Data Protection and CRM


Data Protection and CRM Graham Hewitt, The Access Group

About me. Working with NFP CRM since 2004. I am a non-technical user (no hablo SQL). I am not a Data Protection or legal advisor (but I know a couple). Starting with Introductions …

About Access Group. 20 years experience in NFP. 1,200+ charities, educational establishments, visitor attractions and membership associations use Access. “Access thankQ CRM is the single most important communication tool at our disposal and is fundamental to everything we do.” Access is a UK software business with around 1,000 staff and heading towards £100m turnover. The NFP sector is significant to us, so we have a division dedicated to the supply of NFP systems. We have over 1200 UK NFP clients. 10,000 NFP professionals use Access to manage CRM, finance, HR, payroll, business intelligence, membership and fundraising. Over 95% of customers choose to renew their relationship with us every year. Around 400 thankQ CRM clients. 67 new Access thankQ CRM customers last year. Many staff with between 10 and 20 years delivering thankQ.

CRM & other systems. Diagram labels: CRM Skills & qualifications Rostering Service delivery Events Membership Fundraising Cashbook Purchase ledger Sales Social media Mobile Email Budgeting Costing Assets P&L Analytics Employee Volunteer Customer Letters Contracts Stakeholder reports Plans Committees Recruitment Policies Appraisals & absence Process automation Real time information HMRC accredited SIGs Grants. I am going to speak about CRM today, but you hold data in a number of other systems. Data Protection is going to impact those as well.

About you Introductions

Your role. Digital & Content; Campaign Manager for Fundraising or Membership; Something else. By show of hands … what is your role within your organisation?

Your day to day objectives What do you consider your primary aim with social media and email campaigns? Measure Responses to Calls to Action? MORE WORK ON Middle Line – build & colour Encourage Stimulate Engagement Monitor Activity

Your day to day tools Which CRM does your organisation use? These are common brands of CRM in NFP. By show of hands, who uses …?

Your day to day tools Which CRM does your organisation use? There are a few others … Any used that I haven’t mentioned?

Your understanding Implications of GDPR and FPS on your CRM I would like to gauge the extent of your knowledge and understanding when it comes to GDPR, and how you may need to change what you record and how you process data in your CRM and what passes through Engaging Networks.

Personal sensitive information. The point of CRM is to touch a wide range of organisation data … and there lies the challenge. Lots of data held. Lots of points of entry.

Personal sensitive information. What do you record and why do you record it? DOB or Age? Biography – Nationality / Sexuality (Equal Opps). Risk by Association: Animal Rights, Politics, Religion, Conservation, Medical. Demographic data.

Personal Information. Diagram labels: developer events SMS API EPOS & Ticketing committees telethon advice barcode retail links mobile feedback sponsorship JustGiving API volunteers web integration alumni bulk email API link to accounts VIPs trading grants AUDDIS / SEPA CRM membership fundraising data tools finance.

Personal Information. Personal data could be held in these areas. Could include Casework? Client beneficiary data? Bank details, Age, etc.

Personal Information. What other connected systems need consideration? HR? Website (local data)? Online shop? Etc.

GDPR: General Data Protection Regulation. Comes into force 25 May 2018. GDPR: link. Let’s start with the basics.

3 pillars of the GDPR legal framework: Purpose; Lawfulness; Fairness and Transparency. The current law, and the GDPR, contain three core pillars that underpin fundraising and direct marketing.
Purpose: There needs to be clarity on what you are using the information for.
Lawfulness: It should be clear whether you need, and have obtained, the consent of the individual to use their personal information in a particular way – or you can claim ‘legitimate interest’ instead.
Fairness and transparency: When you collected personal information, it was clear how it would be used and how it would be processed – by both your organisation and any third parties that you choose to deal with.


GDPR – why comply? Avoid financial penalties. Reputation management. Effective use of data. Picture: marble columns at supreme court.

Fundraising Regulator Guidance. Fundraising & Regulatory Compliance Conference, 21 February 2017. Videos: link. Document: link.

Fundraising Regulator Guidance “Charities should also assess what impact their approach to Direct Marketing will have on any existing data management systems (for example, Customer Relationship Management (CRM) systems; databases) in order that these systems support the delivery of the agreed approach.”

ICO Guidance. GDPR consent draft guidance. Published 2 March 2017. Document: link. Consultation closes on 31 March 2017.

Impact on CRM: Consent management; Removal of obsolete data; Data sources; Managing compliance.

Consent

Consent – a timeline. 1992: Do Not Mail Y/N. Scroll sideways?? Worst case Do Not Mail ONLY. What controls of suppressions (for deceased and gone away). Improvements led to Preferences … Opt OUT

Consent – a timeline. Method: Do Not Mail, Do Not Contact. 2004: Method: Do Not Mail, Do Not Phone, Do Not Email, Do Not SMS, Do Not Contact. Reason: Incorrect Address, Deceased, Lapsed Membership.

Evolution of Preferences. 2006: Campaigns, Events, Volunteering, Newsletter, Lottery/Raffle. Suitability and Preferences - Personalisation of content.

Evolution of Preferences. Gala Dinners, Race Nights, Golf Days, Running, Cycling, Marathons, Triathlons, Fun Runs, Colour Runs, Midnight walk.

Evolution of Preferences. Newsletter: Staff News, Volunteer News, Medical Professionals, Service Users, Training & CPD, Member Interest Groups, Vacancy News.

Purposes. Campaigns, Events, Volunteering, Newsletter, Lottery/Raffle. Suitability and Preferences - Personalisation of content.

Purposes. Campaigns, General Appeals, Events, Disaster Appeals, Gala Events, Legacy, Challenge Events, Patron / Friend Scheme, Running, Cycling, Triathlon, Fun Runs, Retail News, Christmas Raffle / Lottery.

Take away action #1: Define your Purposes … and the impact on Preferences. Challenge Events: Running, Cycling, Triathlon, Fun Runs. Volunteering: Volunteer vacancies, Volunteer newsletter.

Consent. Database recording. Audit: Purpose, Preference, Method, Source, Start Date, Expiry Date, Status. Refined Preferences – very granular. Good to be specific for audience. Now – Consent model?? Specific. User interface?

Take away action #2: Database recording. Audit: Purpose, Preference, Method, Source, Start Date, Expiry Date, Status (Granted, Declined).

Access thankQ CRM Can remain in deck published after 7 March

Contact view of consent Can remain in deck published after 7 March

Self Service Preference Centre

Engaging Networks Add Gmail – self service link


Take away action #3: Build a self service Preference Centre.

Consent. 1. What do ‘opt-in’ and ‘opt-out’ really mean? “…[you] shall be able to demonstrate that [they] consented” Art 7 (1). “…the right to withdraw [their] consent at any time. [This] shall not affect the lawfulness of processing based on consent before its withdrawal.” Art 7 (3).
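One way to hold the consent fields from the database recording slide (Purpose, Method, Source, Start Date, Expiry Date, Status) so that consent can be demonstrated under Art 7 (1) and withdrawn under Art 7 (3) without losing the earlier record. This is an added example, not Access thankQ CRM or Engaging Networks code; the class names, the contact key, the sample records and the rule that the expiry date itself is no longer covered are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class ConsentRecord:
    contact_id: str              # hypothetical CRM contact key
    purpose: str                 # e.g. "Newsletter", "Challenge Events"
    method: str                  # channel: "Mail", "Phone", "Email", "SMS"
    source: str                  # entry point where the statement was captured
    start_date: date
    expiry_date: Optional[date]  # None means no expiry was recorded
    status: str                  # "Granted" or "Declined"


class ConsentLedger:
    """Append-only audit trail: a change of mind adds a record, nothing is overwritten."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        if rec.status not in ("Granted", "Declined"):
            raise ValueError(f"unknown status: {rec.status!r}")
        self._records.append(rec)

    def history(self, contact_id: str, purpose: str, method: str) -> List[ConsentRecord]:
        key = (contact_id, purpose, method)
        return [r for r in self._records if (r.contact_id, r.purpose, r.method) == key]

    def decision_on(self, contact_id, purpose, method, day: date) -> Optional[ConsentRecord]:
        """Return the record that permits contact on `day`, or None (opt-in: no record, no contact)."""
        latest = None
        for r in self.history(contact_id, purpose, method):
            # Later start date wins; on a tie the record entered last wins.
            if r.start_date <= day and (latest is None or r.start_date >= latest.start_date):
                latest = r
        if latest is None or latest.status != "Granted":
            return None
        if latest.expiry_date is not None and day >= latest.expiry_date:
            return None  # assumption: the expiry date itself is no longer covered
        return latest


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data, not taken from any real CRM."""
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("C001", "Newsletter", "Email", "Website sign up",
                                date(2017, 3, 1), date(2019, 3, 1), "Granted"))
    ledger.record(ConsentRecord("C001", "Challenge Events", "Mail", "Batch Import",
                                date(2017, 3, 1), date(2018, 3, 1), "Granted"))
    # Withdrawal is recorded as a later Declined row for the same purpose and method.
    ledger.record(ConsentRecord("C001", "Newsletter", "Email", "Self Service Preference Centre",
                                date(2017, 9, 15), None, "Declined"))
    return ledger
```

Because the Granted row survives the withdrawal, a query for a date before 15 September 2017 still returns the record and its source, which is the evidence a complaint handler or auditor would ask for.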

Fundraising Preference Service Can remain in deck published after 7 March


Inbound data. Data Entry points: Add New Contact; Website sign up; Batch Import; Email feedback and consent data; Retail Purchases; Peer to Peer; Webshops; EPOS (Gamma); Privacy Policy.

Take away action #4: Consider all of the incoming data … What is its Purpose? What is the Consent?

Take away action #5: Consider compliance reporting and audits. How much of this is applied by your system? Vulnerable to human error? How will you identify staff training issues – and non compliance? How can you demonstrate compliance?

Personally Identifiable Information

Pseudonymisation. Archiving and deleting expired data. https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-8-pseudonymization/

Forensics Audit trails and Security controls? What happened? Who had access? Who could take your data? Process in the event of a complaint? Still Notes

5 step plan
1. Review your approach to personal information
2. Review the privacy notices wherever you collect personal information
3. Review the quality of consent you currently hold
4. Review the functionality, and use, of your current CRM
5. Plan out your steps to GDPR-compliance

Data Protection and CRM www.linkedin.com/in/hewittgraham e: graham.hewitt@theaccessgroup.com