After the Storm: Fundraising Research and GDPR
Lawrence Simanowitz and Hannah Lyons from Bates Wells discuss what GDPR has meant for major donor fundraising from a legal and compliance position, ahead of a session at the Major Donor Fundraising Conference later this month.
Gradually, major donor fundraising is getting back onto its feet. Some wondered whether it would ever recover after first being hit by the 2015/16 media stories and subsequent aggressive ICO fines and then having to adjust to the arrival of GDPR in May 2018.
However, major donors are a critical building block in the architecture of many charities’ funding models. Indeed the very origins of today’s concept of charity goes back to the philanthropists of the middle ages, and the legislation that Queen Elizabeth I put in place to facilitate their benevolent aims. So of course major donor giving (together with the prospecting that is intrinsic to this form of fundraising) was going to survive the downturn, and today the legal and compliance position does not look as gloomy as it did just a couple of years ago.
The introduction of GDPR did of course mean that charities and their major donor fundraising teams needed to review their data practices and consider whether they were compliant with the new regime. But GDPR merely built on what had existed before – it was not an enormous shakeup, despite the worries that existed at the time (and which remain in some quarters). In addition, the highwater mark of the ICO’s restrictive views on prospect research have now receded somewhat. New guidance , developed by and for the sector, including the ‘Connecting People to Causes: A Practical Guide to Fundraising’ produced by the IoF and Bates Wells takes a balanced approach to prospect research. Helpfully it was reviewed by the ICO and reflects their more recent views on this area.
Dealing with personal data
So where does this leave us in terms of what major donor fundraisers can and can’t do with personal data?
Well firstly, it is important to remember that consent is not always needed in order to gather information about a potential major donor. It may be possible to rely on legitimate interests to undertake these forms of processing. This will very much depend on the nature of the data/research and how intrusive this may be (the more intrusive the more likely consent will be required). A legitimate interest assessment (LIA) must therefore be carried out to balance the interests of the charity in conducting the research against the privacy rights of the individual. In some cases it may also be prudent to conduct a fuller Data Privacy Impact Assessment (DPIA), particularly if the exercise involves a large amount of data and/or new or potentially controversial forms of processing.
It is also important to remember that consent will be needed it any of the research includes special category (sensitive) data such as information about a person’s religion, ethnicity and health (amongst other things).
It is also essential to inform individuals that their data will be used in this way – for example within the charity’s privacy notice. This can be challenging when you are researching new prospects as they will not have previously been provided with the charity’s privacy notice, especially as GDPR requires you to inform them within 30 days.
Contacting prospective donors
So, once you have completed your research and have identified a major donor how can you contact them?
If you contact them by post, consent is not needed – but a LIA will need to be completed. Consent is also not required when calling people on the phone (unless that person is registered on the Telephone Preference Service). Consent is needed for direct marketing by e-mail and text. The definition of direct marketing is wide and is likely to catch most fundraising approaches including, for example, invitations to events as wells as direct asks.
Our top tips for compliant fundraising research are:
1. Identify a solid legal basis for undertaking research activities. This may be consent, or may be “legitimate interest” based on LIAs (and DPIAs where appropriate)
2. Develop a research/profiling policy that sets out the scope of the research you will undertake and ensure that all staff are clear on what they can and can’t do
3. Ensure that your privacy notices are clear and transparent on the subject of prospect research and profiling.
4. Be clear on which platform you are permitted to use to contact major donor
5. Check the Code of Fundraising Practice
Lawrence Simanowitz is a Partner and Hannah Lyons is Senior Associate at Bates Wells
Lawrence Simanowitz will be running a session on 'Prospecting for major donors post GDPR: What does the law allow and what does the law require?' at the Major Donor Fundraising Conference on 27 January 2020. View the full programme and book your place here.