by Adrian Salmon
GDPR Clarity? In principle, yes!
If there’s one word that has been running through all discussions on the GDPR and the new fundraising regulatory regime for the last two years, it’s been clarity. Is it necessary to go purely opt-in for any kind of communication with our constituents? Is wealth screening against the law?
Most advancement professionals I’ve been speaking to over this time feel the same way — adrift in a sea of guidance notes and opinion pieces, and looking for someone to simply come out clearly and say, ‘You can do this. You can’t do this. End of story.’
Except that this isn’t the way data protection regulation works. And, although this announcement from CASE as explained by Jennie in her email appears to be a hugely encouraging piece of news, if you’re still hoping to have hard and fast answers to all your questions, you may be disappointed. Here’s why.
The current Data Protection Act and new GDPR are both examples of principles-based regulation (PBR), rather than rules-based regulation (RBR). We’re not the only sector who have had to come to grips with this concept — it’s now a model of regulation in the finance sector as well. This paper by Professor Julia Black of the LSE is a good read if you want to explore some of the strengths and paradoxes of this kind of regulatory regime.
I’d highlight two paradoxes that Professor Black identifies in her paper — the compliance paradox, and the internal management paradox. The first is that, although principles-based regulatory systems are intended to allow flexibility in the way people comply, in practice a lack of certainty around specific cases can often encourage the adoption of a very conservative compliance mind-set. I’m sure many of you will have seen that in your institutions in recent months.
The second is the capacity of our own internal compliance systems to cope with this form of regulation. “Compliance systems can be empowered under PBR,” says Professor Black, “but only if they are strong already. Research suggests that compliance systems are the least developed aspect of financial institutions’ internal systems and controls, and are not necessarily in a position to fill the role that PBR gives them.”
I suspect this may be true of our institutions too — particularly if the concept of PBR is new to our internal cultures.
Essentially, PBR requires us to take a ‘risk-based approach to compliance’. We must come to our own best understanding of the 8 Data Protection Principles and set out our approach to compliance with the highest level of clarity from our side that we can provide. And, if there is a complaint, the Information Commissioner will examine our privacy notices and practices, and make a decision. The clearer we are able to be about the uses we make of our constituents’ personal data, and the reasons for those uses, the better.
Which brings me to the quote from George Orwell at the top of this post. We should have no reason to have a gap between our real and declared aims in processing our constituents’ personal data. We are, after all, not insincere and have no need to be. We sincerely believe that it can be as great a benefit for our constituents to be in touch with us, as it is for us to be in touch with them. It is perfectly acceptable for us to want to understand who among our constituents may be able and wish to give us significant philanthropic support, who may only be able or wish to give modestly, or who may neither wish nor be able to give at all at present. It makes things easier for us and for them, and helps make the process of philanthropy a joyful one. We are not seeking to mislead or defraud anyone.
So, I encourage your approach to regulation and compliance to stem from internal capacity and relevance. By seeking the right kind of clarity — how to be clear about your own principles, rather than the ICO’s rules, your decision making will be guided by applicability and purpose.
GG+A is a proud sponsor of the CASE Europe – 2017 Regulation and Compliance Conference