With international research growing in importance for many organizations, the privacy laws of the UK and the European Union have been of increasing concern. In this article, Tim Wilson of Harvard Business School discusses what these laws mean for our profession, and presents useful resources for learning more.
Panicky in the U.K.: The Impact of Data Protection Laws in the European Union
and the U.K. on Prospect Research
by Tim Wilson
I recently attended Helen Brown’s engaging and informative NEDRA program on “International Research: United Kingdom.” As a board member, I was delighted to see a great turn-out, with representation from many institutions and fields within prospect research and management, such as healthcare and higher education. Helen’s presentation focused on two aspects of prospect research in the United Kingdom (U.K.) – one being available resources, and the second being the recently enacted European Union (E.U.) privacy laws that have caused anxiety in the U.K.’s philanthropy sector, with some of that nervousness now bubbling up in prospect research colleagues here in the States.
While the privacy laws didn’t create “Anarchy in the U.K.” – a tip to the 40-year-old punk anthem – fundraisers are a bit more panicky since this legislation’s approval by the E.U. in spring 2016. Greater awareness about the data protection law and its ramifications for fundraising made its way across the pond and splashed on Yankee shores earlier this year.
Due to the complexity of the issue and implications for our industry, links are embedded in this article for additional reading. In her workshop, Helen Brown encouraged attendees to educate themselves on these regulations and prepare for how this will impact the ways in which we work and where we store data.
To start, what is this data privacy law? Its full name is The General Data Protection Regulation (GDPR), a piece of European Union legislation going into effect in May 2018. It is being enacted to thwart even the appearance – let alone the outright intent - of a 21st century “British Invasion” of any donor’s personal information by charitable organizations, corporations, or other entities in various industries. Its reach and impact are certainly wide-ranging. The GDPR’s policy predecessor had been in place since 1995, and as we know, data collection, philanthropy, and online resources have undergone a Thames River-esque torrent of transformation over the last two decades.
While the GDPR will be enforceable throughout the 28-member European Union, most of the media’s – and the philanthropy world’s – attention has focused on the GDPR’s impact within the U.K., for various reasons. The proportion of many institutions’ international donors who live and/or work in the United Kingdom (England, Scotland, Wales, and Northern Ireland), coupled with the bevy of English-language resources for researchers, in a world of limited guides for non-U.S. regions and countries), have ensured that U.S. institutions are quite curious about what’s to come, as well as what events coincided with the E.U. enacting this policy. As quick background: Public dismay over U.K. charity scandals the last few years reached an apex after the 2016 death of 92-year-old Olive Cooke, who allegedly received over 3,200 charity solicitations in a year. Sadness and anger over Cooke’s death and other bad philanthropic optics led to a staggering drop in the level of trust that people in England and Wales held in their charities.
So, what will the General Data Protection Regulation do, exactly? This regulation seeks to securely protect personal data – “names, photos, e-mail addresses, bank details, medical information,” per the E.U.’s General Data Protection FAQ website. Thus, many data points that prospect researchers have access to, and store, are protected by this regulation.
One major sticky wicket at the dawn of the GDPR era is: What will happen when the U.K. leaves the European Union, the final straw in the 2016 Brexit shockwave? In anticipation of the E.U. losing the U.K. as a member by March 2019, the E.U.’s General Data Protection website has an FAQ section addressing the Union Jack-draped elephant in the room. Once Brexit is complete, the GDPR will not have affect in the United Kingdom. The U.K. government will “implement an equivalent or alternative legal mechanisms” similar to GDPR, according to the FAQ website.
How concerned should U.S.-based prospect researchers be about Brussels-based legislation? Read this sentence from the E.U. website: “The GDPR not only applies to organisations located within the E.U. but it will also apply to organisations located outside of the E.U. if they offer goods or services to, or monitor the behavior of, E.U. data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” Gulp! That’s us!
Not jolly good, indeed!
But we shouldn’t walk around in a perpetual London fog or panic over the data protection news! In her presentation, Helen highlighted two United Kingdom-based philanthropy organizations for their excellent coverage of the data protection issue: the Factary and the Institute of Fundraising (IOF).
One of the Factary’s staff members, research director Nicola Williams, recently posted two highly informative articles (one in August, another a recap of a survey just two weeks ago) that offer cheerier assessments on our industry’s future. Looking ahead, Nicola summarized the feelings of many in Factary’s poll that GDPR “will help to promote prospect research within organisations and institutions” while making our industry “more efficient and effective” as a result of required modifications to data collection, reporting, and usage.
IOF is another stellar reference for understanding the data protection policy. Searching for “GDPR” yielded over 100 results, including the highly engaging “Get Ready for GDPR” (with graphics, PDFs, timelines, and other goodies), the A-to-Zed “GDPR At a Glance,” and the thorough “GDPR: The Essentials for Fundraising Organisations.”
As I perused these resources, I was gobsmacked by the wealth of information, all relatively easy-peasy to follow and comprehend, that describes what GDPR will do and the “Who, When, How, and Why” of its impact. I am grateful both to have these resources at my fingertips and for colleagues like Helen and the research colleagues at the Factary and the Institute of Fundraising who have devoted considerable time to understanding this privacy regulation, cleared away the Brussels-ease policy lingo, and contextualized what GDPR means for the prospect research profession.
The General Data Protection Regulation represents a sea-change in the prospect research and wider non-profit management worlds. One looming question is, “How will the EU be able to, or seek to, enforce the General Data Protection Regulation in the U.S.?” That weighty concern likely will become clearer in time. Until then, we’re left to ponder implications for our day-to-day work, such as “How will researching and collecting info on non-donors change, since non-donors may not already be in our database?” In addition, institutions may need to separate non-sensitive data from sensitive information in their databases, in order to be in compliance with this regulation.
By British calculations, we have approximately 11 fortnights (or, under six months) to educate ourselves with the General Data Protection Regulation and determine within our institutions what changes we will need to make to be in compliance. Action items can include looping in database management and advancement services colleagues to familiarize them with this impending news, as well as assessing which data points would be included in this data protection coverage. Quick-win steps include bookmarking the Factary and the Institute of Fundraising’s sites and checking them regularly for further GDPR-themed insights over the coming months.
The best of British to you…err, I mean, “Good luck!”
© 2018 New England Development Research Association