Data protection for supporter stewardship – six steps to getting it right
June saw the ICO slam the UK Metropolitan Police Service for failing to handle personal data requests correctly, for which there could be an eye-watering fine for as much as £17 million. No organisation is immune from scrutiny over its data protection compliance.
It’s a year on from the new regulations coming into force and there’s a sense in our sector of relaxing into post-GDPR fundraising and supporter stewardship, with some confidence in the new systems, staff and processes in place to ensure compliance. But if your charity, big or small, collects and uses supporter data for any purpose, it’s imperative that you manage that data properly, and also regularly check that you are maintaining that compliance.
Times – and regulations – have changed, and the personal data an organisation collects can no longer be considered ‘theirs’ any more. Instead, the data you hold remains very much the property of the individual it came from, which places greater responsibility on you, the caretaker, to look after it. This starts with how you collect it, through how you store, manage, use, and finally dispose of it.
Not only will the Information Commissioner want to see proof of this as part of your GDPR and data protection compliance, but members of the public are also increasingly demanding to be shown how their data is being used and looked after.
Keeping it clean, accurate, and secure then is critical. But it’s also important to keep a close eye on the relevance of your grounds for processing data, the original source, the consents attached to that data, as well as how long you keep it, as even consent does not last forever.
Here are a few steps to help you ensure you look after it properly:
Know your data
Know what you hold and why. Ensure you regularly review it and erase or anonymise personal data when you no longer need it, keeping it no longer than necessary. Enabling a 360 degree single supporter view will help here by giving you access to all your data in one place for easy management.
Right to be forgotten
Ensure too that you have appropriate processes in place to comply with individuals’ requests for erasure under the ‘right to be forgotten’. Here too, a 360 view of your data is essential for helping you meet data protection requirements.
Have a strong and transparent data protection policy
Under GDPR’s data protection principles, you must ensure you use personal data fairly, lawfully and transparently. This means being clear about how you intend to use it – and sticking to that – and restricting your usage to only what is necessary, as well as keeping it safe, accurate and up to date, and retaining it only as long as is really necessary.
This of course needs to be followed through by all your staff. A data protection policy is your organisation’s internal document that details your compliance practice for everyone to adhere to. Most people in your organisation won’t be data or GDPR experts so simplicity and transparency are key – outline GDPR and its data protection requirements as simply as possible, making your employees’ obligations crystal clear.
Regularly verify data quality
Data needs regular maintenance to keep it clean and accurate. People’s circumstances change: they move, and change contact details for example as well as contact preferences, so data quality deteriorates over time. Keep it as up to date as possible by regularly using the basic data hygiene techniques of PAF cleansing, deduplication and applying external suppression files.
Don’t stop there though – look too for additional ways of keeping databases as accurate and up to date as possible, such as encouraging people to tell you if someone’s moved with an easy to fill in section on envelope outers or your website, and checking with supporters when they contact you, or vice versa.
Improve your data security
Ensure you can answer in the affirmative to these questions:
Are your passwords as strong as they could be?
Do you regularly back-up your data?
Do you regularly update and cleanse your data?
Do you restrict access to data to those that actually need it?
Are you also using efficient security and antivirus tools, and multi-factor authentication to ward off hackers?
Do you have data security and reporting policies in place for dealing with breaches and emergencies?
Do you have back-up servers and a contingency plan in case there’s an unexpected problem?
Does everyone know their roles and what procedures are in place should an incident occur?
Choose the right partners
Work only with reputable partners and ensure contracts are clear and detailed. Look for specific ISO accreditations when selecting partners to work with such as ISO27001 Information Security and ISO9001 Quality Management, which means an organisation adheres to scrupulous data security standards and is audited.
Check that they too have back-up servers, contingency plans and are as open and transparent with you about how they do things as you are with your customers or supporters.
There is a lot to consider – and implement – to ensure your organisation is managing its supporters’ data correctly and before you can even begin to work with it in your stewardship programmes. The tips given here are a reminder of the basic requirements, and, in reality, a great deal of work can be done on each to ensure you keep on top of data compliance and best practice.
If your charity doesn’t have a dedicated data department it does need to appoint a Data Officer so that your data responsibilities can be properly managed. Those organisations that put in the work will undoubtedly reap the rewards of better-informed and successful supporter communications.
Suzanne Lewis is founding director of Arc Data and can be reached on firstname.lastname@example.org.
This blog first appeared on UK Fundraising on 27 June 2019.