Consent management challenges - and how to overcome them

For charities and other NGOs, fundraising efforts often hinge on telling compelling stories. By focusing on the people whose lives you’ve changed, you can engage with your audience in a way that facts and figures fail to achieve.

But using stories and case studies as part of your fundraising efforts doesn’t come without its challenges. First and foremost, your organisation must have lawful and up-to-date consent for sharing personal information. And with fines for data privacy breaches continuing to grow, the cost of non-compliance could be devastating.

Unfortunately, staying compliant is easier said than done. Your organisation may use a wide range of fundraising materials featuring many different beneficiaries. The teams using these assets may be distributed across the globe. How can you ensure you’re following all the relevant regulations?

Keep reading for an in-depth look at the consent management challenges that charities face — and how you can tackle them.

Defining consent

The first thing to stress is that while we all have a general idea of what consent means, what really matters is the legal definition. Without keeping this front and centre, your consent management processes are destined to fail.

In the UK and EU, consent in the context of personal data is defined by the General Data Protection Regulation (GDPR) and its UK variant, the UK GDPR.

The GDPR defines consent as:

“…any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” (Article 4(11))

As this definition makes clear, the bar for consent under the GDPR is high. You’ll need to approach consent carefully and with these specific requirements in mind.

You’ll also need to be aware that consent must be easy to withdraw. The general rule is to make withdrawing consent as easy as giving it. If you can consent with a single click, you should be able to withdraw consent the same way.

Let’s look more closely at the specific issues charities face in meeting the GDPR’s consent requirements.

GDPR for charities: the specifics

Most organisations that operate in the EU or UK must abide by the GDPR when processing personal data, but charities face some unique challenges. This is especially true when it comes to sharing stories of people you’ve helped.

These stories will often involve sensitive personal data. For instance, if you work for a healthcare charity, you may be sharing medical information about a beneficiary’s prognosis and treatment. Or, if you’re involved in human rights work, your case studies may reveal details of people’s religious and political beliefs.

As a result, you need to be even more diligent about managing consent. Sharing this kind of sensitive information without proper consent can lead to substantial fines under the GDPR. Most importantly, it can also negatively impact the people whose stories you are telling.

With this in mind, we can consider how to tackle the difficulties you might face with consent management.

How to get consent

Let’s begin with the initial step for any consent management process: making sure you get appropriate consent in the first place. Falling short at this stage could leave you with powerful fundraising collateral that you don’t actually have permission to use.

As we’ve seen above, consent has a very stringent definition under the GDPR. To make sure you stay compliant, you should:

  • Use an appropriate consent form. For consent to be specific and informed, your consent form should clearly state how and why you will be using the subject’s data. If you are putting together a case study, this includes specifying where it will appear and for how long.
  • Keep things simple. Don’t combine your consent process with your other terms and conditions. Avoiding legalese is essential, too. If you make giving consent simple and unambiguous, there’s less risk that subjects will misunderstand what they’ve agreed to.
  • Be adaptive. Consent forms are great when you’re working directly with a small number of individuals for in-depth story content. But what about if you’re hosting a large-scale event? In this case, getting everyone to sign consent forms will be onerous, if not impossible. In this case, consider alternatives such as an opt-out approach.
  • Find the right medium. Written consent forms are standard, but they may not always be appropriate. This is especially true if you’re a global organisation with teams spread across the world. As an alternative, you can get verbal consent over the phone. Just make sure you record it and store the recording somewhere secure.

If you keep these principles in mind, you’ll be well-placed to build a solid foundation for your consent management processes. But getting consent is just the first step. Let’s look at how things should unfold once you’re over that initial hurdle.

[Learn more about the different ways of getting consent with our ‘Beginner's Guide to Managing Consent for Charities & Non-Profits’]

Further considerations

Under the GDPR, consent is not a “one-and-done” process. As the UK Information Commissioner’s Office (ICO) puts it:

“Your obligations don’t end when you get consent. You should view consent as a dynamic part of your ongoing relationship of trust with individuals, not a one-off compliance box to tick and file away. To reap the benefits of consent, you need to offer ongoing choice and control.”

There are many reasons why the initial consent you received may stop being valid. This includes:

  • A change in how you use a subject’s data. As we stressed above, consent has to be specific. If you initially received consent to use a subject’s data in a certain way — as part of a case study on your website, for instance — and now want to share it in another form — on your social media accounts, perhaps — you’ll need to get updated consent to do so.
  • The death of the subject. Unfortunately, robust consent management means preparing for the worst. If a subject passes away, the consent you received to use images of them may no longer be valid. You’ll need to consult whoever is managing the person’s estate to ensure you still have the necessary permission.
  • Previously underage subjects. As children cannot consent under the GDPR, you’ll initially have received the consent of their parent or guardian. However, once the subject is of age, you will need their consent to continue using any fundraising materials that they feature in.
  • Subjects who withdraw their consent. This is perhaps the most common and challenging issue you’ll face. Subjects are free to revoke their consent at any time, and you should make it as easy as possible for them to do so. If they decide to withdraw their consent, you should comply with their wishes as quickly as possible.

Needless to say, there are many considerations to keep in mind here. If you’re dealing with an extensive range of storytelling materials as part of your fundraising efforts, the work involved in keeping track of them all can be overwhelming.

However, there are steps you can take to make your consent management processes more flexible, robust and straightforward.

How to streamline your consent management processes

The go-to strategy for making consent management a more straightforward and intuitive process is to adopt a Digital Asset Management (DAM) platform.

A DAM provides a single, centralised repository for your digital assets. This includes everything from PDF documents and images to audio recordings and video files. Most importantly, it also includes the assets you use to tell your beneficiaries’ stories and the consent forms that relate to them.

Using a DAM to manage your digital assets can offer significant benefits for consent management. You can:

  • Store consent forms alongside the relevant assets. This means you can quickly check you’ve received appropriate consent for a piece of fundraising collateral — and that the consent form covers your intended usage. The same applies to voice recordings if you received consent over the phone.
  • Link multiple consent forms and images. If you’re using group images, you’ll need multiple consent forms. Linking all the relevant forms to group photos makes it much easier to determine if you have the necessary consent for sharing. On the other hand, if a single subject is featured in multiple images, you can use metadata to link them all to the relevant consent form and make them easily searchable.
  • Automated reminders if consent has expired. Without a system for tracking when you need to get updated consent, it’s easy for things to slip through the cracks. A DAM can deliver automated reminders when consent is set to expire, removing the need for time-consuming manual checks.
  • Archive files easily if consent is withdrawn. Withdrawn consent can pose a major issue if your assets are not stored in a single system and are being used by multiple teams. A DAM allows you to quickly remove files from active use if you no longer have consent to use them.

Of course, not all DAMs offer these features. It’s important to do your research before deciding on a solution.

Choosing a DAM for consent management

To get the full benefit of using a DAM for consent management, you’ll need to choose a platform that fits your needs. Out-of-the-box solutions like Google Drive may be readily available, but they lack many of the features that support effective consent management.

ResourceSpace is a DAM that has been developed in close collaboration with clients across the NGO space. As a result, it offers a range of features tailored to the needs of charities. This includes a custom-built consent management plugin and a template designed for charities and not-for-profits.

If you’d like to see how ResourceSpace can help your organisation to manage its digital assets, you can use the platform for free. Our free tier offers 10GB of storage with no expiry and no limits on the number of users.