With the General Data Protection Regulation (GDPR) enforcement date approaching fast, here is a summary of common queries and some practical guidance for fund-raising charities on becoming compliant.
Don’t panic! If your charity is compliant in terms of the current Data Protection Act, you are almost there with GDPR compliance. The GDPR is a development of existing data protection laws, not an overhaul. The Information Commissioner’s Office (ICO) has said there will be a soft landing for charities post-25 May in relation to non-compliance and penalties, but a charity must show it has taken steps towards compliance. Ignorance of the law is no excuse. The ICO is encouraging data controllers to ‘self-regulate’. Similar to OSCR’s Notifiable Events Scheme, the ICO will take into account self-reporting when dealing with non-compliance and considering regulatory action.
How do you eat an elephant? One bite at a time… Trying to absorb the ICO GDPR guide as a whole is difficult – break it down into sections, do one thing at a time. The key guidance note from the ICO is a 12-step process. Some charities have found it difficult to deal with the general and subjective nature of the principles-based approach of the GDPR: you can only understand your own charity’s position, apply the principles and adopt compliant procedures once you have a full, clear understanding of the data you hold and how you use it.
How long can you rely on consent? Is there an expiry date? There is no set period for how long consent lasts. Issued guidance says ‘it will depend on the context’ and ‘you should review and refresh consent as appropriate’. What is reasonable in your circumstances? It has been suggested renewal of consent every 12-24 months is best practice. This is a policy point that should be agreed by trustees by taking into account the purpose and need for data in their own charity’s context.
Can you assume consent for direct marketing from the existence of a direct debit? Strictly speaking, no. If donors have not said you cannot contact them, you may be able to rely on legitimate interest but you must give them the option to opt out of communications. If an individual has made a donation, it is normally accepted that it is in the charity’s interest to evidence to the donor how their donation was used and to maintain a relationship.
Is placing your business card in a bowl an indication of consent? This is an example contained in the most recent Institute of Fundraising/Fundraising Regulator guidance – if it is made clear the charity will contact them by direct mailing if they put their card in a bowl, the act of dropping the card in the bowl is a positive action, and an affirmative form of consent. You need to ensure this method of obtaining consent was recorded and it may be prudent to follow up with a letter.
Can you contact someone to ask for their consent for direct mailings if you don’t have their consent to contact them in the first place?! If you decide to obtain the consent of data subjects to send them direct mailing, it may be the case that you don’t have consent to contact them to ask for their consent! It is likely that you would need to rely on legitimate interest to contact them in the first instance, then rely on consent for future mailings.
This is why it is likely that a combination of the lawful bases of opt-in/consent and opt-out/legitimate interest will be required.
Can I use publicly available information? You can use publicly available information, but only in compliance with GDPR and the relevant data protection legislation. Fundraisers may wish to use publicly available information (Companies House/social media etc.) for fund-raising purposes. You cannot use such information as you see fit. You must consider the individual’s rights and reasonable expectations of how their publicly available data will be used.
Compliance with the GDPR extends to informing an individual of your use of their data at an early and appropriate time, which can be done by providing them with your privacy notice and giving them a chance to opt-out and/or object. If you are researching new individuals, it is strongly suggested that you inform them of the types of data you have stored and the processing involved when you first make contact or within 30 days (which is the time frame given by most commentators), whichever is sooner, and inform them of their privacy rights.
Debbie McIlwraith Cameron is a senior solicitor in Turcan Connell’s charity law team