A few months ago we asked voluntary sector employees to take our survey about the life after GDPR. We are grateful for all the responses and are excited to publish the summary of findings from the survey. Please read the key points below and download the data charts attached:
- GDPR has taken a lot of time, resource and energy
89% of respondents agree or strongly agree that it has taken a lot of staff time to become GDPR compliant. On top of that, we saw 75% agreeing or strongly agreeing that it has taken a lot of money and/or resource to become compliant; so it is hard not to see the total investment in time and resource in GDPR as one of the major downsides of the new regulations. It’s ironic that when people complain about charities spending time on ‘admin’, EU legislation is one of the major drivers of this.
- Many think it has been an opportunity to get their data protection house in order
The good news is that respondents did think that GDPR had been a good driver to get their data protection house in order – 70% agreed with the statement ‘GDPR has really helped us get our data protection policies in order’, and 60% agreed that staff had a good understanding of the new processes. Whether this is sufficient benefit to warrant the investment of time and energy is another matter.
- Few sense that GDPR has improved charities relationship with stakeholders or beneficiaries
We also asked respondents whether they thought that the whole process has improved relationships with either supporters and beneficiaries. Less than 20% agreed that it had in either case, and just 1% strongly agreed that it had improved relationships with beneficiaries. Our qualitative research showed that donors welcomed being put in control of their communications, so there is a mismatch between how charities and donors see the situation.
- Access to databases has shrunk, especially for phone
We asked survey respondents how much their access to supporters through post, email and phone shrunk as a result of GDPR. The reduction in access is quite shocking. Only 38% of respondents said they had the same access as before GDPR by post, 31% by email and 21% by phone. Nearly 40% of respondents said they had seen email access shrink by over 25%, and the equivalent figure by post is just over 20%. That is a lot of donors and supporters to have lost access to – in some cases representing an investment of a lot of money to recruit them in the first place.
- Documenting suppliers and reviewing contracts top list of difficulties and challenges
We provided a list of challenges, and documenting suppliers topped the list with 36% saying it was extremely difficult or quite difficult. Reviewing contracts with clients, suppliers, external agencies and employees came next on the list, followed by conducting GDPR impact assessments. The good news is that appointing a Data Protection Officer was seen as the least difficult task - though it would appear that getting them to do a good job might be a little bit harder, with 26% saying it would be either extremely or quite difficult to train staff on data protection and GDPR.
- There was big variation on the basis of consent used for the same stakeholder groups
‘Legitimate interest’ was the single most frequently used form of consent with nearly 20% using it for every audience we talked about. 50% of survey respondents used to contact donors specifically. However, ‘consent’ was also widely used, for example to contact 62% of donors, and 48% of volunteers. At the other end of the scale we saw ‘vital interest’ and ‘public task’ being unused by 83% and 91% of survey respondents respectively.
- Four types of consent have more than 10% of charities using them for donors, staff and volunteers
One intriguing finding was how inconsistent the basis for consent used was for different stakeholder groups. For donors, the forms of consent were ‘consent’ (62%), ‘legitimate interest’ (50%), ‘contract’ (11%) and ‘legal obligation’ (11%). Similarly, volunteers saw the forms of consent as follows: ‘consent’ (48%), ‘legitimate interest’ (39%), ‘contract’ (16%) and ‘legal obligation’ (10%). It is troubling that the same audiences can have such variation in the routes to consent, not least because legitimate interest is a much less onerous and more reversible form of consent than actively getting people’s consent.
- Supporters and donors dominate the groups that have been in touch about data
Supporters and donors are the groups who are mostly likely to have been in touch about how a charity uses their data. The most common request is about having personal data removed from a charity’s database (at about 30% getting in touch) followed by objections to the use of profiling and the like. However nowhere in the comments did we get the sense that the level of requests was overwhelming.
An interesting takeaway from this report is how much charities' access to supporters through post, email and phone shrunk as a result of compliance. Were those lost contacts really likely to have been committed supporters?
Interesting article, but of course legitimate interest and contract aren't routes to consent, they're grounds for data processing! Might be worth updating the article. Only consent is consent!
Many of our 'lost contacts' had not been actively engaged with for several years so probably not that committed. For the Fundraising Regulator consent is the Gold Standard which we used for the Development Office and although reduced in numbers it gives confidence that the data has meaning.