Earlier this year the ICO, Charity Commission and Fundraising Regulator joined forces at the Fundraising and Regulatory Compliance Conference to provide specialist sector guidance to charities on two overlapping areas of law: data protection and charity fundraising.
Recent fines issued by the ICO to high-profile charities, including the RSPCA, for serious data protection breaches have caused both the ICO and the Fundraising Regulator to focus on what charities are doing with donor and customer data. One of the key areas the ICO look at when assessing a charity’s data protection compliance is the consent gained from people in relation to charities using their personal information.
With this news, the public are becoming better informed and are more likely to be aware of their rights and challenging their chosen charities to prove they look after their data in the way they expect. Below are questions identified by the ICO, Charity Commission and Fundraising Regulator and what you should be doing to address them:
- The first question charities should ask themselves is: what are people expecting us to do with their personal data?
Obviously part of that answer could be: to use their personal data in order to process their donation; but what about people who haven’t donated yet or who haven’t donated in a while? The first step is to explain what you do with data in a clear detailed Privacy Policy. If you want to be able to send people marketing information in relation to fundraising you need to be telling them you are doing this and getting their consent right at the beginning of the process. For data you already hold, you will need to think about whether you have current permissions for how you fundraise using people’s information.
Be careful of seeking consent from people by email where you already hold their information as there have been recent cases involving Honda and Flybe where the ICO has issued fines for the communication seeking consent breaching the Privacy and Electronic Communications Regulations (PECR), which is a separate law to the Data Protection Act 1998. There is a currently a draft law at European level called the E-Privacy Regulation that may shortly supersede the PECR – watch this space for more updates. The E-Privacy Regulation is designed to strengthen online users’ rights in electronic communications.
- For fundraising, the next question is: has the person consented to receive fundraising information from us?
And was that consent clear, unambiguous and informed? If the person hasn’t consented, on what basis are you processing their information? In direct marketing circles, much has been made of the ‘legitimate interest’ ground for processing. The ICO are clear that this has historically been used as a get out of jail free card and this will not be acceptable under the GDPR for charity fundraising, except in very limited circumstances.
- And finally: what are we doing to become compliant with the General Data Protection Regulation (GDPR)?
The GDPR will come into force on 25 May 2018 across the EU. It will apply directly in the UK despite Brexit, and applies to all organisations that process personal data including charities. The management board of the charity as well as the trustees should have oversight of all data protection processes and should start implementing GDPR compliance immediately if they haven’t already. Your legal advisors should be conducting Data Protection Audits of charity processes around collection and use of personal data.
The GDPR will bring a huge change in the data protection landscape and for most charities that carry out fundraising activities it will necessitate significant changes to charity operations. The best advice is to start getting ready now.