The General Data Protection Regulation (GDPR) is a new law that will replace the Data Protection Act 1998 and will apply in the UK from May 25th 2018. Although compliance cannot be enforced solely by IS systems, there is no doubt that the fundraising software and CRM systems which charities use should be able to help organisations manage their compliance needs.
In May 2017, I therefore approached the UK charity sector’s leading software suppliers and asked them the following: “What are you doing to advise your clients on how they should use your system(s) to manage their GDPR requirements? Are you developing or planning to develop any specific functionality?”
The list below contain the current responses I have received; more are expected and I will update this page as I receive them.
What are you doing to advise your clients on how they should use your system(s) to manage their GDPR requirements?
Understanding that our customers need to be ready by May 2018, Access has been delivering awareness seminars and webinars about the impact of GDPR on NFP CRM since October 2016. We launched the GDPR Resource hub on our website last month, where visitors will find white paper resources including: A Guide to GDPR, a 5 step plan and a checklist to becoming GDPR compliant.
GDPR is going to have a major impact on how our customers manage data. A year ago in May 2016 we engaged with specialist advisors Gary Shipsey and Paul Ticher and since then we have been working to design GDPR compliance into thankQ. We continue to present the changes needed to meet GDPR in a range of GDPR seminars. Using webinars and the thankQ user conference we have provided guidance on how thankQ clients should store GDPR compliant consent in current versions of thankQ. Further documentation, due for release shortly, will confirm how consent should be stored and how it can be applied. We will then provide a software update which will automatically apply the new consent to outbound communications.
Are you developing or planning to develop any specific functionality?
Yes. The first phase of thankQ GDPR developments will be released to thankQ customers for testing in the next few weeks [as of June 1st, 2017]. The initial release will include updates for both GDPR and the new Fundraising Preference Service, as well as updating the Web API. This will be followed by a consent portal. We continue to showcase these options to new customers at seminars. At the time of writing, the next one is next week (June 7).
GDPR has been embraced as a core part of the thankQ roadmap in 2017. The first set of GDPR changes will focus on allowing our customers to define, store and apply their communication purposes. We are also making available to customers with thankQ CRM integral GDPR compliance reporting and archiving in line with the new regulations.
What are you doing to advise your clients on how they should use your system(s) to manage their GDPR requirements?
– We started our preparation over 9 months ago.
– We are actively engaging with all our customers on this specific topic.
– All our customers have had opportunity to participate in our regular webinars, with several this year covering the topics of GDPR, FPS and data cleaning.
– Several customers came forward to specifically engage in a 1-2-1 and workshop format.
– We have been busy attending industry conferences/workshops as a delegate or exhibitor to improve and update our knowledge of the GDPR requirements to pass onto our customers, as well as inviting customers on a complimentary basis to some events.
– We have participated in discussions and surveys, both as contributors and receivers, with the Institute of Fundraising (of who we are a corporate member) FPS and the ICO.
Are you developing or planning to develop any specific functionality?
Earlier this year we released the first update of AdvantageNFP for charities and membership organisations to record communication preferences at a granular level, allowing them to make selections by channels, methods and store the dates and source of that preference. The second release due out in September this year, i.e. well in advance of the May 2018 deadline, will provide the functionality to use this preference data to validate mass communications against opt-in and/or opt-out data. AdvantageNFP supports both the “legitimate interest” opt-out model for direct mail, the preference “opt-in” model and, in the right circumstances, a hybrid of both.
ASI is confident that our systems have sufficient functionality to enable our clients to remain compliant with the new GDPR regulations, and we always aim to be ahead of the curve on issues related to data security. We have been through an extensive process of scenario testing with both systems to examine likely issues that may come up. In terms of Progress, this has led us to enhance some functionality around communication preference management that is being released in the next couple of months. In terms of iMIS, we went through a very similar process a couple of years ago when new DP protection and email legislation was introduced in Canada, at which point a couple of future-proof tools were added to the software. In terms of the new regulations, we remain fully capable of keeping our clients at the cutting-edge.
For FPS, we’re looking forward to seeing the new service when it launches, but we have been encouraged by the seeming move towards a realistic system that came out of the Fundraising Regulator’s consultation. Obviously, this remains an area to monitor, but we are keeping very close tabs.
Regarding client advisement, we have already organised some sessions for our UK-based clients to discuss some of the implications of the new regulations, and these have been well attended. In terms of our messaging, we are really focusing on three-key messages on this:
1) Internal policies – make sure you engage with the new regulations as early as possible and think about their impact on your work. The GDPR has been deliberately drafted so that it is not ‘one-size fits all’, which means that organisations have a responsibility to decide on/articular their own policies for data protection that will be appropriate within the new framework. The balancing exercise recommended by the Fundraising Regulator (the ‘Consent Self-Assessment Tool’) is a great tool organisations should consider undertaking to look at the specific issue around consent and legitimate interest.
2) In terms of some of the more technical requirements – make sure you have a robust system and find time to test your processes, especially around responding to subject access requests, the (improbable, but possible) need to deliver data portability, and requests to enquiries/complaints about how communications preferences have been collected and recorded.
3) Self-service – Recital 63 of the GDPR explains “where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data” and the ICO has interpreted this as being a new best-practice to provide self-service access to data and communication preference management. While this won’t necessarily be appropriate for all charities immediately (although it certainly should be for larger organisations), we are talking to organisations about how they might practically manage supporters comms preference (on- and off-line), and there are obviously several ways to approach the challenge. Regardless of the approach, aiming high in terms of self-service is bound to help as individual organisations and the sector juggle the regulatory and ethical factors driving the changes.
At the end of June , the Blackbaud consent and preferences management roadmap for the remainder of 2017 will be released, detailing new product development and current capabilities which are specifically tailored to enable non-profits to capture and evidence consent and accommodate other data subject rights in accordance with GDPR and the ePrivacy Regulation.
Blackbaud recognises that advanced preparation for legislation like GDPR is critical for operational continuity, which is why all new solutions and best practices will be available in time for customers to prepare for compliance.
Blackbaud have published extensive materials on GDPR on their website here.
We engage daily with our donorflex client base on their requirements to comply fully with their GDPR and Preference Services obligations.
Our close, active involvement with the Fundraising Regulator and the FPS Project team – as part of the development period that has shaped the service’s operational details – has both enabled us to ensure that those dealings with clients are current and on-point, and honed the new functionality, preference protocols and controls designed into the donorflex CRM system.
We hosted a sell-out Preferences & Compliance masterclass – with the Fundraising Regulator, Information Commissioner’s Office and the Direct Marketing Association on the top table – as a prelude to our donorflex National User Conference last September.
That enabled us to bring front-line users together in the same room as the policy-makers to share insights and anxieties at that crucial point in the preferences debate.
In March , the donorflex functionality for managing preferences in the new era was unveiled to around two-thirds of the client base at a season of nine regional training days across the UK.
At the same time, we rolled out a special data appraisal utility to clients as the first step in a process that will enable them to engage with us, individually, on the readiness of their data to meet the new preference standards.
Away from those client-specific moments, we’ve also been delighted that our standing in the preferences debate has brought invitations to speak with a supplier’s perspective on Institute of Fundraising and National Association of Hospice Fundraisers discussion panels at national conferences.
Our motivation is simple. We regard it as our responsibility to promote awareness – regularly and consistently – of the challenges that charities face in dealing with the new regulations, now and in the future.
As a relatively new solution Donorfy was designed with some of the demands of what has become known as GDPR in mind – specifically consent-based marketing, which comes down to storing and respecting peoples’ wishes when it comes to producing communications. But as we all know GDPR extends beyond the question of consent, so we are taking a holistic view, reaching into the the other areas of the regulations that go beyond consent.
We’re not giving legal advice, obviously, but we are trying to understand what best-practice looks like so our clients’ reputations are enhanced by their response to GDPR, not damaged by sailing too close to the wind. To do that we’re attending seminars, reading the guidance and asking our clients. We held a client panel meeting on this in early May, and will continue to do so as we design and build out the new features. Like many solutions Donorfy could be configured using the product’s built-in flexibility with custom fields, tags and attributes and so on. However, we intend it to be purpose-built functionality that is easy to understand and consistently applied across our client base. This means it will be easier to support and extend in the future.[However] The legislation is still not settled, and the sector’s understanding of it is still developing. We will definitely end up creating new Donorfy features, and adapting existing ones. The great thing about being a native cloud solution is that when we roll out our monthly product updates all clients are immediately and automatically upgraded to it, so no one gets left behind.
We are certainly ahead of the game and that’s also according to Microsoft! We do have preconfigured functionality within our NFP 365 template and any existing clients who are using the NFP365 template can get the module as part of a current enhancement plan.
Evidence of this:
– Our first GDPR webinar was held in May,
– Thursday 11th May, we held a GDPR specific event at NCVO offices for clients and prospects, where Adapta and Microsoft talked about their view and approach on GDPR and data security.
– M-hance presented at the IoF conference on Friday demonstrating D365 and our NFP365 configuration with GDPR functionality.
– We have another GDPR webinar coming up on 22nd June:
You can download our latest eBook “GDPR Success in 5 steps: A Fundraising Managers’ guide to becoming GDPR compliant“.
Training and ongoing awareness – our NFP consultants are attending specific training courses so that we can ensure we are knowledgeable during implementations, providing the correct advice and guidance. All our discovery’s now include GDPR specific workshops. Commitment is there from m-hance.
CiviCRM is an open source solution, unlike proprietary software, Open source software is crowd developed and therefore has a far larger pool of resource and support. More importantly with respect to issues such as GDPR the larger pool of resource allows the product to react quickly to new requirements. This was demonstrated during the move to online Gift Aid submissions, CiviCRM was the first major fundraising software to be ready for HMRC’s new online system at the time. The added benefit was that the functionality became available to all installs of CiviCRM immediately without cost and we would expect the GDPR work to be tackled in the same fashion, with thousands of charities benefitting from the collaborative model.
Specific to GDPR, CiviCRM is normally deployed with supporter facing interactions, ensuring that any changes to communication preferences are reflected immediately within the database and therefore reduces the risk of communicating with supporters who have requested opt out, from the channel, group or any combination thereof. The GDPR directives have highlighted the need for security and best practise to also be considered in the overall compliance, therefore the following sections of the document detail the approach that Veda NFP consulting will be taking as well as some core enhancements to CiviCRM to ensure GDPR compliance is achievable in all scenarios.
Our role is to guide our clients through the best practises and follow our planned implementation roadmap over the coming 6 months. The GDPR guidelines do require clarification in some areas, however we feel there is enough information to begin the process, reaching the final industry agreed best practise in time for the May 2018 implementation deadline.
Veda Consulting have prepared a detailed document on CiviCRM and GDPR which you can download.
We are working with our clients on an individual basis to discuss the requirements for GDPR and how it affects individuals data held in alms.NET. Our clients are at different stages of GDPR adoption in terms of their understanding and preparation so we are reviewing each one to see how far they have progressed and what their challenges are so that we can guide them.
We have developed a communication plan to include regular updates via email, our help site, blogs and gatherings for our clients to keep them up to date. We are also in communication with the ICO and the IOF to develop our understanding of the GDPR requirements which we will relay back to our clients. The GDPR relates to personal and sensitive data collected and used by organisations. Each organisation is responsible for making sure that the data protection principles for processing are met – lawful, transparent, legitimate purpose collection, accurate, identifiable to the data subject and secure whilst also keeping in mind the individuals’ rights. The current version of alms.NET – Horizon already has functionality to support the key requirements of the GDPR and we are developing alms.NET further to incorporate any remaining requirements.
Managing consent is one of the biggest challenges our clients and other charities are facing with respect to the GDPR. It doesn’t just mean obtaining consent to send their individuals direct marketing communications; it is also about obtaining consent to hold personal data. alms.NET Sourcing and Auditing functions provide organisations with the means to do this – any contact data change in the system is stamped with a date, user and descriptive – manual or automated depending on the process from which the data was added. Our clients can view the audit trail to see what data was changed/added and when.
Several of our clients obtain sensitive data such as medical or household information as well as holding data about children and other vulnerable groups. Consenting to hold sensitive data or to be profiled or any other requirements can be held in alms.NET against the contact. Sensitive data can be secured so that only relevant personnel in the organisation has access – this can be done at a data record or individual contact level.
With regard to consent for direct marketing communications, alms.NET provides consent against a channel (email, telephone or postal), purpose, e.g. direct marketing, campaigning, events – and the associated email address, telephone number or postal address. Where the individual has exercised their right to object, this can also be recorded here alongside the source.
When it comes to communicating with individuals, it may be direct marketing. This can be managed by consent or under the ‘legitimate interest’. Either way, the alms.NET Communication process will allow you to include/exclude individuals depending on the type of communication.
Individuals will have the right to access their data and this can be done by using the alms.NET Contact report and/or allowing a supporter portal sign on where they are able to view their information.
The main area of development is to introduce an improved function which will comply with the individual’s ‘right to erasure’.
Web Service for Consent Management
We have developed a cloud based service which enables clients either to use APIs from their web-site allowing their supporters to manage their preferences/consent or have direct access to our preference/consent service logging in via social media or email.
This service is part of our new cloud product, GiftedMatrix. A core part of GiftedMatrix is the AffiliationPoint which allows you to plug-in any people based system you have so that information can be shared and managed across GiftedMatrix. This means that existing systems can be affiliated to GiftedMatrix and can take advantage of all the services and functions available including Consent Management.
Other useful resources
- Microsoft has a dedicated page on GDPR detailing how Dynamics 365 (and other Microsoft Cloud services) can help with GDPR requirements.
If you represent a supplier who provides fundraising software to charities and you would like to add your feedback to this page then please email me at firstname.lastname@example.org.