, you need to be able to respond to these requests, and to do so in a timely fashion. A subject access request, for example, must be answered within a month of receipt under the regulation.
4) What are your grounds for processing data: are you using consent or legitimate interest?
Under the GDPR, you will need to prove that you have a lawful basis for processing personal data. A lot of people are talking about legitimate interest and questioning what this covers. The GDPR does state that 'the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest', with other reasons including legal obligations such as suppression, so you need to decide if you are going down a consent route or one of legitimate interest and follow the rules accordingly.
5) Can you prove these grounds?
The GDPR requires you to be clear and transparent with individuals about how their data is collected, how it is processed, and the lawful grounds on which you are doing so.
6) If someone asks you not to contact them again, can you confidently abide by their request?
Individuals have the right to withdraw consent at any time under the GDPR, so you need to provide easy ways for people to do this. They also have 'the right to erasure' so you must also be able to comply with this, which is where having immediate access to all of an individual's records through a single supporter view can really help.
7) If someone asks you "tell me everything you know about me and do so in 30 days", can you answer:
- When they were recruited
- What channel they were originally recruited from
- What permission statement they saw
- Can you prove all of this?
- Can you also provide any internal emails or comments made pertaining to this individual?
Individuals have the right to see the personal data an organisation holds on them if they make a subject access request in writing, and they are likely to want to know the answers to these questions, so you must be able to answer all of them – and more.
8) Do you have a single view?
A single supporter view makes it a lot easier to answer the above points and to meet requests for ceasing contact. It enables you to access every bit of information you have on a supporter and to track all of their communications with you across all channels. This is vital not only for good supporter management but also for helping you comply with the GDPR because it will make it much easier to record and access consent choices, and to ensure that when you interact or communicate with a supporter, every action is traceable.
9) Assess & prioritise
Taking time to answer the above points will help you to assess exactly where the gaps are for your organisation, and what you therefore need to address. Once you have worked this out, prioritise which ones you deal with first, based on those that pose the greatest risk to your organisation.
10) You may not need to re-invent the wheel
Much of what will be expected under the GDPR is already included in the Data Protection Act and the Code of Fundraising Practice, so the good news is that you are unlikely to have to start from scratch. There are some important additions with the GDPR, of course, in particular around grounds for processing, levels of proof and accountability rules, with a number of points still requiring clarification. However, once you are able to answer these questions positively, your organisation will be on the road to meeting May 2018 with greater confidence.
Suzanne Lewis, Managing Director, EDM Media UK