thankQ CRM

NFP // thankQ CRM

10 questions not-for-profits
should be able to answer
about General Data Protection
Regulation (GDPR)

0845 345 3300 nfp@theaccessgroup.com theaccessgroup.com/thankQ

 thankQ CRM

NFP // thankQ CRM 2

10 point checklist to
prepare you for the General
Data Protection Regulation
(GDPR) which will apply
from 25 May 2018.
If you use personal data for fundraising or marketing purposes, you may be
aware that big changes are on the horizon. From 25th May 2018, youll need
to ensure your organisation complies with the General Data Protection
Regulation (GDPR).

This represents a significant enhancement to the UKs current data protection

legislation and will require not-for-profit organisations to take several steps
in preparation. If you are in the early stages of looking at the implications of
GDPR here are 10 questions you should ask yourself:

1. Does your organisation have a formal action plan in place?

2. Are you compliant with current data protection laws?
3. Are your privacy notices clear?
4. Is consent unambiguous?
5. Have you reviewed the quality of consent you hold?
6. Can you handle individual requests?
7. Are you checking peoples ages?
8. Do you have data breach procedures in place?
9. Can you demonstrate you are taking data protection seriously?
10. Where does responsibility lie?
 thankQ CRM

NFP // thankQ CRM 3

1 Does your
organisation
have a formal
action plan
in place?
It may sound glib to say start planning now but significant changes may well
be required and the clock is ticking! When you look closely at the requirements
of GDPR, May 2018 really doesnt seem that far away. To drive action within
your organisation, youre going to need to generate awareness of the
implications and get internal buy-in.

Reminding people of the potential financial consequences is a good place to

start the maximum fine possible under the GDPR legislation is 20m or 4%
of annual turnover. Given the high-profile nature of these changes, it could
be your reputation that suffers the most however. As the Charity Commission
points out, an organisations approach to fundraising has the potential to
significantly build or damage its reputation.
 thankQ CRM

NFP // thankQ CRM 4

2 Are you
compliant with
current data
protection laws?
If you are already complaint with the Data Protection Act (DPA), you are in
good starting position to deal with the enhancements that GDPR introduces.
However, despite the high expectations on not-for-profit organisations, some
have fallen foul of the regulations in recent times and compliance with existing
legislation should also be reviewed.

The RSPCA and the British Heart Foundation (BHF), for example, were
recently fined 25,000 and 18,000 respectively for serious breaches of the
Data Protection Act. These charities were found to have collected and used
personal information for three activities: data sharing, wealth screening, and
enriching data using other sources. The underlying issues were fairness, clarity
of purpose and having a clear lawful basis in order to use data.
 thankQ CRM

NFP // thankQ CRM 5

3 Are your privacy

notices clear?
The number of ways we can collect information for fundraising and direct
marketing has increased enormously as digital communications methods
continue to expand. The extra transparency requirements of the GDPR mean
you will need to review the privacy notices you have in place wherever you
collect personal information.

You will need to ask yourself if these notices fully inform people about how
their personal information will be used; are they concise, easy to understand
and in clear language? Individuals will also need to be informed that they
have a right to complain to the Information Commissioners Office (ICO) if they
believe their information is being handled incorrectly.

When reviewing your notices, youll need to provide enough detail to explain
the different purposes you will use their information for including activities
that are not typical or which are unlikely to be anticipated.
 thankQ CRM

NFP // thankQ CRM 6

4 Is consent
unambiguous?
If you want to gain the consent of an individual to use their personal data for
fundraising or marketing activities, you will have to ensure that this consent is
freely given, specific, informed and unambiguous. Consent cannot be inferred
from silence, pre-ticked boxes or inactivity.
 thankQ CRM

NFP // thankQ CRM 7

5 Have you
reviewed the
quality of
consent you
hold?
Many not-for-profit organisations will have already populated their CRM
systems with personal data for fundraising and marketing activities. If you
want to use this data after May 2018 however, you will need to demonstrate
that consent for existing data was gained in a manner that is GDPR compliant
and is used for the purpose it was given.

For instance, if an email address was collected for purely administrative

purposes, this does not give you the right to use this for marketing purposes.
Its important to note you dont have the right to use that email address to
ask for the right to marketing to them as that is in itself an act of marketing.
Instead, a careful consideration of what personal data is held for, and the
quality of consents you currently hold, is required.
 thankQ CRM

NFP // thankQ CRM 8

6 Can you handle

individual
requests?
Under GDPR, individuals will have enhanced rights regarding their personal
information. This ranges from the right to ask what information your organisation
holds about them (subject access requests) to the ability to correct inaccuracies
and erase data completely.

Under current legislation, organisations can charge for a subject access

request but this will no longer be the case. From May 2018, you will have to
do this freely and within a month. This has obvious administrative implications,
and not-for-profit organisations will need to ensure their CRM system is up to
the task. Ask yourself does your CRM record proof of consent or provide your
supporters or donors with self-service to make changes? Does it maintain
audit trails and identify which user has amended consent fields?
 thankQ CRM

NFP // thankQ CRM 9

7 Are you
checking
peoples ages?
The new legislation will introduce enhanced protection for childrens personal
data. To lawfully process the personal data of a child, organisations will need to
seek the consent of a parent or guardian.

Organisations will need to put systems in place that can verify the age of the
individuals supplying their personal data. The ICO has indicated that in the UK
a child will likely be defined as anyone under 13 years old.
 thankQ CRM

NFP // thankQ CRM 10

8 Do you have
data breach
procedures
in place?
In the event of a data breach, organisations will need to notify the ICO if an
individual is likely to suffer some form of damage, such as identify theft.
They will also need to inform individuals directly if this breach leaves them
open to financial loss.

Large organisations will also need to have clear policies and procedures in
place for managing data breaches. Failure to comply with these requirements
could result in an organisation facing significant fines.
 thankQ CRM

NFP // thankQ CRM 11

9 Can you
demonstrate
you are taking
data protection
seriously?
Under the GDPR organisations will not just be required to comply with the data
protection principles, but will need to maintain evidence to demonstrate how
they are complying.

Current best practice such as adopting a data protection by design and by

default approach, and reporting of breaches to the ICO will also be a legal
requirement under GDPR.
 thankQ CRM

NFP // thankQ CRM 12

10 Where does
responsibility lie?
The ICO recommends that organisations should assign an individual to
take responsibility for data protection and ensure compliance. In some
organisations, such as public authorities, it will also be a legal requirement
to appoint a data protection officer.

These does not mean other individuals are absolved of responsibility when
it comes to data protection, however. The Charity Commission, for instance,
has stated that trustees have overall responsibility for ensuring compliance.

The reality is responsibility will fall on a combination of individuals including for

example, the head of fundraising, head of direct marketing, the legal team,
trustees, web and administrative staff. They will need to work together to
ensure compliance as they would with any other charity fundraising decision.

To learn more about GDPR and how you can become compliant read
Access Groups essential guide, Do you know what it takes to become
GDPR compliant?
 thankQ CRM

NFP // thankQ CRM

About Access
Access is the number one software solutions supplier to the Not-for-Profit sector. Access helps organisations make the most of their funds by
delivering integrated organisation-wide solutions. Our software enables you to manage your CRM, membership and fundraising, finances, projects
and documents, as well as streamline your HR and recruiting processes.

0845 345 3300 nfp@theaccessgroup.com theaccessgroup.com/thankQ

About Protecture
Protecture is a team of data protection specialists who help organisations ensure data protection compliance in all areas. Protecture have over 12 years
of experience turning the law into practice for charities, schools, local government, corporates and care providers. Protecture work with organisations
of all sizes, supporting them with up to date policies and other template documents that are tailored to suit their needs, backed by on-going support,
training, external audit.

020 3691 5731 help@protecture.org.uk protecture.org.uk

www.theaccessgroup.com
2017 The Access Group