Consent management challenges - and how to overcome them
9th August 2023
For charities and other NGOs, fundraising efforts often hinge on telling compelling stories. By focusing on the people whose lives you’ve changed, you can engage with your audience in a way that facts and figures fail to achieve.
But using stories and case studies as part of your fundraising efforts doesn’t come without its challenges. First and foremost, your organisation must have lawful and up-to-date consent for sharing personal information. And with fines for data privacy breaches continuing to grow, the cost of non-compliance could be devastating.
Unfortunately, staying compliant is easier said than done. Your organisation may use a wide range of fundraising materials featuring many different beneficiaries. The teams using these assets may be distributed across the globe. How can you ensure you’re following all the relevant regulations?
Keep reading for an in-depth look at the consent management challenges that charities face — and how you can tackle them.
Digital consent meaning
The first thing to stress is that while we all have a general idea of what consent means, what really matters is the legal definition. Without keeping this front and centre, your consent management processes are destined to fail.
In the UK and EU, consent in the context of personal data is defined by the General Data Protection Regulation (GDPR) and its UK variant, the UK GDPR.
The GDPR defines consent as:
“…any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” (Article 4(11))
As this definition makes clear, the bar for consent under the GDPR is high. You’ll need to approach consent carefully and with these specific requirements in mind.
You’ll also need to be aware that user consent must be easy to withdraw. The general rule is to make withdrawing consent as easy as giving it. If you can consent with a single click, you should be able to withdraw consent the same way.
Let’s look more closely at the specific privacy regulation that charities have to abide by to meet the GDPR’s consent requirements.
8 privacy consent management challenges
Here are eight of the most common challenges associated with modern consent management:
- Abiding by data privacy laws: Different regions have their own data protection regulations, such as the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in California, and many others worldwide. Each of these laws has specific requirements regarding how consent must be obtained, documented, and managed. Ensuring compliance with these diverse and often changing regulations is a significant challenge.
- Ongoing management of consent: Consent is not a one-time process. Users can change their preferences or withdraw consent at any time, requiring organisations to have systems in place that can dynamically manage and honour these changes. This involves continuously updating consent statuses across all data processing and storage systems, which can be complex and resource-intensive.
- Data storage and management: Properly storing consent information in a way that is secure, accessible and auditable is another major challenge. Organisations must ensure that they can quickly retrieve consent records for regulatory audits or compliance checks. This involves implementing robust data management systems that can handle the intricacies of consent data, including its versioning, the specific consents given and the timestamps of when these consents were obtained.
- Consent withdrawal: Handling the withdrawal of consent effectively and promptly is crucial. When a user withdraws consent, the organisation must ensure that the data processing activities related to that consent cease immediately and that the withdrawal is reflected across all systems. This can be particularly challenging when data is distributed across multiple databases or processed by third-party vendors.
- User experience: Balancing the legal requirements of consent management with a positive user experience is a delicate challenge. Making the consent process too cumbersome can lead to user frustration and abandonment, while too simplistic an approach may not meet legal requirements. Designing a consent mechanism that is both compliant and user-friendly requires careful planning and testing.
- Cross-border data transfers: For organisations operating internationally, managing consent for cross-border data transfers adds another layer of complexity. Different jurisdictions have different requirements for international data transfers, and ensuring compliance with these rules while managing user consent can be challenging.
- Integration with third-party services: Many organisations rely on third-party services for data processing, analytics, advertising and more. Ensuring that these third parties adhere to the consent preferences of your users requires robust data sharing agreements and technical integrations that can enforce these preferences across all parties involved.
- Technological changes and new use cases: As technology evolves, new data collection methods and use cases emerge. Keeping consent mechanisms up to date with these changes, ensuring that consent is obtained for new types of data processing, and communicating these changes effectively to users are ongoing challenges.
Effective consent management requires a combination of legal understanding, technological solutions and operational practices that are adaptable to the evolving digital environment and regulatory landscape - or a great consent management platform.
GDPR for charities: the specifics
Most organisations that operate in the EU or UK must abide by the GDPR when processing personal data, but charities face some unique challenges. This is especially true when it comes to sharing stories of people you’ve helped.
These stories will often involve sensitive personal data. For instance, if you work for a healthcare charity, you may be sharing medical information about a beneficiary’s prognosis and treatment. Or, if you’re involved in human rights work, your case studies may reveal details of people’s religious and political beliefs.
As a result, you need to be even more diligent about managing consent. Sharing this kind of sensitive information without proper consent can lead to substantial fines under the GDPR. Most importantly, it can also negatively impact the people whose stories you are telling.
With this in mind, we can consider how to tackle the difficulties you might face with consent management.
How to get user consent
Let’s begin with the initial step for any consent management process: making sure you get appropriate consent in the first place. Falling short at this stage could leave you with powerful fundraising collateral that you don’t actually have permission to use.
As we’ve seen above, consent has a very stringent definition under the GDPR. To make sure you stay compliant, you should:
- Use an appropriate consent form. For consent to be specific and informed, your consent form should clearly state how and why you will be using the subject’s data. If you are putting together a case study, this includes specifying where it will appear and for how long.
- Keep things simple. Don’t combine your consent process with your other terms and conditions. Avoiding legalese is essential, too. If you make giving consent simple and unambiguous, there’s less risk that subjects will misunderstand what they’ve agreed to.
- Be adaptive. Consent forms are great when you’re working directly with a small number of individuals for in-depth story content. But what if you’re hosting a large-scale event? Getting everyone to sign consent forms will be onerous, if not impossible. In this case, consider alternatives such as an opt-out approach.
- Find the right medium. Written consent forms are standard, but they may not always be appropriate. This is especially true if you’re a global organisation with teams spread across the world. As an alternative, you can get verbal consent over the phone. Just make sure you record it and store the recording somewhere secure.
If you keep these principles in mind, you’ll be well-placed to build a solid foundation for your consent management system. But getting consent is just the first step. Let’s look at how things should unfold once you’re over that initial hurdle.
Further considerations
Under the GDPR, consent is not a “one-and-done” process. As the UK Information Commissioner’s Office (ICO) puts it:
“Your obligations don’t end when you get consent. You should view consent as a dynamic part of your ongoing relationship of trust with individuals, not a one-off compliance box to tick and file away. To reap the benefits of consent, you need to offer ongoing choice and control.”
There are many reasons why the initial consent you received may stop being valid. These include:
- A change in how you use a subject’s data. As we stressed above, consent has to be specific. If you initially received consent to use a subject’s data in a certain way — as part of a case study on your website, for instance — and now want to share it in another form — on your social media accounts, perhaps — you’ll need to get updated consent to do so.
- The death of the subject. Unfortunately, robust consent management means preparing for the worst. If a subject passes away, the consent you received to use images of them may no longer be valid. You’ll need to consult whoever is managing the person’s estate to ensure you still have the necessary permission.
- Previously underage subjects. As children cannot consent under the GDPR, you’ll initially have received the consent of their parent or guardian. However, once the subject is of age, you will need their consent to continue using any fundraising materials that they feature in. Note that the age of digital consent is 16 years old.
- Subjects who withdraw their consent. This is perhaps the most common and challenging issue you’ll face. Subjects are free to revoke their consent at any time, and you should make it as easy as possible for them to do so. If they decide to withdraw their consent, you should comply with their wishes as quickly as possible.
Needless to say, there are many considerations to keep in mind here. If you’re dealing with an extensive range of storytelling materials as part of your fundraising efforts, the work involved in keeping track of them all can be overwhelming.
However, there are steps you can take to make your consent management processes more flexible, robust and straightforward.
How to streamline your consent management processes
The go-to strategy for making consent management a more straightforward and intuitive process is to adopt a Digital Asset Management (DAM) platform.
A DAM provides a single, centralised repository for your digital assets. This includes everything from PDF documents and images to audio recordings and video files. Most importantly, it also includes the assets you use to tell your beneficiaries’ stories and the consent forms that relate to them.
Using a DAM to manage your digital assets can offer significant benefits for consent management. You can:
- Store consent forms alongside the relevant assets. This means you can quickly check you’ve received appropriate consent for a piece of fundraising collateral — and that the consent form covers your intended usage. The same applies to voice recordings if you received consent over the phone.
- Link multiple consent forms and images. If you’re using group images, you’ll need multiple consent forms. Linking all the relevant forms to group photos makes it much easier to determine if you have the necessary consent for sharing. On the other hand, if a single subject is featured in multiple images, you can use metadata to link them all to the relevant consent form and make them easily searchable.
- Get automated reminders if consent has expired. Without a system for tracking when you need to get updated consent, it’s easy for things to slip through the cracks. A DAM can deliver automated reminders when consent is set to expire, removing the need for time-consuming manual checks.
- Archive files easily if consent is withdrawn. Withdrawn consent can pose a major issue if your assets are not stored in a single system and are being used by multiple teams. A DAM allows you to quickly remove files from active use if you no longer have consent to use them.
Of course, not all DAMs offer these features. It’s important to do your research before deciding on a solution.
Choosing a DAM for consent management
To get the full benefit of using a DAM for consent management, you’ll need to choose a platform that fits your needs. Out-of-the-box solutions like Google Drive may be readily available, but they lack many of the features that support effective consent management.
ResourceSpace is a DAM that has been developed in close collaboration with clients across the NGO space. As a result, it offers a range of features tailored to the needs of charities. This includes a custom-built consent management plugin and a template designed for charities and not-for-profits.
If you’d like to see how ResourceSpace can help your organisation to manage its digital assets, you can use the platform for free. Our free tier offers 10GB of storage with no expiry and no limits on the number of users.