Almost two thirds of charities have no plan in place for GDPR, finds IoF survey

29 Sep 2017 News

Almost two thirds of respondents to an Institute of Fundraising survey said that they do not have a plan in place for new data protection rules that come into force next spring. 

Sector leaders have now called on the government for more support getting ready for the General Data Protection Regulation, which comes into force on 25 May 2018.

The Institute of Fundraising has today published results from its How Charities Are Preparing for GDPR survey, which received 340 responses from charities.

Just over one-fifth said that they have not done anything to prepare for GDPR, and 40 per cent said they have started thinking, but not come to any decisions. Just 2 per cent are ready ahead of schedule, and only 35 per cent say they have a plan in place.

Nearly 65 per cent of respondents to the survey identified as ‘small’ charities with annual incomes of less than £1m. A further 20 per cent of respondents were medium-sized charities, with incomes between £1 and £10m a year, while just under 15 per cent of respondents said they were large charities with annual incomes of more than £10m.

Half of small charities unsure how to proceed

Smaller charities are more likely to be unsure of how to prepare. 

Around a third of small charities “haven’t done anything” to get ready. The survey also found that 48 per cent of small charity respondents were still undecided on whether “they’d be using consent or legitimate interest” to contact supporters by post.

Some 26 per cent of small charity respondents said “they’d only be contacting supporters when they have their consent”, and 25 per cent said they’d be reliant on legitimate interest moving forwards.

Nearly 30 per cent of large charity respondents said they would be using legitimate interest. Some 42 per cent of larger responders said they’d favour consent or legitimate interest for postal direct marketing “depending on different campaigns and activities”.

Over a fifth of respondents said they have not yet decided which approach they will take.  

‘Lack of clear guidance’ biggest challenge

In response to a question about the most challenging aspect of preparing for GDPR, over 70 per cent of respondents of all organisation size said a “lack of clear guidance” from regulators on the issue presented the biggest issue.

Internal skills, capacity and technology were also identified by many respondents as a key challenge, with more than half of those surveyed saying they don’t fell they “have the right level of internal skills or expertise in data protection” within their organisation. A further 38 per cent were “concerned about the limitations of admin/CRM systems” and the associated costs of upgrading such systems.

Nearly half of all large charity respondents said “getting a joined up approach across the organisation” was proving to be a challenge, while 33 per cent said it was difficult to get “the right support and direction from executive or board level”.

Preparations

According to the survey, respondents said discussing GDPR issues “at board/executive level to agree a way forward” was the most common action being taken to prepare by charities of all sizes. Discussing issues at an executive level received 227 responses, followed by “providing internal training for staff on data protection” with received 208 responses. External training for staff received 185 responses.

Large charities were also found to be much more likely to be “recruiting new staff to work on data protection and seek external support” from data protection experts or legal advice. Small and medium-sized charities were more likely to be “providing internal training for staff or have staff attend external events”.

In terms of practical steps, the most common ones being taken by survey respondents was reviewing privacy policies and fair processing notices. Many respondents also said they were undertaking an “audit of current practices and policies”, and had taken steps to confirm supporter preferences as well.

IoF has written to the government 

Peter Lewis, chief executive of the IoF, has written to the government's digital minister, Matt Hancock, calling for a strategic intervention. 

He said: “A large majority of charities are working to prepare for data protection changes but also that there is a clear need for much more support, especially for smaller organisations. 

“It is really important that sector bodies, regulators, and the government all step up to help raise awareness of the changes coming and to ensure there is support in place to help charities through this transition.”

The IoF plans to launch a range of support and materials in the coming months but Lewis said "we also need a wider approach across the sector". 

Mandy Johnson, chief executive of the Small Charities Coalition, said: "It does not surprise me to see that a lot of small charities have not yet decided how they are going to approach the GDPR. It is a complex regulation and there has not been enough support given to help hardworking volunteers and charity workers to understand exactly what they need to do - Small Charities Coalition are working to change that. We want small charities to be able to focus on the vital work they were set up to deliver, and be able to get to grips with the GDPR without drowning in paperwork."

Vicky Browning, chief executive of Acevo, said: “These findings accurately reflect what we’re hearing from Acevo members: they know working towards GDPR compliance is essential but many of them lack the resource and in-house skills to tackle the issue. Members from larger charities tell us they’re having to divert significant funds to dealing with the challenge, but this isn’t an option for smaller organisations. The sector is crying out for clearer guidance.”

 

More on