With the General Data Protection Regulation (GDPR) enforcement date only a few weeks away, here is a summary of queries we have received and some practical guidance on becoming compliant.
If your charity is compliant in terms of the current Data Protection Act, you are almost there with GDPR compliance. The GDPR is a development of existing data protection laws, not an overhaul. The Information Commissioner’s Office (ICO) has said that there will be a soft landing for charities post-25th May in relation to non-compliance and penalties, but it must be shown that the charity has taken steps towards compliance. As they say, ‘ignorance of the law is no excuse’. The ICO are encouraging data controllers to ‘self-regulate’. Similar to OSCR’s Notifiable Events Scheme, the ICO will take into account self-reporting when dealing with non-compliance and considering regulatory action.
How do you eat an elephant? One bite at a time…
Trying to absorb the ICO GDPR guide as a whole is difficult – break it down into sections, do one thing at a time. That’s why the key guidance note from the ICO is a 12 step process. Start your data audit and take it from there. Some charities have found it difficult to deal with the general and subjective nature of the principles-based approach of the GDPR: you can only understand your own charity’s position, apply the principles and adopt compliant procedures once you have a full and clear understanding of the data you hold and how you use it.
How long can you rely on consent? Is there an expiry date?
Unfortunately – or fortunately, depending on how you look at it – there is no set period for how long consent lasts. Issued guidance states that ‘it will depend on the context’ and ‘you should review and refresh consent as appropriate’.
What is reasonable in your circumstances? It has been suggested that renewal of consent every 12-24 months is best practice. But how achievable is this in practice? This is a policy point that should be agreed by trustees by taking into account the purpose and need for data in their own charity’s context. Once agreed, it should be explained and justified, and consistently implemented.
Can you assume consent for direct marketing from the existence of a direct debit?
Strictly speaking, no, you cannot assume consent through the act of donation alone. If donors have not said that you cannot contact them, you may be able to rely on legitimate interest but you must give them the option to opt out of communications. If an individual has made a donation, it is normally accepted that it is in the charity’s interest to evidence to the donor how their donation was used and to maintain a relationship with the donor.
Is placing your business card in a bowl an indication of consent?
This is an illustrative example contained in the most recent Institute of Fundraising/Fundraising Regulator (IoF/FR) guidance - if it is made clear to an individual that the charity will contact them by direct mailing if they put their card in a bowl, the act of dropping the card in the bowl is a positive action, and an affirmative form of consent. You would need to ensure this method of obtaining consent was recorded, and it may be prudent to follow up with a letter advising of this, in a similar way as you would do for verbal consent. This also gives you an opportunity to advise the individual of your privacy notice and their right to unsubscribe from communications.
Can you contact someone to ask for their consent for direct mailings if you don’t have their consent to contact them in the first place?!
If you decide to obtain the consent of data subjects to send them direct mailing, it may be the case that you don’t have consent to contact them in the first place to ask for their consent! It is likely that you would need to rely on legitimate interest to contact them in the first instance and then rely on consent for future mailings. This is why it is likely that a combination of the lawful bases of opt-in/consent and opt-out/legitimate interest will be required.
Can I use publicly available information?
You can use publicly available information, but you must do so in compliance with GDPR and the relevant data protection legislation.
Fundraisers may, for example, wish to use publicly available information (such as information on Companies House/social media etc) for fundraising purposes. You cannot use such information as you see fit with no restrictions. Fair processing information must be given to the individual and you must consider the individual’s rights and reasonable expectations of how their publicly available data will be used.
This is a balancing exercise and the most recent IoF/FR guidance contains the example of reviewing someone’s employee biography on their employer’s website to reviewing someone’s Facebook account – you must consider the context. Legitimate interest it likely to be the lawful basis for processing here.
Compliance with the GDPR extends to informing an individual of your use of their data at an early and appropriate time, which can be done by providing them with your privacy notice and giving them a chance to opt-out and/or object. If you are researching new individuals (who have not seen your privacy notice), it is strongly suggested that you inform them of the types of data you have stored and the processing involved when you first make contact or within 30 days (which is the time frame given by most commentators), whichever is sooner, and inform them of their privacy rights, including the right to object.
If your charity has any GDPR related queries, please contact the Charities Legal Team email@example.com.