Cancer Research UK has embraced the looming GDPR regulation early as it looks to turn what could be a threat to fundraising into an opportunity to reconnect with its core supporters.
Commercial brands will find consumer perceptions dented should they introduce clunky measures to help users navigate the forthcoming EU General Data Protection Regulation (GDPR) legislation. However, this risk is higher for charities given that donations, their lifeblood, are deeply linked to supporters' prior interactions with their businesses.
Cancer Research may have begun early to ensure it meets the most disruptive changes under the GDPR directive, namely the need for people to opt-in to all communications. But, with mere months to go until the deadline it is still working to ensure patrons are placed front-and-centre as it edges closer to compliance with other stipulations set out
Speaking to The Drum in December, six months ahead of the May deadline, the brand’s director of brand marketing Jo Cooke – who spearheads fundraising and health marketing – relayed how any changes implemented as a result of GDPR could come to impact supporters’ experiences.
“The most important thing for us to be aware of is how we put our supporters at the heart of everything we do,” she said, explaining the charity is now only able to contact consumers who have given it specific permission to do so.
When it shifted towards opt-in marketing in 2016, it recognised that it could lead to a short-term dip in fundraising, but said over time it should swing the other way as it honed on those who expressed a desire to be contacted.
“That [decision] was really driven by our desire to provide the best possible supporter experience,” Cooke added.
“We’re taking that tenet into our approach to GDPR. The organisation as a whole is very focused on it, we’ve got a team of people working across it all to make sure that we are delivering where we should be but also making sure that the supporter sits at the heart of that.”
Indeed, consent, is only one aspect of GDPR. Other key components include the ability of the Information Commissioner’s Office to levy fines on organisations for data protection breaches of up to 4% of their turnover or €20m (£18m), whichever is larger as well as limitations around automated profiling of individuals, Another major factor for charities like Cancer Research is training volunteers as they would employees around accepted data processes.
To ensure it is up to spec on these, Cancer Research has enlisted an internal cross-functional GDPR team. The multi-disciplinary group, comprised of 15 individuals, includes project manages and business analysts, and is supported by subject matter expertise with staff from data governance, information security, legal and tech.
Overseeing this initiative is a steering committee of decision makers, which alongside the charity’s compliance board provides permanent governance to data compliance.
Both of these groups are chaired by the organisation's chief financial officer – a role which Cancer Research UK is looking to fill since the departure of Ian Keynyon at the end of 2017. The initiatives are also led by head of data governance in Zoe Rowland.
The ICO itself has also set up an advice service to help charities and other businesses ensure they’re GDPR ready, and has been releasing guidance over a period of time about the different requirements of GDPR.
At the end of last year, Ilja de Coster, a fundraising data strategist at Amnesty International, warned charities that one GDPR fine could put them out of business.