GDPR for not-for-profits: Do your research.
In our last blog, we covered what the GDPR actually is, why your charity or not-for-profit organisation needs to be concerned with it, and what the implications are should your charity fail to comply with the regulation.
In this blog, we are talking about research: what research your not-for-profit organisation should do to get up to speed on the GDPR and be prepared for when the regulation comes into force on 25th May 2018.
The conversation surrounding the GDPR is flooded with varying information and advice, so you need to be confident that your not-for-profit organisation is obtaining its information from a reliable source, so that you know the facts rather than the rumours.
A great starting point is the official EU GDPR homepage. Here you will find a wealth of information on the legislation, including FAQs, a summary of the key changes and a GDPR timeline. Another vital source is the Information Commissioner’s Office (ICO) website, which is the UK regulator’s own guidance and should take precedence over third-party commentary where they differ. It offers checklists, preparation guides and a 12-step guide on how to prepare for May 2018.
The UK’s vote in June 2016 to leave the EU has raised a further question: will the GDPR affect the UK at all? The short answer is yes. The GDPR applies from 25th May 2018, before the UK’s scheduled exit date of 29th March 2019, so your organisation must comply from that date regardless. Even after the UK has left, if your NfP organisation holds data on individuals situated within the EU, your charity must still comply with the GDPR. The UK Government has also confirmed that equivalent legislation will be brought into UK law once the UK has left the European Union, so Brexit does not remove the obligation.
Research within your not-for-profit organisation
It’s not just external research that you need to conduct when kicking off your GDPR project. You also need to look internally, at your data and at your processes. Firstly, you will need to carry out an internal data audit to document what personal data you hold, where it came from, where it is stored, on what lawful basis you process it, and who you share it with.
You will also need to review how you currently process your data. Depending on the size and management of your not-for-profit organisation, that could mean anything from a single CRM to a mixture of spreadsheets, mailing lists and paper records. As part of your review, document how you manage your data now and establish what changes you need to make to comply with the incoming regulation.
As part of this, you will need to review your current privacy notices, ensuring that they clearly explain how you intend to use any personal data you hold on an individual. You will also need to ensure your data procedures cover individuals’ rights over their data. For example, how would you provide a copy of an individual’s data should they request access (the GDPR gives you one month to respond)? How would you erase their data should they ask you to delete it? Answering these questions honestly is only possible once your data audit tells you where every copy of that data lives.
Additionally, as a not-for-profit organisation or charity, you will have to review how you seek, record and manage consent under the new law, and whether you must change the way you currently manage permissions and consents. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action, so pre-ticked boxes and silence will no longer count, and you must be able to show a record of when and how each consent was obtained.
These are just some of the areas of internal research you need to think about before you start your GDPR review; a full list can be found on the ICO website. Although it may seem like there is a lot to do, the incoming GDPR is a great opportunity for organisations to review outdated systems and investigate how best to work within the new requirements. Some may view the GDPR as an inconvenience to not-for-profit organisations, but it is also a good reason to reorganise your practices and better serve your supporters.
A dedicated CRM (Customer Relationship Management) solution gives a not-for-profit a single system of record on which to base its data audit. Permissions and consents can be set and tracked within Microsoft Dynamics 365, with audit trails showing when and how each was recorded, to support compliance with the Fundraising Preference Service and the GDPR. Consolidating scattered data into a single coherent source is a vital part of complying with the GDPR, because you cannot honour an access or erasure request for data you do not know you hold, and a CRM solution such as Dynamics 365 gives you the tools to achieve this.
Keep a lookout for our third blog in this series which will explore the role CRM plays in ensuring your charity or not-for-profit organisation is GDPR compliant.