Background
Comic Relief is a major UK charity that was founded in 1985. It hosts a major event every year, either Red Nose Day or Sport Relief, which take place in alternate years. For these events, members of the public are encouraged to fundraise by getting sponsored to do challenges or activities. The charity also gets support from corporate partners such as Sainsbury’s and BT, and the BBC acts as its broadcast telethon partner.
Members of the public who want to participate are sent fundraising kits in advance of the day and supporters are sent one email per month. On the day of the event, donation volumes are extremely high, with Comic Relief processing more transactions per second than Amazon. According to business process manager Liz Curry: “It’s simple, but it’s massive.”
The problem
The ICO will begin to enforce the General Data Protection Regulation from 25th May 2018 and issue severe fines to those who breach it. Although GDPR passed into UK law in April 2016, there was a lack of clarity around its proper legal interpretation, for example, on legitimate interest versus consent as the basis for data processing. Although the ICO is working on publishing guidelines, it is also dependent on the timescales set by the Article 29 Working Party, leaving organisations to make decisions on data protection policies based on their own understanding (or that of their legal advisers).
Comic Relief carried out a data audit to identify where it kept personal data, who had responsibility for it and how it was protected. Across its data assets, Comic Relief holds customer data, grants data and employee data. In its supporter database of 7 million people, it holds transactional information as well as name, address and email address. In the grants database, it holds the personal data of the applicants and trustees.
Comic Relief has many videos and photographs of beneficiaries. There are also consent forms, but they are not necessarily linked to the images. Furthermore, a lot of historical material, from documents to photographs as well as memorabilia, had accumulated in the office, along with many items in a storage facility in Woolwich. It was not known whether there was any sensitive material among these items.
Comic Relief set itself a deadline of September 2017 to be fully GDPR-compliant, to ensure that the 2018 Sport Relief campaign operates well within the regulations.
Who’s who
Liz Curry was the CRM manager at Comic Relief when she was asked to move into a team which looked at the whole organisation and all the data within it. Curry works in a team with Mark Hoult-Allen (head of business planning and processes, BPP), sharing the data protection officer role alongside her “day job” as business process manager.
Identifying the solution
Curry attended a GDPR briefing and decided that, in the absence of clarity from the ICO, Comic Relief would establish its own data protection policies, review all its privacy notices and set data retention periods. She decided to take a risk-based approach and looked at what might “come back to bite them in the future”, such as a complaint from a disgruntled member of the public. This helped to clarify what issues needed to be addressed as a priority and which could wait until later.
Implementing the solution
Comic Relief already had data stewards in place; these roles are held by volunteers alongside their day-to-day responsibilities. Curry made sure that all data stewards were senior enough to make decisions.
Comic Relief had made an early start on the process of becoming compliant in September 2015, led by its business planning and processes (BPP) team. A Data Steward Working Group (DSWG) was set up in November 2015 with the aim of ensuring that the charity’s use of data and information conforms both to existing and upcoming legislation and also industry best practice. An important consideration was the brand’s reputation – Comic Relief is trusted and known by 99% of the British public.
The DSWG is chaired by the Data Protection Officer (the head of BPP) with a representative from each team in the business and meets monthly to review and approve changes to policy and data retention periods. The first task of the DSWG was to carry out a data audit to identify where they keep personal data, who has responsibility for it, and how they keep it safe.
Awareness raising around GDPR began in June 2016. Under instructions from the new CEO, Liz Warner, the charity’s offices were tidied and cleared. The items in the warehouse in Woolwich were sorted through, physical mementos were removed and anything with personal details was destroyed. In addition to reducing the data protection risk, within a month the charity had saved £33,000 on storage costs.
All staff, including the executive board and trustees, have been given presentations, tailored to each team, about the impact of GDPR. This enabled the staff to see things from the public’s perspective. New staff get a 15-minute induction with the core message of, “don’t be stupid, think about what you’re doing, and if any of these things come up, talk to us”. BPP has done training around what to do in the case of a data incident and how to share data safely. It has published information about data policies and processes on the staff intranet.
The BPP team worked with legal, business and IT to ensure all data policies are fit for purpose and created a data retention schedule. BPP has introduced mandatory Privacy Impact Assessments for all new projects and processes involving personal data. The BPP has also worked with the DSWG to ensure that the Subject Access Request process complies with the shortened timelines of GDPR.
In September 2016, a Data Awareness Week was held for all staff. This involved “Lunch and Learn” sessions given by external speakers, including “Data science tips for success” from data analyst Orlando Machado, “Protecting your digital footprint” from DataIQ editor-in-chief David Reed and an overview of data protection from Lesley Tadgell-Foster. Barclays Digital Eagles did a live “Hack me” which included tips on how to avoid social engineering hacks, such as posting birthday party photos on the day which can reveal your date of birth.
There were also mandatory sessions to introduce the new data protection, retention and disposal policies and drop-in sessions with the DSWG. Internal communications using posters and cartoons around the offices encouraged staff to stop and think about personal data and their role in protecting it.
Curry has written an online data protection course, which includes a quiz, as well as a guide that is specific to Comic Relief. A single sign-on identifies which members of staff, including grant assessors and consultants, have taken the course.
Next steps and conclusion
Curry has done an audit with staff about what they do with data, with a view to writing a public-facing marketing code of practice. It will explain clearly to supporters why Comic Relief wants their data and what the benefits of agreeing to share it are.
Comic Relief has contracted a licence from OneTrust, a provider of security software, to help with data mapping and with linking PIAs and subject access requests. It is also reviewing the options for creating a customer preference centre where data can be reviewed and permissions updated, but the supporting technologies are currently prohibitively expensive.
In June 2017, Comic Relief won the DataIQ Talent Award for Best GDPR Programme (Data Controller) and the overall Grand Prix. In the words of one judge, “I wish we were doing it this well.”