GDPR – What do not-for-profits need to know?
Do you work in the third sector? If you’re involved with a charity, whether you work for a not-for-profit organisation or volunteer for one, then you’ve probably heard about the strict GDPR legislation coming into force in May 2018. But amongst all the noise and confusion, we ask the question – what do not-for-profits really need to know?
m-hance is a leading voice in the not-for-profit sector, with vast experience implementing Microsoft technology within charities to improve processes and connect dispersed workforces.
This m-hance not-for-profit blog series will explore the boundaries and constraints put in place by the GDPR and how your NfP organisation can best adhere to these rules and regulations. Join us as our not-for-profit specialists, with over 20 years’ experience in the industry, break down the jargon. Tory Cassie, Senior Business Development Manager at m-hance, has worked with numerous charity organisations, fundraisers and members of the NfP community across the UK throughout 2017, exploring and advising on GDPR and the changes it will bring.
So, what do you need to know?
The General Data Protection Regulation (GDPR) is the most radical change to data regulation in over two decades – since the Data Protection Directive (Directive 95/46/EC) was introduced in 1995. By bringing this law into common practice, the government will ensure the protection and safety of personal data. Because the world was far less technologically advanced in 1995, the current data protection laws have since become outdated and irrelevant in a digital world.
The key changes to data protection will take into account notable breakthroughs in technology and the ways in which organisations engage with their prospects. However, this becomes difficult when you are a charitable organisation that regularly reaches out to key audiences, donors and supporters by means of data segmentation.
Under the new rules and regulations, charities will need to ensure that, day to day, they are protecting their supporters’ data and personal information in all that they do. This means ensuring an individual’s confidential data is not lost, altered, disclosed to or accessed by an unauthorised party.
Therefore, it is imperative that controls and processes are implemented to avoid a charity being held liable for a data breach and facing a financial penalty.
What happens if you breach the terms of the GDPR?
The penalties for breaking the GDPR have the potential to bring huge ramifications for your not-for-profit organisation. Fines of up to 4% of annual global turnover or €20 million, whichever is greater, will be enforced. There is also the potential for organisations to be fined 2% simply for not having their data records in order. Unfortunately, this has the potential to bankrupt many small charitable organisations that are caught out by the strict terms of the GDPR.
What is considered a breach of the GDPR?
A breach of the GDPR can mean anything from a lack of data organisation and protection, to not informing the authority about a data breach, to not conducting an impact assessment. As you can see, there are many ways in which an organisation can fall foul of the strict details of the GDPR. Take a look at the GDPR FAQs here.
So then we must ask NfP organisations: how do you handle your supporter data?
Transparency within organisations will be a key factor when complying with the GDPR. Ensuring strong information governance within charities is now a requirement by law. As many charities hold sensitive personal data such as bank details, health records and home addresses, this information must be guarded. Although the GDPR seems to have come with a real sting attached to it, due to the number of changes that will need to be made and the financial threats it brings, there is also a great opportunity for forward-thinking change within organisations.
An advanced system that streamlines and protects fundraising and marketing practices, such as a CRM (Customer Relationship Management) solution, can take the pain out of the GDPR. A CRM system such as Microsoft Dynamics 365 provides an integrated data management system that tracks each and every touch point with your supporters, and seamlessly manages engagement, fundraising and even social media accounts in one place. With real-time records of all communications, you can interact with your supporters successfully and safely while protecting yourself from breaching the terms of the GDPR.
Our second instalment in this three-part series will explore research, and what research you can be doing externally and internally to ensure you are up to speed with and prepared for the GDPR.
In the meantime, to read more, please download our GDPR success in 5 steps eBook.