Self-proclaimed experts, fuelled by press hype, have created a climate of fear around the upcoming EU General Data Protection Regulation (GDPR), which takes effect on 25th May 2018. Not-for-profits, including charities and membership associations, need to take the new rules on handling personal data seriously, but there is no reason to panic.

This is the message shared by Allen Reid, Hart Square's director of client projects, with the charities and membership organisations assembled at a joint Hart Square and Pythagoras briefing last week.

Here are the slides (below) and the key takeaways from the briefing.

If you missed the session, don't worry: Hart Square is running another GDPR breakfast briefing on February 28th in Mayfair, London, and a Preparing for GDPR webinar on 5th April.

The Dos and Don'ts of GDPR for not-for-profit organisations

Charities, foundations, member associations and other non-profit organisations that behave responsibly and respectfully with donor or member data:

  1. Do not need to toss out all donor and member databases.
  2. Do not need to pay a fortune to scare-mongering consultants or rush into a new CRM implementation.
  3. Should not see better, cleaner data, transparent processes and happier donors and members as bad for business.
  4. Have a stronger case than commercial organisations, and than anyone who shares personal information for commercial gain, for relying on legitimate interest as the lawful basis for marketing. Note that this covers the GDPR lawful basis only: electronic marketing by email or SMS remains subject to the separate e-privacy rules, which for individuals generally require consent.

To be responsible and respectful with personal data, not-for-profit organisations:

  1. Must be able to demonstrate that the entire organisation, from the chief executive down, and all suppliers and partners understand their GDPR responsibilities (the regulation's accountability principle).
  2. Must evaluate and document how every process and system handles personal data, the gaps found, and the steps taken to close them.
  3. Must be honest and transparent about how they use donor or member data.
  4. Must have a lawful basis, such as consent or legitimate interest, before storing or sharing personal data, and where consent is relied on must obtain an active opt-in from the donor or member rather than a pre-ticked box or silence.
  5. Must make it easy to unsubscribe or opt out of marketing messages.
  6. Must be able to respond to requests from donors or members for access to their personal data, or for records to be deleted, within the one-month deadline the regulation sets.
  7. Should not panic and rush into anything regrettable.
