The GDPR makes no exemptions for charities. Charities are not unlike private companies. Fundraising activities comprise the seeking of donations, profiling of donors, or maintaining records of supporters. How different are those activities compared to a private company marketing a product or service, profiling a customer, or maintaining a customer database?
The GDPR places more focus on the controller/processor relationship so it is important to establish at the outset whether the relationship is between yourself, as controller, and a processor or with another controller. If you outsource your wealth screening or telephone calls to another company then that company is a processor. However, if that company already holds the personal data, then it is a controller. If you buy personal data from a company, that company is a controller for the purposes of selling the data, and you are a controller once you buy it.
Many believe that because personal data is in the public domain it becomes a ‘free-for-all’. Data in the public domain is not exempt from the GDPR. The GDPR makes it clear that people need to be told if their information has been obtained from publicly accessible sources – Article 14 (2)(f). Note also that the restriction on processing of special categories of personal data is lifted where processing relates to personal data which are manifestly made public by the data subject. Article 9 (2)(f)
It all starts with a Purpose
Personal data shall be…collected for specified, explicit and legitimate purposes…
The entire data protection journey starts with ‘purpose’. If you can’t describe the purpose or purposes accurately and simply at the outset, key questions about how you comply will be impossible to answer, risks will be improperly identified and assessed and your donors will be inadequately informed. Just saying ‘fundraising purposes’ is wholly inadequate – as this activity constitutes a variety of purposes.
…and not further processed in a manner that is incompatible with those purposes
If you want to use data for a further purpose, you must ensure is not in conflict with the original purpose. If it can be said to be incompatible then you may not process that further purpose. This is another reason why you must be accurate with your original purpose.
Examples of detailed and granular fundraising purposes.
Maintain a list of previous donors in order to contact them again
Maintain a list of people who have explicitly told us that they don’t want to be contacted again
Research the donors’ financial background using public sources
Outsource the researching of the donor’s financial background
Buy data from a third party to create a list of potential donors
Claim gift aid on a person’s donations
processed lawfully, fairly and in a transparent manner.
Are there other laws that are relevant to your organisation or sector that might affect how you’re using personal data? Almost definitely. Consider e.g. human rights, freedom of information, sector-specific laws etc. You need to understand the legal framework that applies to your charity. Often you will find your ‘purposes’ and legal bases within these laws.
Fairness equals ethics – broadly speaking. It is not to ask whether data processing is legal, but whether it is right – not can we do this, but should we do it. Ask yourself, on a personal level - how would I feel if this was my data or belonging to someone close to me? Think of yourself as a data subject – what would your reasonable expectations be?
The fundraising sector knows about and understands profiling and research. In many cases the public has no idea that fundraisers use as much profiling and research as they do. Do tell all in your privacy notices and consent mechanisms. Articles 13 and 14 are very clear. Oh, and plain, clear and simple language please.
Conditions / Legal basis for processing
So, now that you’ve established your purposes, under what conditions (legal basis) may you process the personal data?
There are six conditions (or legal bases) to justify the processing of personal data – Article 6. You must satisfy one of them. This is not optional, or good practice. The following four conditions do not (should not?) apply to charity work in general and fundraising in particular.
Contracts – especially in fundraising, it is unlikely that there will be any kind of binding contract between the fundraiser and the donor / prospective donor
Legal obligation – it’s unlikely that any law requires you to do any fundraising or activities associated with fundraising
Vital interests – the vital interests condition works only if someone is at immediate risk of death
Official authority / public interest: some fundraiser may argue that raising charitable funds is a task carried out in the public interest – what are the chances of that being a reality – or even legal?
The condition of Consent
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
Freely given – the person must be given a free choice in the first place, and they must be able to change their minds at any time. You can’t trick someone into giving consent and when they tell you to stop, you must stop.
Specific – the processing that they are agreeing to must be clear – what marketing are they going to receive? Who will it be from? Asking someone to agree for their details to be shared with ‘carefully selected third parties’ isn’t specific. If you want to do wealth screening with consent, asking the person to agree to ‘fundraising purposes’ isn’t specific.
Informed – if the person doesn’t properly understand how their data is going to be used, then the consent is not valid. You have to spell out what they’re agreeing to, in language that they understand. You cannot bury the purpose in terms and conditions that the person might not read or understand.
Unambiguous indication – no more opt-out or pre-ticked boxes
Examples of what you cannot say in your direct marketing communications:
Untick this box
Tick this box if you do not want to receive marketing (especially if the marketing is email or text)
Text STOP to xxx
By giving us your details for (something unrelated), you agree to receive emails
How long does consent last?
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate. The real limit of how long consent lasts is what you tell the person at the start. The crucial factor is the ability for data subjects to unsubscribe in every marketing communication with them.
If you believe that you have consent to a GDPR standard, there is no need to renew it before May 2018. However, if you do not have consent, you will need to go back to the data subject and obtain consent. If you email an existing donor or contact knowing that they have opted out or never gave consent in the first place, an email requesting / suggesting that they opt back in is essentially marketing. If you don’t have consent to send a marketing email, you don’t have consent to send an email asking the person to opt back in. The only valid way to contact the person is by post, or face to face if that opportunity arises.
The condition of Legitimate interests
Article 6 (1)(f) where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
It should be safe to assume that a charity raising funds would be doing so in the legitimate interest of the charity just as making a profit would be for a commercial business. And here lies another reason why it’s important to break down the generic purpose of ‘fundraising purposes’. From Article 6 (1)(f) it’s clear that the processing must be necessary – so, for example, profiling donors and potential donors isn’t necessary for the straightforward process of administering donations, but should be treated as a distinct purpose. Be aware though – there is no legitimate interest legal basis in Article 9 – (processing of sensitive personal data).
The exception in the definition demands a balancing test. It is useful to imagine both the legitimate interests of the controller and the impact on the interests and rights of the data subject on a spectrum. Legitimate interests can range from insignificant through somewhat important to compelling. Similarly, the impact on the interests and rights of the data subjects may be more or may be less significant and may range from trivial to very serious. Consider wealth screening – high net-worth individuals may expect a certain element of research and, in this case, may build a case for legitimate interests as an alternative to consent. But what if you are screening several million people? You can make a sensible argument that legitimate interests works for specialised cases, but profiling millions isn’t the same thing.
(GDPR creates a problem for universities and other public bodies that carry out fundraising – the use of legitimate interests is forbidden for a public body carrying out its own tasks)
Obtaining data from third parties
There are legitimate sources for addresses (the open electoral register) and phone numbers (from telecoms organisations). These sources don’t cover everyone but they are legitimate and the data has been fairly obtained. Using them won’t undermine the fairness of your processing. If your data source is illegitimate, you cannot comply with the first GDPR principle.
You are not obliged to obtain data directly from the subject, but compliance is more difficult when you don’t. The onus is on you to show that you have fairly obtained the data, which means you need evidence from the data supplier about when and how the data was obtained, including if and how consent was obtained and whether those data subjects were explicitly informed about your charity.
An organisation that shares or sells data to you is a data controller, but you become the data controller for it once it is received. You cannot claim innocence or ignorance if it turns out that the data is stolen, or the supplier has misrepresented the purposes for which it was obtained. Even if the supplier lies to you (‘opted-in’ and ‘fully consented’ are two lies to look out for), once you process the data, you are responsible for its flaws. Ignorance is no defence.
Profiling under the GDPR
Essentially, this is the use of machine or computer-based analysis or decision-making – the creation of a profile isn’t enough to trigger the GDPR’s requirements, it needs to be done using a computer program or similar technique.
Several things are required once profiling is being undertaken:
- individuals must be informed that decisions affecting them are being taken using profiling
- they have a right to challenge the use of profiling, especially where the justification is legitimate interest and to demand the opportunity to make representations and for human intervention
- data protection impact assessments have to be carried out where profiling will have significant legal effects on the individual
e-Privacy Directive (soon to be Regulation)
Which is concerned with the processing of personal data and the protection of privacy in the electronic communications sector.
It’s a fallacy (and dangerous) to think that advertising or marketing material that promotes the aims and ideals of a not-for-profit organisation are exempt from the GDPR. The e-Privacy Directive (PECR in the UK) sets up the rules for consent over electronic direct marketing (consent for automated calls, opt-out and ‘do-not-call’ lists (TPS in the UK) for live calls, consent for emails and texts).
Live calls – consent or legitimate interest if they are not registered on a Member State’s ‘do-not-call’ list; if they are registered on list, you can’t call them unless they specifically tell you that you can.
Automated calls – You can only make automated calls to those who have consented. This method is very much associated with spamming – do you really want to use it?
Email/SMS – You can only send texts and emails to those who have consented. You cannot send an email requesting consent – this is considered ‘direct marketing’
The soft-opt in
Charities can use the soft opt-in when selling products and services, just not when receiving donations. Why? The Directive states – where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service…of which donations are not.
This is not the be all and end all of data protection for charities – it’s merely to provide an assist to get you on the right track. There are many more requirements which flow from the remaining principles and provisions of the GDPR.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018