Some great questions
about CRM, Members and Databases, including USA!
QUESTION
I am planning to write to all members… but what about the
people who have given gifts – anything, big or small. Since January 2018 we
input their details into our new CRM (name, address, amount given) even if they
are only one-off donations. Do I have to go to them and say their info is
stored on our database?
SHORT ANSWER
Yes
LONG ANSWER
You need to explain how you keep people’s data private,
safe and secure. It would be wise to do this in a comprehensive document,
agreement, contract or membership form that covers everything in one place
where possible.
See also previous Q&A which are relevant
http://gdprjersey.blogspot.com/2018/01/sports-clubs-do-i-need-privacy-notice.html
QUESTION
When we receive notification that someone has made an online
donation, is it ok to email them and thank them directly (rather than just the
automated thank you that goes out)?
SHORT ANSWER
Yes
LONG ANSWER
GDPR does not stop emails, letters, thank-you notes or other correspondence.
You can send a personal or an automated reply. GDPR is about how you keep people’s data private, safe and
secure. So sending an email “Thank you Mr Jones for £50000” is fine, but writing “Mr Jones gave us £5000, and here is
his email address” is not!
QUESTION
I have checked with our CRM hosts, Blackbaud (eTapestry),
about where the data is held. When sending out the letters to members, should I
get explicit consent that they are ok with this….?
Our eTapestry data is hosted in either California or
Boston. Blackbaud are certified under Privacy Shield, which replaced
the old Safe Harbour Agreement. You can find out more information on this
here: https://www.blackbaud.co.uk/privacy-shield
ANSWER
This is messy because, according to many, the US Privacy Shield will
NOT be acceptable under EU GDPR, and there are real doubts and concerns about the use of
US systems. So much so that many US data businesses (e.g. DropBox) are actually
moving their services to Europe to comply!
In this scenario you are the data-controller and Blackbaud
(eTapestry) are the data-processor. You are responsible for their actions!
See also previous Q&A which are relevant
You have to take a risk-based decision, and you have to
alert your customers, members, users (whoever’s data is being put at risk) to what
decisions you have made and what measures you have taken. In most cases there
will be a GDPR-compliant alternative.
If the data is simple name and address, and the business is
reputable, with good security and so on, you may be OK, provided that people fully
understand and agree to the risks. If the
data is sensitive or high-risk you may be wise to find another supplier who is
GDPR-compliant.
However, you still have the issue of how you and they work
together in the event of a subject access request or a breach notification. Do
they have procedures and processes to satisfy this need?
Don’t rely upon people being reputable – most of the big
data breaches are by household names!
A final thought – what if it was your data? What if your
name, email, address and other (possibly sensitive) data was in a place that was
not private, safe or secure? What if that data was lost or stolen? What would
be the impact?
FURTHER ADVICE AND SUPPORT
If you need more specific support (for example a meeting), I
know the Jersey Community Partnership and Association of Jersey Charities are
looking to co-ordinate some resources with various local suppliers. Where
necessary, grant funding may be available.
USEFUL LINKS
Jersey Data Protection Association
There is a list of Jersey Data Protection events here
For a general understanding of GDPR I highly recommend the
guidance of Jersey’s Data Protection Authority