At the unprecedented gathering in Manchester, the Fundraising Regulator launched their long-awaited guidance – and the ICO made clear that charities are at a crossroads when it comes to using personal information for their fundraising, promotional and campaigning activities.
There were a number of key messages worth noting from the ICO’s keynote speech:
- “We’ve always done it this way [is] a particularly perilous phrase if what you’ve “always done this way” is not follow the law”
- “The Data Protection Act does not stop you from doing your jobs… It simply obliges you to do it in such a way that respects the fundamental privacy rights of each and every one of your donors, your supporters, and your volunteers”
- “DPA is a principles based law…ignorance is not bliss”
- “People have a fundamental right to privacy”
- “Trust is a cornerstone of success…and we know that trust also builds reputation. Both can be easily lost when people discover you haven’t been completely transparent about how you’re using their information”
- “Change comes from the top. Data Protection is a matter for the Board room…You are accountable. You have the power to set the standards for your organisation”
- “GDPR…is a game-changer for everyone”
- Find a “way to excel within boundaries of the rules”
Bottom line: “You can cling to the belief that we’ve got the law wrong or that it doesn’t apply to your sector or that the regulatory burden is too great. Or you can commit to positive change. Change that, in my view, is not only achievable but will reap its own rewards.”
These messages are echoed in the Fundraising Regulator’s new guidance and supporting tools.
Gary Shipsey, Managing Director of Protecture and co-author of the Guidance and supporting tools, introduces these below:
Personal Information and Fundraising: Consent, Purpose and Transparency – download
The Guidance is designed to help charities better understand their current responsibilities (the Data Protection Act and the Privacy Regulations), existing Codes of Practice, and the forthcoming GDPR requirements when looking to use personal information for Direct Marketing.
It guides you through the three related elements of compliance:
(a) Clarity of purpose
Clearly defining what Direct Marketing activities your charity wants to use personal information for.
(b) Lawfulness – e.g. consent, or legitimate interests
Establishing the lawful basis on which you plan to obtain and use personal information for the purposes you’ve agreed on. The channels of communication you wish to use to communicate with people are central to this.
(c) Fairness and Transparency
How your charity will ensure individuals are treated fairly, know about your proposed use (or uses) of their personal information, and can use their rights to manage their personal information.
Download the Guide here.
Actions Checklist – download
An actions checklist appears at the end of each section of the Guidance. These checklists suggest actions that fundraising organisations should consider in follow-up to the issues raised. For ease of use, the actions have been separated into a single checklist.
Download the checklist here.
Consent Self-Assessment Tool – download
The consent self-assessment tool provides a means of self-assessing the standard of consent you currently operate and your current degree of compliance.
This is an important assessment. Consent held at the time the GDPR becomes law will only remain valid if (a) it already meets the existing standard of consent defined in the Directive, and (b) the manner in which the consent was given is in line with the conditions of the GDPR (for example: silence, pre-ticked boxes or inactivity were not used as a means to obtain the consent).
You may conclude, for some sets of personal data, that the consent you currently hold meets the required standards – and you can and will rely on the consent going forward into May 2018.
You may conclude, for some sets of personal data, that you need to seek updated consent – to ensure it meets the GDPR standard.
Seeking updated consent requires you to have consent to the current standard required by the DPA (as the act of seeking further consent is itself processing their personal information for a direct marketing purpose). Again, the consent self-assessment tool can be used to make this assessment.
Download the consent self-assessment tool here.
Case Studies – download
The case studies we have included alongside this guidance provide examples of various ways in which charities are changing their fundraising practices with a view to complying with data protection requirements.
Download the case studies here.