With GDPR looming, data protection is a 'hot topic' and over the last few months there have been a number of developments in this area (as outlined below) that will impact the Third Sector.
Much of the discussion around GDPR has focused on how charities use consent for donors in the context of fundraising - however understanding the new rules and how they apply to other areas of your organisations activities is equally as important; for example in your campaigns, how you deal with volunteer data, the extent to which you process and share data in your partnering arrangements with other organisations to deliver services or simply that you have employees and trustees – all of these areas will be impacted in some way by the GDPR.
1. ICO Guidance on Consent
The ICO's consultation on its draft GDPR consent guidance closed at the end of April and we eagerly await sight of the opinions. As currently drafted, the draft guidance summarises the following requirements for GDPR valid consent:
- unbundled: consent requests must be separate from other terms and conditions;
- active opt-in: use un-ticked opt-in boxes;
- granular: give options to consent to different types of processing separately;
- named: name your organisation and any third parties who will rely on the consent –precisely defined categories of third-party organisations will not be acceptable;
- documented: keep records to demonstrate consent, including when and how the individual consented and what he/she was told;
- withdraw: inform individuals of their right to withdraw consent at any time, and how to do this (it must be as easy to withdraw consent as it was to give it); and
- balanced relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller.
Charities should review the consent mechanisms used for all individuals related to the charity (e.g. service users, staff, donors, supporters, volunteers, trustees and partners) to decide whether consents should be 'refreshed' prior to May 2018. It is also important to remember that consent is not the only legal basis to process personal data.
For a fuller review of the ICO's draft guidance check out our recent blog series: Part 1, Part 2, Part 3, Part 4 and how it may impact many areas of your organisations work.
A new e-Privacy Regulation has been proposed which will overhaul the rules on privacy and electronic communications. The intention is to implement the e-Privacy Regulation along with the GDPR on 25 May 2018. The ePrivacy Regulation is still in draft form however below we have outlined some of the key changes expected:
- territorial reach: applies to the processing of electronic communications carried out in connection with the provision of electronic communications services in the EU, irrespective of whether the actual processing takes place in the EU;
- expanded scope: applies to providers of non-traditional services that run over the internet ("OTT" service providers) e.g. instant messaging providers, social media messaging, VOIP and web-mail.
- cookies: non-privacy intrusive cookies that merely improve internet usage (e.g. to remember shopping cart history) will not require consent at all!;
- marketing: default position of opt-in consent to all electronic marketing; and
- enforcement: the penalties under the Regulation will greatly increase as they align with the higher GDPR fines (up to the higher of €20m or 4% of an organisation's total worldwide turnover).
The e-privacy changes are important for all Third Sector organisations as most will have a website or use social media to interact with supporters. Organisations should review their procedures and policies (especially cookie policies) to ensure compliance with the e-Privacy Regulation - and of course GDPR.
3. New Guidance on Fundraising
So it's not just all about consensual fundraising - but it is still relevant, and both the Fundraising Regulator and the IoF have issued guidance in recent months to assist charities in relation to GDPR and fundraising:
(1) The Regulator's guidance is focused on fundraising and the surrounding issues of consent, purpose and transparency. What can you learn from this guidance? – define the purposes for which your charity collects and uses personal information, and confirm which purposes are direct marketing; where you rely on consent define how you will obtain express consent and for how long consent will last; and ensure each data collection point contains a privacy notice. Most of the "take-aways" from the Fundraising Regulator's guidance are equally applicable to any processing your charity carries out in relation to personal data. In particular - defining the purposes for which your charity collects and uses personal information will be critical in any review that your organisation will carry out in relation to understanding how your charity will comply with the GDPR; without an understanding of what data your charity collects and the purposes for which the charity then uses it, it will be very difficult to make any assessment of where your charity requires to make changes to achieve GDPR compliance,
(2) The IoF's guidance on Fundraising and GDPR was issued earlier this month. This guidance helpfully sets out the GDPR essentials for fundraising organisations including top tips for preparation, the new rules around opt-in consent for direct marketing, and a summary of useful FAQs.
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.