Running helplines under GDPR – what charities need to know
Ron Moody, CEO of Connect Assist, says you must ensure your helpline provider’s systems are fully in line with GDPR before contacting donors or users.
The charity sector is responsible for large quantities of data and therefore will be widely impacted by the introduction of the GDPR next month.
With the threat of large fines for breaching the regulations and the risk of significant reputational damage, it is crucial for organisations to update all policies and procedures to ensure they are fully compliant in time for the deadline on 25 May 2018.
In a sector already under heavy scrutiny, errors could prove disastrous for public trust and confidence.
While everyone’s personal data is important and should be treated as such, information held by charities, by its very nature, is often even more sensitive than in other organisations.
Scandals surrounding the mishandling of sensitive information can be catastrophic, and ultimately could result in the breakdown and closure of vital services. To prevent this from happening, charities must ensure that proper procedures are in place and staff are fully trained in data protection before handling any information.
Charities must consider multiple factors when assessing whether current data practices are compliant with GDPR legislation. If your charity handles service user information in-house, a clear policy must be created and implemented at all levels.
Policies should state how information is collected and used and must include a clear strategy for protecting it. Any staff or volunteers handling data of any sort must also be fully trained in how to handle data under the GDPR.
If your charity outsources service delivery, it’s important that you are confident your provider has this covered, as any potential mistake could have serious repercussions.
Ensure your helpline provider’s staff are fully trained in compliance. Any provider you choose should be preparing for the GDPR by ensuring their systems are in line with the legislation.
Any provider you use must have a good understanding of the following basic tenets of the GDPR before contacting any users or donors.
One of the most significant changes charities will face following the implementation of the GDPR will be the changes to consent requirements.
It will no longer be sufficient for charities to use open-ended consent to cover future processing when collecting personal data – charities will need to clearly explain how and why information is being used.
Separate consent must also be secured for separate activities, for example when information is passed on to a third party or used for a different cause. Vague or presumed consent won’t be enough, so being explicit is vital.
Many charities are likely to be facing a challenge with gaining consent for the data they already hold. If this data is not GDPR compliant, which encompasses how it was collected, stored and shared, it’s highly advisable that it’s deleted.
To ensure you can still communicate with service users and supporters, it is also important to approach them again for updated consent.
There have been concerns that the GDPR could have a significant impact on fundraising, as many charities rely on regular communication with donors and potential donors to raise money.
Although clear consent will be needed for emails, text messages and automated calls, charities will be able to contact individuals by post and by live (non-automated) phone calls if they can demonstrate a legitimate interest.
Marketing is considered a legitimate interest under the GDPR; however, it is important to consider the rights of the individual. New rights will give them more control over their data, including accessing it and having it erased.
The GDPR will also introduce a duty on all organisations to report personal data breaches to the relevant authority.
As there have been a number of high-profile data leaks in the sector, charities should ensure they and their providers have secure systems in place to detect, report and investigate data breaches.
If data breaches do happen, organisations must report them to the Information Commissioner’s Office within 72 hours of becoming aware of the breach. If the breach poses a high risk to individuals’ rights and freedoms, the affected individuals must also be informed immediately.
As the Data Protection Act already requires data to be processed fairly and lawfully, charities should only have a small amount of work to do to ensure they are GDPR compliant.
There’s no need to panic – charities should approach the changes as an opportunity to review all data processes, including deletion policies, and ensure they are as secure and watertight as possible. Ultimately, when it comes to storing personal data, one lesson that has stood the test of time is: if you don’t need it, delete it!
Ron Moody has more than 12 years of experience in the charity sector, contact centres and fundraising. He heads up Connect Assist, which was established in 2006 and delivers dedicated helpline services to the charity and public sectors.