Looking back at the implementation of the General Data Protection Regulation (GDPR) with nearly 2 years of hindsight, it seems that almost everyone went crazy on the issue of consent and that pendulum is only now just starting to swing back to sanity.

What was lost in the scramble and panic over consent was any serious attention to the ultra-important issue of owning your own data.  This is a lesson not only for those organizations subject to GDPR but for everyone, everywhere who will increasingly be faced with privacy regulations.

GDPR makes a quite strong distinction between being a ‘data controller’ and being a ‘data processor’. The controller is the ‘owner’ who ‘determines the purposes and means of processing personal data (Article 4.7 GDPR); the ‘processor’ is a more technical provider who does something with the data on behalf of the controller, but only under instruction of the controller (art.4.8).  Of course reading The Agitator is far easier than reading legal texts, but do take time to read Chapter IV of GDPR here.

In theory, the organization can freely decide who is the ‘processor’ and who is the ‘controller.’  In practice, the charity should always be –and remain– the only controller. Any F2F agency, TM agency, DM agency, online platform (yes, even the DonorVoice Feedback Platform…) should always and only be the processor. Processors have no right to determine what to do with or share your data – that is your role as controller. Unfortunately, in my experience several F2F agencies and DM agencies claim to be the controller, and few charities seem to care.

The Important Distinction Between ‘Controller’ an ‘Processor’

Why is this an important distinction?  One of the main—and best– provisions in GDPR is that it makes clear the controller is the boss; the processor should always do what the controller says.

What happens if the nonprofit isn’t the controller?  Any of the following:

• Your DM agency uses your donors to send gift requests on behalf of another charity, even without you having to give them your donor data for this swap. As the controller, they hold the power.
• Your F2F agency can choose to share with you only the net signups: only those donors who remain after any quality checks or welcome calls. You might think this is only what you need. But if this is the case essential quality issues will be hidden from you: you don’t see early no shows and you’ll never get valuable feedback from those donors who felt forced into giving or otherwise had a lousy giving experience. Consequently, you’ll never be able to fix that part of the donor experience.  And you won’t be able to work to re-recruit those donors, whether as monthly or one-time donors.
• Your payment processer would only share the total recurring direct debit income for that month. Enough for your accountant, but you’ll never see exactly who is staying or leaving. And you can’t initiate any specific intervention if you don’t have that insight.
• Your social media platform will give you names and amounts of online donors, but no contact details. No worries, you think: we can just use the ‘communicate to my donors’ button on that platform, but outside that platform you’ll have no way to reach out to your donors. And, as Nick has discussed, this has become more and more where you need to pay every time you want to reach these donors.

Owning Your Data is Key to Building Donor Relationships

Owning your data is the key to building donor relationships and to sharpening your donor experiences. Only when you have the full data can you independently analyze and understand what is happening with your donors. From this, you can generate insights to act on.

Whenever I meet a fundraising agency for the first time, I’m quite direct with them: “Hey guys – I’m not interested in your reports; I might trust you, but your reports are useless for me. I’m interested in your raw data, all of it. And remember, I’m the controller, you are the processor – so don’t start to argue on privacy or data security: all that data is mine, give it to me or I won’t work with you.”

Why? Because having the raw data is what’s necessary to do predictive analytics (and build donor identity on your own terms).  When you have the raw data, you can benchmark against other agencies and historical data.  Benchmarking based on reports an agency generates when you have multiple agencies is like comparing apples and oranges.

The extreme of not owning your data is data hijacking by vendors. Roger talked a lot about this here and here. It is about vendors trying to prevent you from leaving them for another vendor, creating unethical barriers to exit.

Yes, having a decent legal contract in place making clear you are the controller is great, but not enough.

Here are two little secrets to avoid any risks of data hijacking.

• When procuring new data systems ask in detail about its export functionalities: how I can get my data out in bulk, with as little button pressing as possible. I check whether I can get direct SQL access to the main data… I check their API documentation on any ‘GET calls’ I could do… If the system does not give me enough autonomy to get out all data when I like – I simply won’t buy the system.
• Once the system is activated, I regularly do just that: dump all my data out of that system, simply for the purpose of storing it elsewhere. In some case I even automate it using my ETL-server – but if you can’t automate, spending about an hour each month to manually dump everything is worth doing to assure your organization’s autonomy.

No matter how much I trust a vendor, trust is built by being able to act in case of mistrust or misunderstanding. When I know I have my data, only then I can I properly deal with my vendor.

Yes, there is a downside of being your own data controller: you do have responsibilities if you want to earn and keep your donors trust.  Make no mistake.  Whether you are or are not the controller your donors will hold you and you and your organization responsible.

Ilja