The Institute of Fundraising (the 'IoF') has updated its guidance, GDPR: The Essentials for Fundraising Organisations, to take into account a number of questions the IoF has received from fundraisers since the introduction of GDPR last May.
The guidance was originally published before GDPR came into effect, and – although this should be viewed more as an update than saying anything substantially new - the IoF hopes that updating it will emphasise to fundraisers the importance of regularly reviewing their data processing procedures and ensuring they are operating in line with the law.
The focus of the guidance remains on how charities decide on which lawful basis of processing personal data they should rely on in a particular situation. In relation to fundraising activities, other than unsolicited e-marketing regulated under PECR (see below), this generally means a choice between individual consent or legitimate interests. Ultimately, the guidance concludes that each charity must decide their own approach, based on fundraising strategy, the size of the organisation, and who it will be communicating with.
Using consent
Where relying on consent, GDPR has raised the legal standard. For example, consent now requires an 'unambiguous' positive action which shows the person is happy to receive communications in future. Most often this would be a clear "opt-in" box which the individual has to actively tick. The days of being able to assume marketing consent from an individual failing to "untick" a pre-ticked box or solely from the act of having made a donation are over.
The guidance now includes a helpful checklist for fundraisers to refer to when using consent as the lawful basis for sending communications. This includes making the request for consent prominent and separate from other terms and conditions and providing distinct options for different purposes and types of processing.
The IoF's view is that consent is most appropriate when the charity can offer the individual a "true choice" over how the charity uses their data. Consent to receive marketing communications would not usually be appropriate when it is tied-in as a pre-condition of receiving a service.
Using legitimate interests
The alternative lawful basis for processing personal data is legitimate interests, which the guidance describes as the "most flexible" basis but requiring the "most thought". For non-electronic marketing not caught by PECR (e.g. direct marketing by post) and for other fundraising related activities such as prospect research, legitimate interests is still commonly relied upon.
To rely on legitimate interests, the guidance notes a charity must be able to show a legitimate interest behind processing the personal data (the 'purpose' test), that processing is necessary for that purpose (the 'necessity' test) and that the individual's interests, rights or freedoms do not override (the 'balancing' test). The guidance explains the Information Commissioner's Office (ICO) necessity test, clarifying that 'necessary' means actually helping to further that interest in a proportionate way and that the charity should consider whether there is a less intrusive way of achieving the same result. A charity should conduct a legitimate interests impact assessment (LIA) to record its decision.
Legitimate interests may be suitable where it is impractical to ask for consent or difficult to keep a record of it (e.g. donor research). Even when relying on legitimate interests however, individuals still need to have a reasonable understanding or expectation about how their personal data will be used (usually communicated through the charity's privacy policy). It will not be an appropriate basis for particularly intrusive forms of processing or for using special category personal data (e.g. information about a person's health, sexuality, religion or political views).
GDPR and PECR
When reviewing fundraising compliance with GDPR, charities should always keep in mind the additional obligations they have under the Privacy and Electronic Communications Regulations 2003 ('PECR') that specifically regulate the sending of direct fundraising messages by phone, fax, email, text or through other electronic media to individuals.
These rules have applied for a number of years but have taken on particular significance in the wake of recent ICO investigations into charity fundraising and, as noted above, when relying on consent under PECR to send e-marketing, higher GDPR standards of consent must now be applied
PECR distinguishes between messages sent to individuals at a personal email or phone account for which consent is needed as opposed to a 'corporate' email or phone account, to which prior consent requirements do not apply. However, the status of the recipient's address or number is not always apparent and furthermore, the email address of a partnership, sole trader or a trust would not usually fall within the 'corporate' body definition under PECR. The IoF guidance advises that in cases where it is unclear whether a recipient's email address belongs to a corporate body or not, the best practice would be to obtain positive consent.
The PECR was due to be updated alongside GDPR last year with a new EU e-privacy regulation, but the final text for the new Regulation has not yet been agreed a EU level, so currently the PECR continues to run alongside GDPR. It seems unlikely that any new e-privacy Regulation will appear before 2020 after the UK is due to exit the EU, although we expect the new EU law would still be replicated domestically. If your charity has any concerns about complying with GDPR or PECR or questions relating to the updated IoF guidance, please do contact any member of our team to discuss further.
