There is no doubt that the new European Union General Data Protection Regulations will have a significant effect on all types of organisations that operate within the European Union or work with organisations based there. Worryingly, a Chartered Institute of Marketing and YouGov poll has made clear that just 11% of organisations have systems in place to ensure that they are compliant with the new regulations.
Steps are being taken, however, and the Information Commissioner’s Office has recently published draft guidelines on the subject. There have been calls, though, from the charity sector, which the new regulations will affect in a significant way, for the ICO guidance to be much clearer and less fragmented if charities are going to be able to prepare for and implement the General Data Protection Regulations completely by 2018.
The new GDPR regulations are being implemented at the same time across Europe. Whilst many of the new regulations are already part and parcel of the laws of countries like Germany, many of the practices identified as unacceptable under GDPR are commonplace in the UK. Therefore, whilst for some countries implementing GDPR will be a relatively straightforward process, for organisations in the UK, and especially charities, it represents a cultural shift and one that they do not have much time to make.
This week has seen both the Institute of Fundraising and the Direct Marketing Association warn that the Information Commissioner’s Office’s guidance on the new General Data Protection Regulations could have a significantly harmful impact on charities and the third sector in general. The issue that the Direct Marketing Association has highlighted is the section of the ICO’s draft guidance that says that organisations “must ask people to actively opt in” and that they should not “use pre-ticked boxes, opt-out boxes or default settings”.
The Direct Marketing Association argues that this interpretation of the GDPR is a misrepresentation of the actual regulations, which state that “Silence, pre-ticked boxes or inactivity” do not constitute consent. The difference, although seemingly subtle, could have an immense impact on charities and others in the third sector. Commenting on this, the DMA have said: “The potential impact of the implied ban on opt-out consent could be significant for many businesses, but particularly those in the third sector.”
The Institute of Fundraising’s concerns also include the confusion over what constitutes opting in or out. More generally, they have said that the draft guidance needs to be much clearer for charities, and they have warned that many charities may simply not have enough time to prepare for the new regulations by the time the ICO’s final guidance on GDPR is published. The Institute of Fundraising has called for a transition period to be introduced to give charities and those in the third sector time to implement GDPR properly, and for some charity-sector-specific guidance on certain areas to be published in the final version of the ICO guidance.