Interview: How Friends of the Earth is UX testing for GDPR

By UserTesting | July 20, 2023

The General Data Protection Regulation (GDPR) is fast approaching. From May 25th there will be a step-change in how every company in the EU uses and stores personal data. And with this new framework, there’s a new regime of fines imposed by the Information Commissioner’s Office (ICO) for any infringement.

So you may be noticing a sudden shift in tone from the marketing emails you receive, as companies realise they need to refresh how they initially gained your consent – especially if they didn’t meet the new GDPR standard.

Many are asking honestly and politely for you to continue receiving emails; others are offering incentives to remain on a list; some are coming off a bit desperate. Or if you’re Wetherspoons, you’re just deleting your marketing list entirely.

However, for most of us who have a GDPR plan yet may still be confused about how best to stay on the right side of compliance while growing a marketing database, there are still some questions that need to be asked, particularly around how best to ask for consent.

I recently chatted to Joachim Farncombe, Digital Product Owner at Friends of the Earth about what GDPR means for one of the biggest names in the charity sector.

We discussed the very real hit that FOE’s and other organisations’ marketing lists will take, how Joachim and the team are mitigating the effect by recapturing consent, the vagaries of the GDPR guidelines and how this should theoretically benefit everyone in the long run.

But first, a pop quiz…

Here’s a challenge: can you describe GDPR as succinctly as possible?

GDPR is a new regulation that came from the EU, which is designed to protect individuals’ data more rigorously. It replaces the Data Protection Act which is now deemed to be insufficient for the digital age.

Was the Data Protection Act something that was as ‘strongly policed’ as it seems the GDPR will be?

I think it was policed to a certain degree, but you could call into question its rigour. Whereas the ICO has already listed out the potential fines if you’re found to be in breach of GDPR and so multiple sectors are taking this incredibly seriously because it’s scary; there’s a lot of risk involved. However, the key point around GDPR is that it’s a good thing. The regulation isn’t being forced upon us in an onerous way, it’s an opportunity for all organisations – especially in the charity sector – to clean up their act and be much more transparent about what data they hold on people and how it’s used.

What’s your involvement with FOE’s GDPR progress right now?

I sit on the GDPR working group, which encompasses all sorts of people across the organisation, including fundraising, data-insight, the activism fundraising team. I’m also representing the digital delivery team, so I’m responsible for the front-end digital marketing. We’re basically a cross multi-disciplinary team and we’re looking at everything from how we store data on the database to our email channel opt-ins, which we’re trying to optimise. Our focus is to mitigate against the potential hit we’re going to take to our marketing lists. But we’re looking at it with the mandate that it’s an opportunity rather than something to be terrified of.

How calm are you right now about GDPR? On a scale of 1 = placidity to 10 = shrieking alarm – how panicked are you?

We’re about 7. There’s a lot of pressure. I think we’re doing well, because we’re taking it very seriously and there’s a steering group that’s headed up by our senior leadership team and there’s budget assigned, there are resources assigned. We have a project manager assigned to it, who’s been in the post for the last seven months, so we’re perhaps taking it more seriously than a few other organisations.

Are you aware of how seriously other, similar organisations are taking it?

The large charities such as RSPB, Oxfam and RNLI are way ahead of us. Especially in terms of their optimisation and user experience of forms – I think they’re a long way ahead and there’s a lot of learning we can take from them. Inevitably the smaller charities, who we meet during conferences, tend to say, “yeah we should do something about that” and then a look of terror spreads across their face when you tell them how much you’ve done so far. So I think we’re doing okay, but I’m slightly concerned that we are going to take quite a hit – especially on our email list.

RSPB’s current channel consent form

What kind of hit do you think you’ll take?

Big, judging by the initial testing that we’ve done so far. I’m actually surprised how many people opt-in to email. For example, in the current set-up we have, which is very rudimentary – we basically made our opt-in channel preferences bigger and more upfront, as opposed to greying them out and putting them down the bottom of a donation form. However it is noticeable that we have taken a hit – our list has reduced since implementing changes in the last few months. But as a user myself, I don’t want an email that means nothing to me.

How has FOE traditionally collected data in the past?

I think there’s a wider conversation about how we’ve operated as a charity, there was a big emphasis on street collection and telephone marketing until very recently. A few years ago we were still doing hawking on the street, which we’ve stopped doing now – it was no longer cost-effective and there was a real conscious decision to take supporter experience more seriously. We don’t like bothering people and it’s more valuable to acquire supporters in a much more engaged way, who are already interested in a specific issue. So as a result of that, online digital acquisition has suddenly shifted and we’re still playing catch-up to try and bridge the gap, especially around telephone marketing. It was very profitable to call someone up and ask them to set-up a Direct Debit, but under GDPR, telephone marketing is really difficult in terms of the consent that we currently have and we’ve basically said we’re not going to do it anymore.

How do you even get consent for telephone marketing?

That’s part of the problem. We will still do it, based on other channel opt-ins. So for example, our petitions very often ask for a phone number, in which case we have to ask permission to use it. Some of our forms have four channel opt-ins. We will still be able to do telephone marketing, but we recognise there’ll be a shift away from it, so we have to think about how we’re going to plug that gap; how do we upgrade regular givers via email. And that’s a real worry for fundraising at the moment.
