Interview: How Friends of the Earth is UX testing for GDPR

Joachim Farncombe, Digital Product Owner at Friends of the Earth, talks GDPR.

The General Data Protection Regulation (GDPR) is fast approaching. From May 25th there will be a step-change in how every company in the EU uses and stores personal data. And with this new framework, there’s a new regime of fines imposed by The Information Commissioner’s Office (ICO) for any infringement.

So you may be noticing a sudden shift in tone from the marketing emails you receive, as companies realise they need to refresh how they initially gained your consent – especially if they didn’t meet the new GDPR standard.

Many are asking honestly and politely for you to continue receiving emails, others are offering incentives to remain on a list, some are coming off a bit desperate. Or if you’re Wetherspoons, you’re just deleting your marketing list entirely.

However, for most of us who have a GDPR plan but may still be confused about how best to stay on the right side of compliance while still growing a marketing database, there are still some questions that need to be asked, particularly around how best to ask for consent.

I recently chatted to Joachim Farncombe, Digital Product Owner at Friends of the Earth about what GDPR means for one of the biggest names in the charity sector.

We discussed the very real hit that FOE’s and other organisations’ marketing lists will take, how Joachim and the team are mitigating the effect by recapturing consent, the vagaries of the GDPR guidelines and how this should theoretically benefit everyone in the long run.

But first, a pop quiz…

Here’s a challenge, can you describe GDPR as succinctly as possible?

GDPR is a new regulation that came from the EU, which is designed to protect individuals’ data more rigorously. It replaces the Data Protection Act, which is now deemed to be insufficient for the digital age.

Was the Data Protection Act something that was as ‘strongly policed’ as it seems the GDPR will be?

I think it was policed to a certain degree, but you could call into question its rigour. Whereas the ICO has already listed out the potential fines if you’re found to be in breach of GDPR and so multiple sectors are taking this incredibly seriously because it’s scary; there’s a lot of risk involved. However, the key point around GDPR is that it’s a good thing. The regulation isn’t being forced upon us in an onerous way, it’s an opportunity for all organisations – especially in the charity sector – to clean up their act and be much more transparent about what data they hold on people and how it’s used.

What’s your involvement with FOE’s GDPR progress right now?

I sit on the GDPR working group, which encompasses all sorts of people across the organisation, including fundraising, data-insight, the activism fundraising team. I’m also representing the digital delivery team, so I’m responsible for the front-end digital marketing. We’re basically a cross multi-disciplinary team and we’re looking at everything from how we store data on the database to our email channel opt-ins, which we’re trying to optimise. Our focus is to mitigate against the potential hit we’re going to take to our marketing lists. But with the mandate that we’re looking at it as an opportunity rather than something to be terrified of.

How calm are you right now about GDPR? On a scale of 1 = placidity to 10 = shrieking alarm – how panicked are you?

We’re about 7. There’s a lot of pressure. I think we’re doing well, because we’re taking it very seriously and there’s a steering group that’s headed up by our senior leadership team and there’s budget assigned, there are resources assigned. We have a project manager assigned to it, who’s been in the post for the last seven months, so we’re perhaps taking it more seriously than a few other organisations.

Are you aware of how seriously other, similar organisations are taking it?

The large charities such as RSPB, Oxfam and RNLI are a way ahead of us. Especially in terms of their optimisation and user experience of forms – I think they’re a long way ahead and there’s a lot of learning we can take from them. Inevitably the smaller charities, who we meet during conferences, tend to say, “yeah we should do something about that” and then a look of terror spreads across their face when you tell them how much you’ve done so far. So I think we’re doing okay, but I’m slightly concerned that we are going to take quite a hit – especially on our email list.

RSPB’s current channel consent form

What kind of hit do you think you’ll take?

Big, judging by the initial testing that we’ve done so far. I’m actually surprised how many people opt-in to email. For example, in the current set-up we have, which is very rudimentary – we basically made our opt-in channel preferences bigger and more upfront, as opposed to greying them out and putting them down the bottom of a donation form. However it is noticeable that we have taken a hit – our list has reduced since implementing changes in the last few months. But as a user myself, I don’t want an email that means nothing to me.

How has FOE traditionally collected data in the past?

I think there’s a wider conversation about how we’ve operated as a charity, there was a big emphasis on street collection and telephone marketing until very recently. A few years ago we were still doing hawking on the street, which we’ve stopped doing now – it was no longer cost-effective and there was a real conscious decision to take supporter experience more seriously. We don’t like bothering people and it’s more valuable to acquire supporters in a much more engaged way, who are already interested in a specific issue. So as a result of that, online digital acquisition has suddenly shifted and we’re still playing catch-up to try and bridge the gap, especially around telephone marketing. It was very profitable to call someone up and ask them to set-up a Direct Debit, but under GDPR, telephone marketing is really difficult in terms of the consent that we currently have and we’ve basically said we’re not going to do it anymore.

How do you even get consent for telephone marketing?

That’s part of the problem. We will still do it, based on other channel opt-ins. So for example, our petitions very often ask for a phone number, in which case we have to ask permission to use it. Some of our forms have four channel opt-ins. We will still be able to do telephone marketing, but we recognise there’ll be a shift away from it, so we have to think about how we’re going to plug that gap; how do we upgrade regular givers via email. And that’s a real worry for fundraising at the moment.


What are the specific differences that a charity might face when collecting and using personal data?

A specific example I’ve been looking at recently is around growing an email list. We recognise it’s the most effective way, post-GDPR, to collect people’s data in a compliant way. Ecommerce companies have the benefit of being able to offer discount codes. They can incentivise handing over your email address, or reconsenting to further email marketing. Whereas all we have to offer perhaps are ‘lifestyle tips to live a greener lifestyle’, it’s a harder sell for us, because we don’t do much in the way of detailed segmentation of our email list. We don’t send out specific emails about events we do, for instance. However in our testing, we’re finding out that people are willing to hand over their details for specific campaigns. And that’s a unique challenge for us.

Is that level of segmentation new to Friends of the Earth?

Technically yes. The challenge for us is that we don’t necessarily want to talk to people just about bees for instance, because we’ve got a wider narrative around climate change. So everything is related to how problems are caused by climate change, and the solutions we’re offering feed into that. We want to send all our supporters pretty much the same message because that makes it easier for us. But, in terms of the ‘sell’, what’s the value for the user? It’s very difficult to enunciate that because, again, we don’t really do ‘products’ as such.

Do you have a specific plan on how to recapture consent for the data you already have?

Yes we do, in fact, there’s a series of reconsent emails going out. But there’s a question mark over how much of our data is inaccurate. Much like many organisations, our CRM isn’t great. And there’s a lot of work going on independently of GDPR about fixing that problem and re-engineering how we use and segment our data.

But yes, we recognise that a lot of people have, perhaps, opted out previously without really understanding the implications of it. Now, before May the 25th, we have the option to contact people and show them our new approach. And hopefully we’ll get quite an uptake. Hopefully.

On an anecdotal level, I’ve noticed a few organisations sending reconsent emails recently, but incentivising it – which is kind of dodgy in itself. Someone showed me an email from a certain successful football club, which is about entering a ballot for a season ticket draw if you opt in to all three of the channels they were promoting. It feels a bit disingenuous.

Was it particularly obvious as to why they were doing this? Was there any kind of messaging around, “This is a government-mandated thing. We have to do this in order to get your consent?”

No, and our GDPR manager certainly called it into question. We don’t really have the opportunity to enter people into a competition or whatever, but our wording is being pored over at the moment about how we sell the idea of GDPR to our supporters. Maybe we don’t even talk about GDPR. Maybe we just talk about, “This is an opportunity to reaffirm your support”?

I think the idea of reconsent is interesting because it’s a good opportunity for us. We can probably do that two or three times between now and the end of May. It’s not like we have a lot to lose. After May 25th, we won’t be able to contact people. And specifically, we are thinking about highlighting what people are gonna lose. We’ve implemented radio buttons where if you click, “No” a message appears that says, “Are you sure? Because that means you won’t be able to get our awesome emails.”

Because, as you said, you’ve got nothing to lose…

And I think, as a general point, there’s a real issue especially in the charity sector, about what the guidelines actually are. Because the ICO hasn’t really given any detailed guidance yet. There are lot of people making a lot of money as experts.

Have you been approached by third-party consultants?

Yeah, yeah. We get emails all the time from people. But that’s going to be a really short-term career choice, until people start getting fined.

We’re in a fortunate position in that we have a dedicated GDPR lead. He always has a view towards erring on the side of compliance at the moment. But I think the rest of us are trying to push the envelope a little bit. One example is an email pop-up we have that’s quite obtrusive. It’s an interstitial at the moment.

On mobile?

No, we’re not doing it on mobile because we think Google might still penalise us there. But for desktop, there’s a conversation about whether we need a checkbox on that. And I’m like, that’s a specific active consent. It’s one purpose, right? You’re giving an email address and it says very clearly what you’ll receive in return. Why do we need to have a checkbox as well? That’s kind of crazy. This is taking it too far. So we’ve really pushed back on that.

But there’s no specific guideline that says, “You definitely need this or that”?

Not that I’ve found. And I’ve looked quite hard for that.

Let’s take an online petition as an example. You’re giving your details so that you can sign a petition, however the email marketing preferences associate that as a secondary thing. So, fine, of course you need a checkbox for that.

A GDPR friendly, single-channel webform from the current Friends of the Earth website

I can only imagine that in slightly more high-revenue, ecommerce organisations they can factor in the loss that might come from a fine.

We’ll see. I think it’s going to be interesting. All the scare stories I’ve heard are from the existing Data Protection regulations, and they tend to be medical charities that hold patient data that have either abused that data or had a data breach. I’d like more background on these ‘scare stories’.

Do you have an idea of how it will actually change the on-page experience for people coming to your site?

There are a few big charity examples I like to cite. I think RSPB’s probably the best one. They’ve got these massive buttons and they look really good on mobile, it’s just a simple cross and a tick on their donation forms. That’s where I personally want to get to. And although I’m very data-driven and I don’t make assumptions, I do think that sort of thing will see us increase our opt-ins on all channels, but especially email. As opposed to the select boxes that we have now.

Select boxes are our starting point for compliance. And then we’re doing split-testing. And we’re gonna do split testing initially on our petitions, 50/50 radio buttons and select boxes. And then, if we’ve established that radio buttons are the way to go, then we can move into a bit more of a designed approach – because I think radio buttons on a mobile are problematic. So we’re looking at big buttons as well.

There’s an option there where if you slide “No” to an email, it’ll come out with a pop-up saying, “But you’re gonna miss out.” Somehow, we’ve got to highlight in the UX what this email signup means before you even interact with it. So that’s the challenge for the next few months, is to just optimize the hell out of this.

So you’ve been doing split tests on buttons and opt-ins, is there anything else you’ve been testing?

We will be doing testing on the wording as well. We’re still struggling a little bit from a technical point of view on the integration with our CRM, to get to a baseline of, “You’ve ticked a box that will cause a hard opt-in on your record within our database.”

Or conversely, we’ve got this slightly strange situation where we have hard opt-outs for post and phone, where applicable. And so the integration thing’s been quite complicated. We’ve only just got to that point where we think we’re compliant, and that’s all passing through to our database.

In terms of wording and content, who’s working on that?

Everyone. Our content lead is involved obviously. There’s someone else on tone of voice, who is trying to steer it in a slightly more friendly direction. But this has been a battle of wills between friendliness and compliance. It’s gonna be a toss-up, right? I think, from our point of view, psychologically across all our digital platforms, we need to know that we’re consistent before we can start testing content.

Can you talk me through the other aspects of GDPR, which aren’t to do with consent, that you’re having to deal with?

Here’s a good example of something that’s kind of bothering me, which I’ve got to try and resolve in the next few days. We have an e-card platform, where you can send friends or family a greeting card online, and as the user fills out their details, they also have to provide the recipient’s details. Bonus! But now I have to find out, are we allowed to store that email address? Because that recipient has not given consent. So the whole platform is being called into question. Can we do this? Is this okay? For a start, the wording is totally wrong. It says, “We will only hold your data for 28 days and then it will be deleted.” But you can set the ecard to send it up to one year in the future. So this 28 days thing is bullshit. It’s 28 days from the point of receiving the card, which is probably gonna contravene something in GDPR.

But again, I don’t know enough because the guidelines aren’t very clear.

We also use platforms like SurveyMonkey and TypeForm, and obviously those survey tools have the option of collecting personal data. We don’t want people to do that anymore.

But then the conversation goes into, “what constitutes personal data?” So obviously: first name, second name, postcode, phone number, easy. But then, our GDPR guru has said if you start collecting ethnicity, age, etc. you could start piecing things together. And that’s where we go into dodgy territory, so we shouldn’t do that at all, and err on the side of caution.

How would you feel if GDPR was brought forward to tomorrow?

The thing is, there’s a shitload more to GDPR than just gaining consent. It’s more about how you store the data and where you do it. But from a pure channel opt-in perspective, we are probably gonna be okay if it magically became May 25th tomorrow. But I think our list would be reduced.

But you would be on the right side of ‘the law’.

Sure. And that’s the main thing, right?

The battle we have is that we are doing a big push on recruiting new supporters, with a lot of paid social. Which is great, but if we’re losing an equal number or more of our longtime supporters, then what’s the point?

It’s quite demoralising. We want to grow our list, not stand still, treading water.