The Key to Understanding GDPR

Data protection law heralds opportunities for enhanced fundraising and engagement in Europe and beyond

By Kerry Rock

New European privacy rules, effective May 25, 2018, require nonprofits to let donors know what kind of data they're collecting and how they plan to use it. The regulations apply to institutions anywhere in the world that have European alumni, donors, supporters, or prospects. 

The new General Data Protection Regulation (GDPR) rules may seem complicated and cumbersome, but they give us the perfect opportunity to get our institutional data protection houses in order. The basic tenet of GDPR is that organizations should have a privacy-by-design approach, which puts data privacy considerations at the forefront of all operations. A strong, open, and honest relationship with donors is at the heart of good fundraising. The way university fundraisers handle the personal data of alumni and other supporters is key to cultivating confidence and trust. It's something we all should want to do well—privacy by design should be our natural state. It's just that we now need to document how we do it in our fundraising systems and processes.

That is what's great about GDPR. Because we have to better communicate what we do with data we collect, GDPR affords us an opportunity to educate our constituents about the role of philanthropy in our missions. The principles of GDPR—including the idea that the data we gather should be accurate, relevant, and minimal—force us to think about the information we really need, which should improve our efficiency and effectiveness.

The ABCs of GDPR

Charities must have a legal basis to process donors' data. There are six grounds to do so under GDPR, but the two that you can generally use for fundraising and prospect research purposes are:

  • Legitimate interest: Organizations must demonstrate that they have a legitimate interest in a person's data, show that the processing is necessary for that interest, and balance it against the rights and reasonable expectations of the individual. You are making sure that your supporter is being treated fairly and in line with what they would expect. A legitimate interest for prospect research may include understanding whether a person has the means to support an organization's charitable cause and assessing their likelihood of donating. In defining a legitimate interest, you need to make a good case that the data processing is necessary: How much income is derived from the major donor program and the research that supports it? How would its loss affect your ability to achieve your objectives? 

  • Consent: Organizations can process personal data if the constituent has given permission. Some activities absolutely require consent, including marketing emails and certain telephone calls (in the U.K., that requirement comes from the Privacy and Electronic Communications Regulations, which apply alongside GDPR). Consent under GDPR is granular—that is, you can't lump a number of activities together and get consent for all of them. You need specific consent for each activity and dated proof of that authorization. 

Demystify Fundraising

Whether relying on consent or legitimate interest, nonprofits need an updated privacy notice that articulates all the ways they may use an individual's personal data. In plain, straightforward language, the privacy notice should explain, among other things, the type and source of data being collected and how data subjects can opt out. Being open and transparent with supporters is an essential element of compliance. It is also exactly what we as fundraisers need to do to build good relationships.

Since we're required to review and update our privacy notices, we can use the opportunity to communicate how we gather data on donors, what we are doing with it, and more important, why we are collecting it.

Fundraisers worry that donors will be alarmed to learn that we hold data on them that they didn't supply. Fundraisers are also concerned that donors will shut down queries if they know that we use third-party companies to research their wealth, business ties, and charitable and social interests. Research service firm WealthEngine has shuttered its U.K. office, and some fundraisers fear that GDPR is the end of prospect research. However, this is our chance to explain to constituents that "we need to understand you better as a donor." Describe the impact that efficient fundraising will have on your university's ability to provide better teaching facilities, groundbreaking research, and support for disadvantaged students. Stating the purposes for which you use personal data is a legal requirement, but it is also an opportunity to deliver the message in a positive and open way.

We shouldn't fear the worst. Major donors expect you to do your research before approaching them for a gift. Among the numerous studies to demonstrate this are the findings from donor interviews in Richer Lives: Why Rich People Give by Beth Breeze and Theresa Lloyd. In it, the authors explain: "Donors feel that fundraising has become more professional over the past decade, especially in terms of the right research being conducted before approaches are made, and a better understanding of how different donors might want to engage with causes."

Focus on What You Really Need

Just because donors may expect to be researched doesn't mean we have free rein. GDPR forces us to ask questions about what information we collect on people and why. As a fundraiser, are you asking prospect researchers to provide information that is not at all relevant to the issue at hand? If you're asking a donor to support Alzheimer's research, for example, how helpful is it to know that the donor owns three border collies? Are you collecting data that you shouldn't, such as information on health or religion? Under GDPR these are "special category" data, and processing them requires an additional, specific condition beyond an ordinary legal basis. Do you request or complete a full profile when all that's really needed is a short biography and an indicator of wealth?

We also need to think about how long we hold on to data. Maybe you have a profile of a donor or potential donor from five or 10 years ago. Is that information still relevant? You will need a data retention policy to comply with GDPR. From a prospect research perspective, fundraisers should think through the information they need at each point in the solicitation. This helps uphold the principle of data minimization and frees up room for more effective and targeted research.

The key is understanding the background information you need about your prospect at each stage of the process. At the discovery stage, a brief evaluation of wealth, connection to the charity, and basic biographical details are enough to decide if someone belongs in the major donor pool.

As relationships develop and opportunities to ask for major gifts emerge, you'll want more details about donors' business and philanthropic interests. You need the right facts to assess their capacity and propensity. Data on family might also come into play, but it must be relevant.

When it comes to the ask and the decision to accept, it might be time for more heavy-duty research. You need to know what capacity potential donors have to make a major gift and, on the other side, be confident that it is a gift you can accept. How did they make their money? What are their business interests and connections? At this stage, in-depth due diligence is essential, and in the U.K., it's also a regulatory requirement.

By staging your research and clearly linking it to specific junctures along the solicitation cycle, you can demonstrate that you are a data minimalist and that you understand the data you are using. You are taking a privacy-by-design approach.

The updated data protection law is heralding new, more donor-centered fundraising. While fundraisers will have to overcome short-term hurdles, we can see a future that achieves the principles of robust relationship fundraising.

For more about GDPR, see the U.K. Information Commissioner's Office website.

Road to Compliance

Under GDPR, institutions must establish a legal basis for collecting, holding, and processing data about their European alumni and donors. Most educational institutions will do so in one of two ways: by establishing a legitimate interest in the data or securing the consent of alumni. Here's how two institutions approached compliance using these options.

Legitimate Interest
Brunel University London

Brunel University London has 133,000 alumni and donors worldwide. Figuring out how to get each of them to give the university permission to hold and process their personal information, including conducting wealth screenings, seemed overwhelming. The development and alumni office was short-staffed, with only five of seven positions filled. "We didn't think that a full-blown marketing campaign to ask people to opt-in to all data processing was feasible," says Jessica Kath, senior development and alumni research officer.

Another challenge: GDPR goes into effect in May 2018, but the guidance on how to comply wasn't complete. Brunel wanted a system that allowed it to be flexible. Instead of asking every alumnus for permission to process their data, Brunel determined that what it needed and wanted to do with alumni data met the criteria for using legitimate interest as the legal basis for processing alumni information.

How It Works
To rely on legitimate interest, institutions must carry out and document a legitimate interests assessment: identify the purpose of the processing, show that handling alumni data is necessary to achieve it, and weigh that need against the privacy rights guaranteed under GDPR. The assessment records the organization's purpose and why alumni data is necessary to institutional objectives. It should be kept available for review in the case of complaints or audits from the Information Commissioner's Office.

Upside to This Approach
Skipping the opt-in campaign means Brunel is not forever excluded from communicating with alumni who didn't respond or give their permission to be contacted.

"Having the legitimate interest assessment is a good exercise," Kath adds. "It served us well in thinking through and recording what we're doing and why we're doing it." The legitimate interest summary, prepared by Brunel's Development and Alumni Relations Office, notes that under its "charitable purpose as an education provider, we fundraise to support students and the work of the University." The summary also notes that the office is focused on the "employability of alumni" and lists activities to further that goal, such as providing career support, networking, mentoring, and other opportunities.

Legitimate interest only covers some uses of data. "It's not just that we say, 'this is something we need to do,' and then we can do it," Kath says. "Communicating is another piece. The risk of this approach is that email, text, or phone campaigns still require an opt-in from alumni, which we must gather and record. Consent is still required for the majority of the communications one would traditionally send out of our department, so we have to be extra careful about the content and methods in which we contact our alumni."

New Policy
All institutions, including those that establish a legal basis for collecting alumni data through legitimate interest, also have to update their privacy policy notices in plain language—no legalese—so that alumni know what kind of data is being collected and how they can opt out of the system.

Brunel's privacy policy clearly explains that the development and alumni relations office conducts wealth screening and research to help the university understand its alumni and donors, gain insight into their philanthropic interests, and gauge their ability to support the university. Some fundraisers feared donors would be alarmed to learn about wealth screening after the university widely distributed the plain-language privacy policy update via social media and the university's magazine. But Kath reports that "we have seen no measurable change in the way our constituents contact us with updates or unsubscribe from our mailing lists. It has had much less of an impact on our day-to-day interactions than we anticipated."

The university established a GDPR taskforce, headed by the institution's data protection officer. In addition, Kath's office created a working group in summer 2017 to tackle the issues specific to fundraising that would not have otherwise been covered by the universitywide preparations. The group will review everything and have a plan in place this spring.

Final Thoughts
Kath recalls a major U.K. charity conference presentation about the opt-in approach. The presenters talked about losing donors but noted the remaining ones would be more engaged. "That's great for a massive charity, but as a university we are required to hold records on and have a potential relationship with anyone who's graduated from the university, because that's a lifelong relationship," Kath says. "We've approached it in a different way for that reason."

Edinburgh Napier University

The sourcing on alumni and donor records at Edinburgh Napier University in Scotland was lacking. Did the contact information on an alumna come from her parents? Did the information on an alumnus get transferred from the student records system or come from a third-party service? Did the university have permission to hold the data on these alumni? In order to comply with GDPR, Edinburgh Napier decided to seek consent from alumni, donors, and other constituents to contact them and process their personal data.

"We thought that with everything that's changing, consent was going to be the way forward for us," says Stephanie Miller, operations and support engagement manager in the Office of Development and External Relations. "It's going to let us target our resources and focus on the people who have stuck their hand up and said they really want to hear from us."

From November 2017 to May 2018, the institution is running an opt-in campaign to get constituents' permission to process their personal information and contact them for events, university news, volunteering, and fundraising, among other things.

The Campaign
To get alumni to opt in, Napier was clear about the benefits of staying involved. In a video and print campaign, five alumni shared stories about their relationship with the university and encouraged their peers to keep in touch and find ways to give back, such as becoming a mentor or giving a guest lecture. A recent issue of the alumni magazine, which went out to 56,000 people, featured a story about the opt-in campaign. An ad on the back cover told alumni, "Don't let this be the end." Napier is promoting the campaign on its website and social media with #OptIn, #GDPR, #OurGradsAreAmazing, and #GlobalNetwork. When it ends, Miller says, "we'll do a little postcard reminder that they need to let us know what their preferences are if they want to keep hearing from us."

Campaign Goal
Napier has records on 73,000 people, but its opt-in campaign is focused on already engaged alumni—people who have updated their contact information, given money, volunteered, opened email from the university in the past three years, or responded positively to a telefund call regardless of whether they gave. People meeting those criteria total 16,700, or 22 percent of the database.

Upside to This Approach
"We're not going to be spending time and energy sending things to people who don't care," Miller says. "What we'll end up with is, sure, fewer people we can contact, but they'll all be people who are actually committed and want to be involved."

At the end of the campaign, under Napier's consent-based approach, if an alumnus has not given explicit permission to be contacted, the institution will not call, email, or send postal mail. The prospect of not being able to reach the other 78 percent of the database, Miller concedes, is "a little bit scary."

Other Strategies
Napier has been collecting consent during all telefund calls over the past two years. Soon-to-be graduates seeking to participate in commencement have to fill out an online registration form, which will now have opt-in questions.

The institution's governance office created a universitywide data-management working group to address the different areas of the university that deal with people's data. All 13 members of the development and external relations office have played a role in crafting the internal policy for holding and using alumni and donor data. Video and photo production cost about £8,000. "Other than that, it's really just staff time," Miller says.

As of January 2018, Napier received 6,144 opt-ins, putting the institution at about 38 percent of its goal.

Final Thoughts
"People aren't going to forget where they went to university," Miller says, "so if they've told us that they're not interested in hearing anything right now and then they change their mind five or 10 years later, we are still going to be here." TC

Key Takeaways
1. GDPR applies worldwide

Whether you're an alumni director in New York or a fundraiser in Sydney, Australia, if you're trying to communicate with an alumna in Europe or conduct wealth screening on a prospect there, the law applies to your institution. "We would face the same fines," says prospect research consultant Helen Brown, referring to U.S. institutions. "Those fines aren't small either. They can be up to €20 million ($25 million) or 4 percent of annual global turnover." The maximum is whichever of the two figures is higher; annual global turnover refers to the revenue, including fundraising income, that an organization makes from its various worldwide operations.

Brown, the principal of the Helen Brown Group in Massachusetts, doesn't think the fines will go that high but predicts some penalties will be assessed to ensure that institutions are complying. How would a regulator know? A constituent could complain about an unapproved communication, or regulators could proactively check that every organization has an updated privacy policy on its website.

2. Get your data house in order

Alumni and donors have the right to access, correct, and limit what you do with their personal data. They can request deletion of their personal data. Let's say a person has asked to be forgotten, but the message didn't reach the athletics department, which maintains a separate database on previous ticket-holders, or another institution-affiliated program that has the person's contact information.

"You can't forget what you don't know. Organizations don't know all the data they have on you," says David Lawson, co-founder and CEO of NewSci, a cognitive computing company that offers insight into data. "You have to get more involved in your data in order to govern it better." Institutions that can't control their data are at risk of committing inadvertent infractions, which is why Lawson suggests advancement take a seat at the university-wide data protection table.

Brown advises institutions to "conduct a data-mapping exercise to determine what they have, where they're holding it, and how data is being processed." She also suggests institutions brush up on what information they're allowed to keep. "On a profile, we might put what someone's religion is. In Europe, that's not something that you're allowed to track unless you have a legitimate interest to do so."

3. Prepare to give donors what they want

Not only can donors see what's in their file, they can take the data with them. A "subject access request" entitles donors to know what information is held about them, why, how it was obtained, and who has seen it. While this right is not new, the updated rule is a good reminder to be careful about what you put in donors' files. They may not look kindly on notes about their mental status or impending divorce.

"I think we would all be shocked or offended by some things mentioned in our notes if they were said about us," says Stevie Michelle Cline, senior development executive at the American College of Obstetricians and Gynecologists in Washington, D.C. "I believe we owe it to our supporters to have a great deal of discretion."

Given the amount of media attention around fundraising and GDPR, Laura Owen, a prospect researcher for the U.K. anti-poverty group Christian Aid, says she wouldn't be surprised to see an influx of people wanting to know what data are held on them. She predicts GDPR will force researchers and fundraisers to be more conscientious about what they're gathering and how. Fundraisers will be asking themselves: "Did I get the information in an ethical way? In a way that isn't intrusive? Would this individual be surprised that I have this data? If they are surprised, can I explain where I got it?"

"We've got to be mindful," she adds, "that we're collecting data that people won't find intrusive, surprising, or offensive."

Toni Coleman

About the Author

Kerry Rock is director of business development at Prospecting for Gold.