Conference presenter warns fundraisers to plan for GDPR-like law in Australia

New privacy laws affecting fundraising came into effect in the European Union in 2018, known as the General Data Protection Regulation (GDPR). Olivia Jary explains what it was like to live through GDPR implementation and how to be ready if something like it comes to Australia.

Olivia Jary, now fundraising and marketing director at Sydney Children’s Hospital Foundation, spent two years helping a London hospital foundation to meet new requirements for how organisations manage and process donor data.

She told a packed room at the FIA Conference 2020 in Brisbane that the General Data Protection Regulation (GDPR) is relevant for every fundraiser.

“We should be getting ready for it to land here,” she said.

GDPR came into effect in the European Union on 25 May 2018. It was the biggest overhaul of data protection legislation for 25 years and introduced new requirements for how organisations process and manage personal data in the EU.

Australian organisations that process and hold donor data about EU citizens (physically or in the cloud) have to abide by GDPR or face stiff fines. They also currently have to follow the Australian Privacy Principles (APP7) around personal data when it comes to direct marketing. Still, Jary believes it’s an opportune time for fundraisers to review processes to ensure they’re ready for legal requirements as well as to help give their supporters a good experience.

While stressing that GDPR was complicated, Jary believes the new law was a good thing for the UK. It came three years after the Olive Cooke scandal of 2015, in which the tabloid media blamed aggressive charity fundraising tactics for Mrs Cooke’s suicide.

“The media coverage and public outrage that followed was relentless and brutal towards charities. Mrs Cooke’s death was a sign that things needed to change. Charities live and breathe on trust and need to be authentic. We didn’t have that and were losing ground daily,” she recalled.

“GDPR was about putting the choice and control back in the hands of consumers regarding their personal information. It set a new era in fundraising in the UK, and a lot of positives came from it. The regulation is daunting, and it was hard on those of us trying to raise money, but it’s not all doom and gloom. For charities, it was a real opportunity to rebuild trust,” she said.

“We needed every day of the two years leading up to the implementation to get ready because we had so much collateral and so many people in our database.”

For Great Ormond Street Hospital Foundation, the review and clean-up of its database and processes resulted in reduced costs and time savings.

“It meant we knew where to put our time. Once we understood our data and who wanted to engage with us, we had better ways to communicate and could focus on the individual donor journey. It was a game-changer and resulted in more money to the cause,” she said.

“You no longer have to worry about uninterested people because you’re only contacting people who want to hear from you. Imagine what that does to your response rates, ROI and fundraising streams.”

Jary also felt GDPR was a significant step in the professionalisation of the sector.

“If your organisation hasn’t been taking donor privacy as thoughtfully as it could, this is an excellent time to review and establish sound policies and practices. Even if you have well-established systems in place, it won’t hurt to check them over.”

Here are a few thoughts from Jary on what you should do to be donor friendly and to get ready for an Australian-style GDPR.

Be prepared. The Australian Privacy Principles already require that donor data be protected. Take this time to review how you process donor data and put plans in place for any changes you might need to make. The Commonwealth government would likely give organisations at least 18 months to get their houses in order.

Adopt a whole-of-organisation approach. You need to take a holistic view of all your data. Don’t look at it in isolation or silos. Arrange an audit of the personal information you hold, how you got it, and who you share it with, so you know what steps to take next.

Data is everyone’s responsibility. At first, Jary thought she didn’t need to know about data because her job was “all about relationships.” However, she was quickly disabused of that notion, learning that fundraisers, both staff and volunteers, have the responsibility to ensure the integrity of their data, with everyone trained to protect donor data.

GDPR affects every part of a charity. Think about your solicitation statements and all your collateral because every communications piece will need to change. What will your audit mean for your budget, marketing strategy and beneficiaries?

Clean up your database. Now is the time to focus on data integrity. Clean up your database and de-list the people who don’t want to hear from you. There will be cost savings, because you’ll only be dealing with people who want to engage with you. Recruit a couple of people with data analytics and governance experience to help.

Consider how you are asking for consent. You need to explain why you are collecting personal data from the donor and how you plan to use it. If you plan to make data available to third-party suppliers, you need to get the donor’s consent for that under GDPR.

For consent to be valid, it has to be specific and given through a clear statement or affirmative action such as ticking a box.

Provide access to personal data. One of the key elements of GDPR is the emphasis it places on users’ right to access the data you have about them. This means donors can request at any time to check their information and ask what you do with it. Plan how you will handle any requests so that it is not a difficult task for your staff.

Consider your suppliers/partners. When was the last time you trained them? What quality of processes do they have in place for donor processing and protection? What does your contract with them say about privacy, and who is responsible for what?

“They need to be on your page because they could cause you brand damage if not,” warned Jary.

Be mindful of data breaches. In 2019, the international hotel group Marriott received a $123 million fine in the UK for a data breach, while British Airways faced a record $329 million fine for a cyberattack that impacted 500,000 customers. In the UK, you have 72 hours to report a breach, and individuals whose information might be compromised have a right to be informed. You need to have the right procedures in place to detect, report and investigate a personal data breach. Ensure you understand the definitions and interpretations of data breaches. It will be essential to keep on top of developments in this area.

Australia already has its own Compulsory Data Breach Notification scheme in place. Are you across it?

Have a crisis plan ready in case of a data breach. How well is your organisation equipped to respond if you have a data breach? You need to be prepared with your communications team on how to manage a breach if it should happen.

Work with other charities. Jary said GDPR was complicated and hard to understand. “We spent a lot of time in consortiums with other charities to get on the same page because it’s a whole-of-sector issue. We figured the regulator couldn’t single out one organisation if all of us had the same understanding and interpretations of the law. That support was important.”

Looking back now, GDPR put a strain on the UK sector, but Jary felt it was worth it.

“The media started to back off. There was not a lot they could say when GDPR came into effect.”

Jary concluded that she hoped the Australian media would never be as brutal as the UK tabloids were to their charities. But she warned we could see more negative coverage of the sector if fundraisers didn’t do the right thing by donors.