CAN sat down with Stephen Service, Policy Manager at the Fundraising Regulator to find out more about how charities can be prepared for changes to the General Data Protection Regulation that will be enforced on May 25th 2018.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It applies to any personal data you use as an organisation. That is, data that could be used to identify an individual.
“Processing personal data means doing pretty much anything with the data. Collect it, store it, screen it, use it to send direct marketing to individuals, delete it: all of these activities have data protection implications. You may want to use the data for some or all of these purposes and you need to know you have a legal right to do so.”
Consent and Legitimate Interest
“There are six conditions that you can use to justify processing an individual’s personal data and you have to choose what is the appropriate basis, based on the purpose for which you want to use the personal data. The two most common bases in terms of charities and direct marketing are consent (from the individual) and legitimate interest. Legitimate interest is when you have reason to believe an individual may be interested in being communicated to.”
“Organisations that rely on an individual’s consent as a basis to process their personal data should be aware that GDPR is tightening the rules around what you need to do to be legally compliant. The ICO have advised that organisations need to be able to show they have a positive indication of consent. For example, if you use tick boxes for individuals to express their communication preferences, these will need to be opt-in, as opposed to opt-out.
“You need a positive indication of consent.”
“It needs to be a granular and unambiguous indication of consent. Granular consent means consent gained for each of the distinct purposes for which you want to use the data. If there is any possibility that the consent you have from the individual could be interpreted in more than one way, it won’t be unambiguous. For instance, I might say: ‘if you don’t tick this box, we’ll assume you’re happy to hear from us’. But I don’t know whether the silence I get in response means you’ve read it or not – it’s ambiguous and I can’t rely on it as consent to justify contacting you.”
“Consent does not last forever so it is good practice to refresh your consent on a fairly regular basis.
“If your purpose is to promote the charity, you could say, ‘We are renewing consents in line with GDPR and we noticed that our consent with you is out of date. We are keen to continue to communicate with you for the purpose of informing you about our work - please tick this box if you would like to continue to receive our communications.’”
Legitimate Interest
“Some charities choose to use ‘legitimate interest’ instead of consent to process personal data. Where the processing involves sending charity communications, you are only allowed to use the legitimate interest condition to contact people via post (or live phone calls where the individual isn’t registered with the Telephone Preference Service). Legitimate Interest can’t be used for communications via email or text message.”
“If you choose to use legitimate interest to collect personal data from an individual for any reason you must consider what the individual would reasonably expect. That includes telling that individual how you will use their data (a “privacy notice”), what you believe your legitimate interest is and how they can object if they wish to.
“If you have identified a legitimate interest to contact an individual, you then do a balancing exercise.”
“A balancing exercise involves checking that your own interests in how you use their data aren’t outweighed by the rights and interests of the individual. You need to be able to evidence that you’ve done this exercise.”
Contractual arrangements
“If you have a contractual arrangement with individuals as opposed to a fundraising relationship, for example a paid charity membership which includes entry to national parks, there are certain communications that you can send on the basis of fulfilling that contract. Where you are required under the contract to deliver certain services, you could justify it under those terms.
“If you can’t deliver a paid-for service unless you’re communicating with the service user, that could come under ‘reasonable expectation’ of the contract that you are delivering. It is advised that you make it as clear as possible in the contract and keep people informed about what their information will be used for under the terms of the contract. If that changes, let them know. Individuals can then object if they don’t wish for their personal data to be used in a particular way.”
“No matter what basis you use to justify your use of personal data, it is really important to record your decision-making process and evidence which type of communication you have chosen to use with a rationale to explain how you came to that decision. If you have a paper trail to record your decisions and you’ve covered all bases, you will be fine if an auditor were to run an audit.”
Does it need to be signed off?
“A data manager or controller in your organisation can sign off your rationale. You can choose to be audited by an independent auditor but it is not compulsory.”
What should happen with old data?
“You should only keep data as long as you need it to fulfil the purposes you collected it for in the first place. There is a new ‘right to be forgotten’ and in the current Data Protection Act there is a rule that you only keep data for as long as necessary. If you can’t identify why you still need it, or why you ever needed it in the first place, it should go.”
The only way to know if you are legally compliant is by knowing what personal data you hold and why you hold it. So do a data audit as soon as possible to identify the purposes for which you hold personal data on your systems and your lawful basis for having it on your database.
Will GDPR have an impact on how surveys are run?
“You will need to consider what the individual’s ‘reasonable expectation’ would be in receiving that survey. Surveys sent for the administrative purpose of improving organisational practices or services may be easily justified as they are reasonably expected by the individual as a service user, but we often see surveys where the real purpose is self-promotion. That kind of contact may be harder to justify as reasonable expectation. Where your basis for contact is sound, you should be clear and transparent on what your purpose is for making contact and how their views will be used.”
Top tips for charities
- The most important thing is to audit the data you currently hold, particularly older data
- Have an appropriate basis for historical data – do you really need it?
- Ensure that you are not sending communications out to people who did not initially want to be contacted (third party data)
- Don’t use legitimate interest as a ‘get out’ for consent; consider the purpose for contacting them
- Don’t fit the condition for processing around your needs
- Offer individuals a way to opt-out of further comms. It must be as easy to opt-out as it was to opt-in in the first instance.
- You don’t need a tick box for every type of comms; group purposes together. For example, fundraising and fundraising events
- As long as you justify it and you have a rationale that you have recorded, you should be fine!
- The ICO have said that if you are compliant with the Data Protection Act, you are on the way to being compliant with GDPR