The General Data Protection Regulation (GDPR) is a new law that will replace the Data Protection Act 1998 and will apply in the UK from May 25th 2018. Although compliance cannot be enforced solely by IS systems, there is no doubt that the fundraising software and CRM systems which charities use should be able to help organisations manage their compliance needs.
In May 2017, I therefore approached the UK charity sector’s leading software suppliers and asked them the following: “What are you doing to advise your clients on how they should use your system(s) to manage their GDPR requirements? Are you developing or planning to develop any specific functionality?”
The list below contains the responses I have received.
[su_spoiler title=”The Access Group – thankQ” style=”fancy”] What are you doing to advise your clients on how they should use your system(s) to manage their GDPR requirements?
Understanding that our customers need to be ready by May 2018, Access has been delivering awareness seminars and webinars about the impact of GDPR on NFP CRM since October 2016. We launched the GDPR Resource hub on our website last month, where visitors will find white paper resources including: A Guide to GDPR, a 5 step plan and a checklist to becoming GDPR compliant.
GDPR is going to have a major impact on how our customers manage data. A year ago in May 2016 we engaged with specialist advisors Gary Shipsey and Paul Ticher and since then we have been working to design GDPR compliance into thankQ. We continue to present the changes needed to meet GDPR in a range of GDPR seminars. Using webinars and the thankQ user conference we have provided guidance on how thankQ clients should store GDPR compliant consent in current versions of thankQ. Further documentation, due for release shortly, will confirm how consent should be stored and how it can be applied. We will then provide a software update which will automatically apply the new consent to outbound communications.
Are you developing or planning to develop any specific functionality?
Yes. The first phase of thankQ GDPR developments will be released to thankQ customers for testing in the next few weeks [as of June 1st, 2017]. The initial release will include updates for both GDPR and the new Fundraising Preference Service, as well as updating the Web API. This will be followed by a consent portal. We continue to showcase these options to new customers at seminars. At the time of writing, the next one is next week (June 7).
GDPR has been embraced as a core part of the thankQ roadmap in 2017. The first set of GDPR changes will focus on allowing our customers to define, store and apply their communication purposes. We are also making integral GDPR compliance reporting and archiving, in line with the new regulations, available to thankQ CRM customers.
[/su_spoiler] [su_spoiler title=”AdvantageNFP” style=”fancy”] What are you doing to advise your clients on how they should use your system(s) to manage their GDPR requirements?
– We started our preparation over 9 months ago.
– We are actively engaging with all our customers on this specific topic.
– All our customers have had opportunity to participate in our regular webinars, with several this year covering the topics of GDPR, FPS and data cleaning.
– Several customers came forward to specifically engage in a 1-2-1 and workshop format.
– We have been busy attending industry conferences/workshops as a delegate or exhibitor to improve and update our knowledge of the GDPR requirements to pass onto our customers, as well as inviting customers on a complimentary basis to some events.
– We have participated in discussions and surveys, both as contributors and receivers, with the Institute of Fundraising (of which we are a corporate member), the FPS and the ICO.
Are you developing or planning to develop any specific functionality?
Earlier this year we released the first update of AdvantageNFP for charities and membership organisations to record communication preferences at a granular level, allowing them to make selections by channel and method and to store the date and source of that preference. The second release, due out in September this year, i.e. well in advance of the May 2018 deadline, will provide the functionality to use this preference data to validate mass communications against opt-in and/or opt-out data. AdvantageNFP supports both the “legitimate interest” opt-out model for direct mail, the preference “opt-in” model and, in the right circumstances, a hybrid of both.
[/su_spoiler] [su_spoiler title=”ASI Europe – iMIS & Progress” style=”fancy”] ASI is confident that our systems have sufficient functionality to enable our clients to remain compliant with the new GDPR regulations, and we always aim to be ahead of the curve on issues related to data security. We have been through an extensive process of scenario testing with both systems to examine likely issues that may come up. In terms of Progress, this has led us to enhance some functionality around communication preference management that is being released in the next couple of months. In terms of iMIS, we went through a very similar process a couple of years ago when new data protection and email legislation was introduced in Canada, at which point a couple of future-proof tools were added to the software. In terms of the new regulations, we remain fully capable of keeping our clients at the cutting edge.
For FPS, we’re looking forward to seeing the new service when it launches, but we have been encouraged by the seeming move towards a realistic system that came out of the Fundraising Regulator’s consultation. Obviously, this remains an area to monitor, but we are keeping very close tabs.
Regarding client advisement, we have already organised some sessions for our UK-based clients to discuss some of the implications of the new regulations, and these have been well attended. In terms of our messaging, we are really focusing on three-key messages on this:
1) Internal policies – make sure you engage with the new regulations as early as possible and think about their impact on your work. The GDPR has been deliberately drafted so that it is not ‘one-size fits all’, which means that organisations have a responsibility to decide on/articulate their own policies for data protection that will be appropriate within the new framework. The balancing exercise recommended by the Fundraising Regulator (the ‘Consent Self-Assessment Tool’) is a great tool organisations should consider undertaking to look at the specific issue around consent and legitimate interest.
2) In terms of some of the more technical requirements – make sure you have a robust system and find time to test your processes, especially around responding to subject access requests, the (improbable, but possible) need to deliver data portability, and enquiries/complaints about how communications preferences have been collected and recorded.
3) Self-service – Recital 63 of the GDPR explains “where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data” and the ICO has interpreted this as being a new best-practice to provide self-service access to data and communication preference management. While this won’t necessarily be appropriate for all charities immediately (although it certainly should be for larger organisations), we are talking to organisations about how they might practically manage supporters comms preference (on- and off-line), and there are obviously several ways to approach the challenge. Regardless of the approach, aiming high in terms of self-service is bound to help as individual organisations and the sector juggle the regulatory and ethical factors driving the changes.
[/su_spoiler] [su_spoiler title=”Blackbaud” style=”fancy”] At the end of June, the Blackbaud consent and preferences management roadmap for the remainder of 2017 will be released, detailing new product development and current capabilities which are specifically tailored to enable non-profits to capture and evidence consent and accommodate other data subject rights in accordance with GDPR and the ePrivacy Regulation.
Blackbaud recognises that advanced preparation for legislation like GDPR is critical for operational continuity, which is why all new solutions and best practices will be available in time for customers to prepare for compliance.
Blackbaud have published extensive materials on GDPR on their website.
[/su_spoiler] [su_spoiler title=”Care Data Systems – Donorflex” style=”fancy”] We engage daily with our donorflex client base on their requirements to comply fully with their GDPR and Preference Services obligations.
Our close, active involvement with the Fundraising Regulator and the FPS Project team – as part of the development period that has shaped the service’s operational details – has both enabled us to ensure that those dealings with clients are current and on-point, and honed the new functionality, preference protocols and controls designed into the donorflex CRM system.
We hosted a sell-out Preferences & Compliance masterclass – with the Fundraising Regulator, Information Commissioner’s Office and the Direct Marketing Association on the top table – as a prelude to our donorflex National User Conference last September.
That enabled us to bring front-line users together in the same room as the policy-makers to share insights and anxieties at that crucial point in the preferences debate.
In March, the donorflex functionality for managing preferences in the new era was unveiled to around two-thirds of the client base at a season of nine regional training days across the UK.
At the same time, we rolled out a special data appraisal utility to clients as the first step in a process that will enable them to engage with us, individually, on the readiness of their data to meet the new preference standards.
Away from those client-specific moments, we’ve also been delighted that our standing in the preferences debate has brought invitations to speak with a supplier’s perspective on Institute of Fundraising and National Association of Hospice Fundraisers discussion panels at national conferences.
Our motivation is simple. We regard it as our responsibility to promote awareness – regularly and consistently – of the challenges that charities face in dealing with the new regulations, now and in the future.
[/su_spoiler] [su_spoiler title=”Centrepoint Computer Services – oomi” style=”fancy”] oomi already has the functionality and the framework to support the key requirements of the GDPR and we are developing oomi further to incorporate any remaining requirements.
One of the key challenges organisations are facing is managing consent with respect to GDPR. oomi’s comprehensive consent management functionality enables our clients to record the consent received for different types, channels or purposes, e.g. marketing, holding personal information, email and telephone etc. Any changes to the data are added to the Audit Log with the details of who made the change, when it was made, what was changed etc. oomi allows clients to enable security on highly sensitive data, so it is only accessed or modified by relevant personnel within the organisation. Individuals will have the right to access their data from a client’s website connected to oomi’s consent management web service. Clients can also quickly and effectively respond to individuals’ access requests using flexible report templates.
Later this year, we are releasing an update to oomi’s functionality allowing clients to mark and process individuals’ requests to be forgotten. This will allow clients to remove all of an individual’s data except that which is required for legal purposes, e.g. donations, invoices etc.
[/su_spoiler] [su_spoiler title=”Dizions – Charitylog” style=”fancy”] What are you doing to advise your clients on how they should use your system(s) to manage their GDPR requirements?
At Dizions we’re focused on making sure our clients can easily and efficiently manage any required change due to GDPR. In order to do this we’ve published a document which outlines our development to the software and how it enables them to meet the requirements of GDPR more easily. We have also organised a series of live webinars, which describe and illustrate the aspects we’ve included so far, mainly based around what items of data specific users are allowed to see.
Are you developing or planning to develop any specific functionality?
We are developing additional functionality within our Charitylog system to make it easier to manage GDPR for those organisations that need to keep track of their clients and the services they provide to them.
Phase 1 is to allow a system administrator to define what items of data a user can see, based on the projects they work on. This gives a high degree of control over the visibility of specific data fields at the individual level – different users of the system can have different sets of data fields that they are allowed to see and this can be controlled by the needs of the projects they work on.
Phase 2, which is due to be released in February, will focus on consent and how it affects the activities that can be carried out, for example whether there is permission to refer a client to a specific organisation. We’ve also developed a new product, “Charitylog Local”, based on Charitylog, which is designed to make a fully GDPR compliant system more accessible to micro and small charities.
[/su_spoiler] [su_spoiler title=”Donorfy” style=”fancy”] Donorfy is equipped with purpose-built features to enable users to operate within the regulation.
All GDPR features are available now for Donorfy users at no extra cost*.
Two Preference Centres are provided, enabling supporters’ permissions and preferences to be applied:
- Preference Centre in the Donorfy constituent form – so that members of the charity’s staff can update permissions and preferences on behalf of a supporter
- Self-Service Preference Centre widget – so that supporters can update their preferences for themselves from the charity’s website.
Within the preference centres, the following can be set:
- set Channel permissions (can Mail, Email, Phone, Text)
- set Preferred Channel
- set Purpose permissions (e.g. Fundraising Communications, News, Membership updates – admins have full control over the purposes that can be made available)
Donorfy automatically maintains a history of all changes and confirmations, including the data protection statement that the supporter had access to when making those choices (link to web page or attached doc).
Permissions and preferences are respected when making selections for comms. The user sets the purpose and channel(s) of the communication to be sent and Donorfy automatically includes or excludes supporters from the selection based on their permissions, and outputs the selected supporters according to their preferred channel.
Users can still send direct mail using Legitimate Interest regardless of supporter permissions, at their own discretion.
Data retention policies are applied according to legal requirements, best practice and customer-specific requirements.
Donorfy is hosted in Microsoft Azure’s northern Europe data centre, within the EU. This means that data does not need to travel outside the EU.
You can also see a video of Donorfy and GDPR.
* Note: the self-service Preference Centre is not available in the free Donorfy Essentials product.
[/su_spoiler] [su_spoiler title=”Giveclarity – Salesforce” style=”fancy”] Giveclarity have delivered a number of GDPR consent management solutions on the Salesforce platform over the past year [2017-2018], including Guide Dogs, Greenpeace UK and RSPCA. See http://www.giveclarity.org/gdpr.html for more information.
[/su_spoiler] [su_spoiler title=”m-hance – Dynamics 365″ style=”fancy”] We are certainly ahead of the game and that’s also according to Microsoft! We do have preconfigured functionality within our NFP 365 template and any existing clients who are using the NFP365 template can get the module as part of a current enhancement plan.
Evidence of this:
– Our first GDPR webinar was held in May.
– Thursday 11th May, we held a GDPR specific event at NCVO offices for clients and prospects, where Adapta and Microsoft talked about their view and approach on GDPR and data security.
– M-hance presented at the IoF conference on Friday demonstrating D365 and our NFP365 configuration with GDPR functionality.
– We have another GDPR webinar coming up on 22nd June.
You can download our latest eBook “GDPR Success in 5 steps: A Fundraising Managers’ guide to becoming GDPR compliant“.
Training and ongoing awareness – our NFP consultants are attending specific training courses so that we can ensure we are knowledgeable during implementations, providing the correct advice and guidance. All our discoveries now include GDPR specific workshops. Commitment is there from m-hance.
[/su_spoiler] [su_spoiler title=”Veda Consulting – CiviCRM” style=”fancy”] CiviCRM is an open source solution. Unlike proprietary software, open source software is crowd developed and therefore has a far larger pool of resource and support. More importantly, with respect to issues such as GDPR the larger pool of resource allows the product to react quickly to new requirements. This was demonstrated during the move to online Gift Aid submissions: CiviCRM was the first major fundraising software to be ready for HMRC’s new online system at the time. The added benefit was that the functionality became available to all installs of CiviCRM immediately without cost, and we would expect the GDPR work to be tackled in the same fashion, with thousands of charities benefitting from the collaborative model.
Specific to GDPR, CiviCRM is normally deployed with supporter-facing interactions, ensuring that any changes to communication preferences are reflected immediately within the database and therefore reducing the risk of communicating with supporters who have requested opt out, from the channel, group or any combination thereof. The GDPR directives have highlighted the need for security and best practice to also be considered in the overall compliance; therefore the following sections of the document detail the approach that Veda NFP consulting will be taking as well as some core enhancements to CiviCRM to ensure GDPR compliance is achievable in all scenarios.
Our role is to guide our clients through the best practices and follow our planned implementation roadmap over the coming 6 months. The GDPR guidelines do require clarification in some areas; however, we feel there is enough information to begin the process, reaching the final industry-agreed best practice in time for the May 2018 implementation deadline.
Veda Consulting have prepared a detailed document on CiviCRM and GDPR which you can download.
[/su_spoiler] [su_spoiler title=”Westwood Forster – alms.NET” style=”fancy”] We are working with our clients on an individual basis to discuss the requirements for GDPR and how it affects individuals data held in alms.NET. Our clients are at different stages of GDPR adoption in terms of their understanding and preparation so we are reviewing each one to see how far they have progressed and what their challenges are so that we can guide them.
We have developed a communication plan to include regular updates via email, our help site, blogs and gatherings for our clients to keep them up to date. We are also in communication with the ICO and the IOF to develop our understanding of the GDPR requirements which we will relay back to our clients. The GDPR relates to personal and sensitive data collected and used by organisations. Each organisation is responsible for making sure that the data protection principles for processing are met – lawful, transparent, legitimate purpose collection, accurate, identifiable to the data subject and secure whilst also keeping in mind the individuals’ rights. The current version of alms.NET – Horizon already has functionality to support the key requirements of the GDPR and we are developing alms.NET further to incorporate any remaining requirements.
Managing consent is one of the biggest challenges our clients and other charities are facing with respect to the GDPR. It doesn’t just mean obtaining consent to send their individuals direct marketing communications; it is also about obtaining consent to hold personal data. alms.NET Sourcing and Auditing functions provide organisations with the means to do this – any contact data change in the system is stamped with a date, user and description – manual or automated depending on the process from which the data was added. Our clients can view the audit trail to see what data was changed/added and when.
Several of our clients obtain sensitive data such as medical or household information as well as holding data about children and other vulnerable groups. Consent to hold sensitive data, to be profiled, or for any other requirement can be held in alms.NET against the contact. Sensitive data can be secured so that only relevant personnel in the organisation have access – this can be done at a data record or individual contact level.
With regard to consent for direct marketing communications, alms.NET provides consent against a channel (email, telephone or postal), purpose, e.g. direct marketing, campaigning, events – and the associated email address, telephone number or postal address. Where the individual has exercised their right to object, this can also be recorded here alongside the source.
When it comes to communicating with individuals, it may be direct marketing. This can be managed by consent or under the ‘legitimate interest’. Either way, the alms.NET Communication process will allow you to include/exclude individuals depending on the type of communication.
Individuals will have the right to access their data and this can be done by using the alms.NET Contact report and/or allowing a supporter portal sign on where they are able to view their information.
The main area of development is to introduce an improved function which will comply with the individual’s ‘right to erasure’.
Web Service for Consent Management
We have developed a cloud based service which enables clients either to use APIs from their web-site allowing their supporters to manage their preferences/consent or have direct access to our preference/consent service logging in via social media or email.
This service is part of our new cloud product, GiftedMatrix. A core part of GiftedMatrix is the AffiliationPoint which allows you to plug-in any people based system you have so that information can be shared and managed across GiftedMatrix. This means that existing systems can be affiliated to GiftedMatrix and can take advantage of all the services and functions available including Consent Management.
[/su_spoiler]
Microsoft Dynamics 365 and Salesforce
- Microsoft has a dedicated page on GDPR detailing how Dynamics 365 (and other Microsoft Cloud services) can help with GDPR requirements.
- Salesforce has a dedicated GDPR Compliance Page.
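Several of the responses above describe the same consent model from different angles: a permission per channel and per purpose, a preferred channel (Donorfy), an append-only history that records who changed what, when, from which source and under which data protection statement (Donorfy, oomi, alms.NET), selection logic that includes or excludes supporters from a mailing based on those permissions, a legitimate-interest route for direct mail that applies unless the supporter has objected (Donorfy, AdvantageNFP, alms.NET), and a right-to-erasure process that removes personal data while keeping records that must be retained for legal reasons such as donations (oomi, alms.NET). The block below is an added worked example written for this page by the editor; it is not code from any of the suppliers listed and does not reflect how their products are implemented. The supporter records, the purpose names, the privacy statement URL and the assumption that donation lines are the records to retain are all constructed for the example.

```python
"""Consent ledger, consent-aware selection and erasure (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

CHANNELS = ("mail", "email", "phone", "sms")
STATEMENT = "https://example.org/privacy-v2"   # assumed: statement shown when consent was given


@dataclass
class ConsentEvent:
    at: datetime
    channel: str
    purpose: str        # e.g. "fundraising", "news"
    granted: bool       # True = opt-in, False = opt-out / objection
    source: str         # how it was captured: "web widget", "phone call", "letter"
    statement: str      # data protection statement the supporter saw at the time


@dataclass
class Supporter:
    id: int
    name: str
    contact: Dict[str, str]                 # channel -> address or number
    preferred_channel: Optional[str] = None
    history: List[ConsentEvent] = field(default_factory=list)
    erased: bool = False

    def record(self, channel, purpose, granted, source, statement, at=None):
        """Append-only: a consent decision is never edited in place, so the trail stays auditable."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        self.history.append(ConsentEvent(at or datetime.now(timezone.utc),
                                         channel, purpose, granted, source, statement))

    def current(self) -> Dict[Tuple[str, str], bool]:
        """Latest decision per (channel, purpose); later events override earlier ones."""
        state: Dict[Tuple[str, str], bool] = {}
        for ev in sorted(self.history, key=lambda e: e.at):
            state[(ev.channel, ev.purpose)] = ev.granted
        return state


def select(supporters, purpose, channels, legitimate_interest_mail=False):
    """Return (id, channel, address) for each supporter who may be contacted for `purpose`.

    Default deny: a channel with no recorded opt-in is closed. The one exception is
    postal mail when the sender relies on legitimate interest: it stays open until the
    supporter records an objection (a False for mail). Each supporter is output once,
    on their preferred channel if permitted, otherwise on the first permitted channel.
    """
    out = []
    for s in supporters:
        if s.erased:
            continue
        state = s.current()
        allowed = []
        for ch in channels:
            if ch not in s.contact:
                continue
            decision = state.get((ch, purpose))
            if decision is True or (decision is None and ch == "mail" and legitimate_interest_mail):
                allowed.append(ch)
        if not allowed:
            continue
        ch = s.preferred_channel if s.preferred_channel in allowed else allowed[0]
        out.append((s.id, ch, s.contact[ch]))
    return out


def erase(s: Supporter, donations: List[dict]) -> List[dict]:
    """Right to erasure: wipe identifying data and the consent history, but keep the
    records the charity must retain (assumed here: donation lines), now linked only by
    an opaque id. The record itself stays as a suppression marker so the person is not
    re-contacted or silently re-imported from a backup."""
    s.name = ""
    s.contact.clear()
    s.history.clear()
    s.preferred_channel = None
    s.erased = True
    return [{"supporter_id": s.id, "amount": d["amount"], "date": d["date"]}
            for d in donations if d["supporter_id"] == s.id]


# Constructed sample data: two opted-in supporters (one later opts out of email),
# one objector to post, and one with no consent recorded at all.
DONATIONS = [{"supporter_id": 1, "amount": 50, "date": "2017-05-01"},
             {"supporter_id": 2, "amount": 20, "date": "2017-05-03"}]


def demo():
    t0 = datetime(2017, 6, 1, tzinfo=timezone.utc)
    a = Supporter(1, "Ann", {"mail": "1 High St", "email": "ann@example.org"}, "email")
    a.record("email", "fundraising", True, "web widget", STATEMENT, t0)
    a.record("mail", "fundraising", True, "web widget", STATEMENT, t0)
    b = Supporter(2, "Bob", {"mail": "2 Low Rd", "email": "bob@example.org"}, "email")
    b.record("email", "fundraising", True, "phone call", STATEMENT, t0)
    b.record("email", "fundraising", False, "web widget", STATEMENT, t0.replace(day=2))
    c = Supporter(3, "Cat", {"mail": "3 Mid Ln"})
    c.record("mail", "fundraising", False, "letter", STATEMENT, t0)   # objected to post
    d = Supporter(4, "Dan", {"mail": "4 End Cl", "phone": "0123"}, "phone")
    return [a, b, c, d]


if __name__ == "__main__":
    sups = demo()
    print(select(sups, "fundraising", ["email", "mail"]))
    print(select(sups, "fundraising", ["email", "mail"], legitimate_interest_mail=True))
    print(erase(sups[0], DONATIONS), sups[0])
```

Run as written, the consent-only selection reaches only Ann, by email; switching on the legitimate-interest route for post adds Bob and Dan by mail (neither has objected) but still excludes Cat, who has. After Ann is erased her donation line survives with only her id, and she drops out of every subsequent selection. The two points worth carrying into a real CRM are the default-deny lookup (absence of a record is not consent) and the append-only history, which is what lets you answer "when did this person consent, to what, and which statement did they see" during a subject access request or an ICO enquiry.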
Other Useful Resources
- ICO FAQs on GDPR for charities https://ico.org.uk/for-organisations/charity/charities-faqs/
If you represent a supplier who provides fundraising software to charities and you would like to add your feedback to this page then please email me at email@example.com.