We have been through an extensive process of scenario testing with iMIS and Progress CRM (the two systems our UK and EU clients use) to identify the issues most likely to arise. For Progress, this has led us to enhance some functionality around communication preference management, which is being released over the summer. For iMIS, we went through a very similar process a couple of years ago when new data protection and email legislation was introduced in Canada, at which point a couple of future-proof tools were added to the software that are equally applicable to consent management under the GDPR.
Future plans and client support
ASI will continue to support its clients in being aware of and prepared for the GDPR, which comes into force next May. We have already organised sessions for our UK and EU-based clients to discuss some of the implications of the new regulation, and these have been well attended. In those discussions we are focusing on three key messages:
- Internal policies – make sure you engage with the new regulation as early as possible and think about its impact on your work. The GDPR has been deliberately drafted so that it is not ‘one size fits all’, which means that organisations have a responsibility to decide on and articulate their own data protection policies within the new framework. A balancing exercise (e.g. the ‘Consent Self-Assessment tool’ recommended by the Fundraising Regulator) is a useful way for organisations to work through the specific question of consent versus legitimate interest. For instance, many database tools (including iMIS, if configured in a particular way) allow organisations to automate processes or to undertake supporter profiling with the data they control. Organisations need to consider the implications of using these tools, when it is appropriate to do so and when it is not, and ensure their policies adhere to the safeguards set by the regulation. The same applies to questions such as the right to be forgotten (‘the right to erasure’), where organisations will need to decide how they will respond to requests for personal data to be removed or deleted from their systems. (This is, of course, also a task that iMIS and Progress support.)
- In terms of the more technical requirements – make sure you have a robust system and find time to test your processes, especially around responding to subject access requests, the (improbable, but possible) need to deliver data portability, and enquiries or complaints about how communication preferences have been collected and recorded.
- Self-service – Recital 63 of the GDPR explains that “where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data”, and the UK’s ICO has interpreted this as new best practice: providing self-service access to personal data and communication preference management. While this won’t necessarily be appropriate for all not-for-profit organisations immediately (although it certainly should be for larger organisations), we are talking to organisations about how they might practically manage supporters’ communication preferences (on- and off-line), and there are several ways to approach the challenge. Regardless of the approach, aiming high on self-service is bound to help as individual organisations and the sector juggle the regulatory and ethical factors driving the changes.