APRA Connections
Consent and Ethical Data Storage: What Can We Learn From GDPR?
Data Science · Ask the Ethicist
By The Apra Ethics & Compliance Committee | May 29, 2025

What is GDPR, and how does it affect us as prospect researchers and prospect managers? How does it affect our fundraisers or senior leadership? Does GDPR affect those of us based in the U.S. or just global organizations? What policies do we need to create to accommodate GDPR?

According to the Chartered Institute of Fundraising in the UK, the General Data Protection Regulation (GDPR) is an EU-wide regulation that came into effect in the U.K. on May 25, 2018. It replaced a previous law on data protection (the Data Protection Act of 1998) and gives individuals more rights and protection in how their personal data is used by organizations.

The key areas to keep in mind for our work as PD professionals are consent and personal data storage:

  • Consent: Opting In or Opting Out?
    • For any fundraising or direct marketing activities, you need to get consent.
      • This means that whenever you collect and use an individual’s personal data — including their name, contact information and any other information about them (even if you are just holding the information in your database) — you need consent.
      • This requirement includes all methods of communication: writing to someone, sending an email or calling on the phone.
    • Has the potential donor/individual given their consent by taking a positive action to opt in?
      • Under the GDPR, to get consent from an individual for direct marketing, the individual must take some form of unambiguous positive action that shows they are happy to receive future communications.
      • That action must be separate or additional to the act of donating.
      • So, consent means that the individual has taken some form of positive action to ‘opt in.’
      • Consent can be a check box, a written communication or even a spoken message — there is a spectrum for it!
    • Then it gets even more complicated: what about “legitimate interest”?
      • Under the GDPR, there are different legal conditions under which direct marketing can be sent to an individual.
      • Legitimate interest enables you, in certain circumstances, to be able to send direct marketing to an individual without having their prior consent.
      • But if you use legitimate interest, you will also need to ensure that they have the opportunity to say ‘no’ or object to future direct marketing, which is often done through an ‘opt-out’ tick box.
    • Strategically, each organization needs to decide whether it wants to go the opt-in or opt-out route.
  • Data storage and timelines: How long will we keep donor or potential donor information?
    • GDPR does not set out any specific time limits on how long consent lasts or for how long you can use legitimate interest. This will depend on your purpose for processing the data and what you have told the individual about why you need to process that data.
    • Personal data must only be kept as long as necessary to fulfil the purpose for which it was processed.
      • Think carefully about the reasons you may need to process an individual’s data.
      • Let the individual know what those reasons are, usually either at the point of seeking consent — or in the case of legitimate interest — in privacy information provided to the individual about how their data is used.
      • Stop using the data if your original purposes for processing it no longer apply, or renew your consent or update the privacy information you send to the individual under legitimate interest if your purposes change.
      • You also need to give people easy opportunities to withdraw their consent or to stop hearing from you, and keep it under review to make sure your purpose for contacting them hasn’t changed.

We may not have all the answers, but these are the key principles regarding consent and the storage of personal data that prospect research should consider. It's important to make these decisions in advance and have policies in place within your team and throughout your organization:

  • Does your organization have a privacy policy?
  • Does your organization have a data retention policy?

What other questions do prospect development professionals have about GDPR? Contact the Ethics & Compliance Committee at ethics@aprahome.org.
