How Cancer Research UK is preparing for GDPR
In the first of a new series on how marketers are approaching the new EU data regulations, we talk to Cancer Research UK about its preparations and the opportunities around GDPR.
There are now less than nine months to go until the EU’s General Data Protection Regulations come into force and yet many marketers are still in the dark about the potential impact.
Research released just last week by the World Federation of Advertisers found 70% of brand owners do not feel marketers at their organisations are fully aware of the extent of the laws, and just 65% expect to be fully compliant when the GDPR comes into force in May 2018.
Cancer Research UK, however, is one of the brands well on the way to ensuring they will be compliant come May. It was one of the first UK charities to shift strategy so supporters opted-in to receive communications, rather than having to opt out. That is just one sign, says its director of individual giving Graham White, of the importance of the upcoming laws to the charity.
“At CRUK we take things in terms of our supporters and their wishes very seriously,” he tells Marketing Week. “We don’t see this so much as a revolution as an evolution of what we’re already doing. We’ve got stringent processes, governance and controls that exist and awareness around how we handle data. This isn’t a bolt from the blue.”
Preparing for GDPR
Nevertheless, the charity says it still has work to do to ensure its GDPR-compliant come May. With this in mind, it has formed a cross-functional GDPR team and a steering committee that oversees all of its marketing work from a governance perspective.
The working group is headed up by the charity’s compliance boss, whose job it is to understand the regulations. She then has a team from across the business that looks at the regulations and works out the implications for their department and ensures there is enough resource to make the changes – when it comes to marketing and fundraising, this is White’s job.
Ensuring GDPR compliance also involves a lot of conversations with internal teams as well as external suppliers. White says the a lot of the work the charity is doing is around educating staff so that everyone is clear on the importance of GDPR and its likely impact.
The charity is also undertaking audits so that it can see where it might need to change practices and identify any issues or shortfalls, and understand what the implications might be for changing those. Training is also a big focus to ensure everyone in the business knows what they are doing.
It is going to cause us some challenges, of course, but actually the way I see it is it will make us more efficient because we’ll be talking to the right people.
Graham White, CRUK
“Essentially it is finding out what we need to know, making the changes and then making sure people are properly trained on it. The GDPR message is being very clearly communicated from the senior team to everyone here so that everyone is on board and when it comes to making time for doing this, it is a priority,” he explains.
“I can’t tell you that everything is hunky-dory yet but I can tell you that the processes we have in place will get us there.”
Putting supporters first
There are also more specific processes CRUK is working on. It has already gone opt-in so the issue of consent is well on the way to be covered. But White admits there is more the charity wants to do on giving supporters access to their own data. At the moment people can update their details but they have to call the charity. It is now working on something that is in the early stages that will “vastly improve access” online.
“By giving them better access we truly are putting their wishes at the heart of what we do,” he adds.
It is also looking at how it communicates to supporters around how it uses their data. White says there is a lot of misunderstanding here made worse by the issues that plagued the sector two years ago over Olive Cooke – a pensioner who killed herself after being hounded by letters asking for donations.
A lack of transparency isn’t the case at CRUK, White claims, but he admits it needs to be more “up front” in the way it communicates with the public.
“It is going to help all the teams here to talk to the people that want to hear from us, which should make us more efficient. It is going to cause us some challenges, of course, but actually the way I see it is it will make us more efficient because we’ll be talking to the right people.
“We need to get money to fund research to beat cancer sooner and we do that by talking to millions of individuals. There is appetite for a huge number of people to show support for the cause in this way, it’s not that we are looking at a closed door. It just means that we need to be as transparent as possible.”
One of the big challenges has been that the UK’s Information Commission Office still has not clarified its thinking on every area of GDPR. White says the key here is to ensure an open dialogue with the organisation so that it knows the charity is trying to do the right thing.
READ MORE: Marketers call for ‘clear and consistent’ guidance on GDPR
“In simplistic terms it’s about making sure we understand what is in their heads,” he says. “If we don’t get clarity from the ICO and then we do something they deem to be in contravention there is a chance we could get fined even though we are trying to do the right thing.
“Like any regulations they can be misunderstood or misinterpreted. So we need the ICO to see we are working to get things right.”
Yet overall, White believes the impact of GDPR on CRUK and marketing in general will be positive.
“It will create more trust in marketing, especially in charities. And it will make marketers grow up and be responsible with the data they have. Not that they aren’t grown but they need to understand that they have to be conscious with what they are doing with people’s data now,” he concludes.
“People should know it is the law that we have to do these things and anyone that doesn’t will be found out. They should then have more trust in knowing that when they give people their data how it will be used and a stronger voice in what they give and how it gets used.”
Giving people access to their data is the biggest problem with the GDPR, because
On the one hand they have new rights such as “Data Portability” (The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. You must provide the personal data in a structured, commonly used and machine readable form).
On the other hand you need to securely identify the people making the requests, to keep stalkers and data thieves at bay.
And on the gripping hand, identification is a real problem, because you need to provide their data even to people who have visited very briefly and not yet providing an email address or a credit card. If they are in the EU and you hold personally identifiable data about them such as their location, that’s enough.