The legislation on data protection was shaken up in 2018. In this post, we set out the key requirements relevant to the marketing activities of UK clubs, associations, societies and other membership organisations so that you can be confident you are in full compliance.
Introducing (the) GDPR
Data protection legislation that applies to membership and voluntary organisations is based on The General Data Protection Regulation (GDPR), which came into force in the UK from 25 May 2018 (enacted into UK law through the Data Protection Act 2018) and lays out general rules about data protection.
The GDPR contains no exemptions for non-profit organisations. This post addresses common questions about GDPR relevant to non-profit organisations like clubs, associations, societies and charities.
Why your organisation should care
You should care for two reasons:
What do I need to know?
As you communicate with your members you don’t need to know everything about the legislation but you need to be aware of certain key points.
Principle-based not rule-based
The old Data Protection Act 1998 was a principle-based legal structure and the GDPR continues that approach. This means that rather than a set of rigid rules, the law gives broad principles that will be applied differently by different organisations depending on their circumstances.
Here are the six data protection principles contained in the GDPR:
Many of these GDPR principles are similar to the preceding data protection principles but we’ll discuss below some key data protection changes. We have a post and free template explaining what to include in your Data Protection Policy.
To process data you need a ‘lawful basis’
The GDPR sets out six lawful bases for processing personal data:
GDPR - the biggest change is consent
Some of the data processed by non-profit organisations will be covered by the 'contact' or 'legitimate interests' bases and in those cases no consent is needed. But most marketing activity done by non-profit organisations will rely on consent as its lawful basis.
Consent means offering people genuine choice and control over how you use their data and the new rules are much clearer about exactly what this means.
Under GDPR, consent must be:
The GDPR also introduces special considerations to make privacy information clear when targeting children.
How does GDPR affect my members?
Collecting member information
When you collect member information on your website you must give the member clear information about how you will treat their data. As part of your contract with your members you can contact them about their memberhip but for marketing activities you'll need to ask them to give clear consent for a specific purpose. If you don’t get consent at this point, through a clear opt-in, then you don’t have permission to use that data for marketing. For example, on a membership form, you will need an unchecked checkbox asking whether the donor would like to receive updates about events, etc.
On newsletter subscription forms you’ll need to explain clearly what the subscriber will receive.
Storing supporter information
Storing information securely is already important and will only become more so. GDPR requires you to keep records demonstrating that your supporters have actively opted in. This means that across all the systems in which you store personal data you need to also be storing communication preferences and be able to associate those preferences with the communication through which the supporter actively opted-in. This will require a new level of integration and data management for many small organisations.
A simple solution to this will be to store a note on the person’s record in your charity database or membership management software, referencing the way they signed up and how they opted in. However, you will also need a robust system for managing changes in preferences when requested by supporters. Many email marketing systems offer these as standard, though bringing that data back to your database can be difficult. A manual approach would be to run monthly reports from your email marketing software listing who has unsubscribed. Users of the White Fuse platform can manage everything in one place from consent collection on forms to email recipients managing their communication preferences.
Communicating with supporters
When you send communications to supporters you will need to be confident that they have opted-in to the particular type of communication you are about to send. Knowing this relies on robust integration between all the systems you use, as mentioned in the last section. You must also be confident that you are giving your supporters a simple way to opt out of communications. For email newsletters, this should come in the form of an ‘unsubscribe’ or ‘manage preferences’ link at the bottom of the email.
Existing members and contacts
GDPR applies to historical data, not just data that has been collected after GDPR came into force. Depending on the quality of your existing systems and the way you collected data in the past, this means you may have to pro-actively contact your existing members and contacts to ensure that they have actively opted-in to your organisation's marketing communications.
Do I need a Data Protection Officer?
You already need to have someone in your organisation responsible for data protection and the GDPR does not change that. However, it does introduce a new more formal role called a Data Protection Officer (DPO). This role is unlikely to be required in most small organisations. A DPO must be appointed if you:
GDPR compliance summary
Download the checklist
We have condensed this post into a checklist for easy reference. If you find this useful please consider sharing this post.
More data protection resources for membership and voluntary organisations
Membership and voluntary organisations have a wide range of relationships with people and so inevitably end up collecting and storing a range of personal data. We have created a number of resources to help membership and voluntary organisations deal with their data protection responsibilities effectively.
This post explains the role of the Data Protection Policy as an internal document that explains how your organisation protects data and ensures compliance with your legal obligations in this area. The post and template provide a simple framework for carrying out this exercise thoroughly but efficiently.
A ‘cookie’ consists of information downloaded on to your computer when you visit a website. Cookies are widely used and can do a number of things, such as remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website. This post explains, in plain language, what you need to consider as a membership or voluntary organisation in relation to the data your website holds through cookies.
As well as giving people information about how you will process their data, you also need to hold it securely. This post covers what you can do to ensure your website is as secure as possible and to avoid having your website hacked.
Alongside data protection, there are a bunch of other legal issues that membership and voluntary organisations should consider. This post gives an overview covering topics such as company information and fundraising best practice.