10 things we learned from the joint regulatory event
Following the joint regulatory event in Manchester yesterday, IoF Head of Policy and Research Daniel Fluskey gives us his take on the 10 key areas.
1. The ICO and Fundraising Regulator are working together and will continue to do so
This is a good thing. We need a joined-up approach to regulation and a consistent view between the statutory regulator of data protection (ICO) and the body responsible for regulating fundraising (FR). It is really important that all charities and fundraisers understand their legal obligations and that the different codes of practice are aligned so that there is a shared position about what the law is.
2. Researching, profiling, use of data in the public domain are not in themselves unlawful. But not adequately informing people of how you use their data is
The fundamental issue with the recent fines and action around profiling and wealth screening is that charities were not providing sufficient information to individuals so that they would be appropriately informed as to how their data would be used. (And if an individual doesn’t have the right information then they can’t exercise their choice to agree or object to that use of data). As the ICO says in its conference paper, “The DPA doesn’t stop you getting and using information from publicly available sources.” But you have to do it fairly and lawfully. So all charities should be reviewing, and where necessary updating, their privacy policies and fair processing notices to make sure they properly cover how an individual’s data could be used.
3. Legitimate interest can be a valid basis for data processing and for sending postal direct marketing – but it will be for charities to undertake a balancing exercise and make a judgment call
This is one area where there isn’t an easy yes or no answer. Yes, charities may have a legitimate interest in sending marketing material or processing data, but it won’t always be a given that it will be fair and lawful. Where the legitimate interest infringes an individual’s rights then it won’t be valid and so would only be able to take place if you had consent instead. As the ICO says, this is going to be a risk-based approach. They have made it clear that for some forms of wealth screening or really in-depth research where the impact is ‘intrusive’ on the individual, legitimate interest is unlikely to pass the test. So, fundraisers are going to have to get to grips with legitimate interest and understand how to undertake a balancing exercise and satisfy themselves that the processing is fair and lawful. While the ICO said that they don’t want to stop fundraising, and Elizabeth Denham the Information Commissioner said ‘we are not the department of ‘no’’, I prefer the quote from the ICO’s Richard Marbrow who said ‘we are the department of it depends.’ While it may not be possible to give cast-iron guarantees, we hope that this is one area where we can work with the ICO and the Fundraising Regulator to get greater clarity on where the boundaries are and what is likely to be acceptable or not.
4. ‘Opt out’ is, and will be ok, but it is not the same as consent
Opt out vs opt in has been a red herring in terms of the law. The right question is whether an organisation has consent, or has a legitimate interest, to be able to undertake direct marketing. If an individual gives their details, is provided with an adequate fair processing notice, and does not tick a prominent ‘opt out’ box for future marketing, they have not given consent to future communications. But, by not ticking that ‘opt out box’ they have not registered their objection, and so it is likely that a charity can rely on legitimate interest to send direct marketing by post, or call non-TPS phone numbers. This is the case now, and will be the case under GDPR when it comes into force in May next year.
5. There are still more questions than answers, but some clarity is forming
The ICO’s guidance provides their view on the law. The Data Protection Act (DPA) is, in the main, principle based around fair treatment of data. So it is often about interpretation and judgment rather than hard and fast rules. This inevitably leads to a number of practical questions for charities and fundraisers to consider about how they can make sure that their current and future practice is lawful and follows the general principles. A lot of the questions at the regulatory event were about practical detail – how and when should privacy notices be promoted or made available to donors? What level of research is considered so ‘intrusive’ that it is likely that you’d need consent? What to do about historical data? We are starting to get some of the answers – and hopefully the questions and answers from the workshops in Manchester will be written up and confirmed. There will always be more questions though and we’ll be working, in partnership with others, to try and get as much clarity as we can for fundraisers moving forward. We’re glad that the ICO have already committed to meeting with us to work through some particular points of detail which we hope we can do soon.
6. The Fundraising Regulator is taking a view on best practice
The Fundraising Regulator released its guidance yesterday. This goes through the legal requirements and regulatory requirements for charities and fundraising around data protection and direct marketing as it relates to fundraising. It takes a toolkit approach with resources, checklists, and case studies, with the aim of being a practical and helpful piece of guidance. Importantly, the Fundraising Regulator has made it clear that the document is ‘guidance, not standards.’ Of course the Fundraising Regulator can give a view on what they consider good practice to be, but it is important that these are not presented as ‘rules’ so that everyone (fundraisers, trustees, members of the public) can be clear about what the requirements are. If it’s a rule that you have to follow, and will be held accountable to if you don’t get it right, then it has to be in the Code of Fundraising Practice – and recommendations or proposals for change in the Code should go through open consultation (as is currently taking place on a number of issues).
7. Not everyone will agree on the rules and the interpretation of the law, but we need to do better in how we disagree.
The subject matter is important and emotive. People are concerned about their charities and how this will impact on their ability to engage supporters and give them the best experience of fundraising. And of course where the law is interpretive, and the standards for fundraising are set through an independent regulator, there will always be differing views and ideas of ‘what is right’. Part of the reason for the event in Manchester was to start a dialogue and discussion building on recent enforcement activity. The tone and manner of that discussion is important. The fundraising sector needs a strong and constructive relationship with those that regulate it (whether Charity Commission, Fundraising Regulator, or ICO). This isn’t at all to say that people can’t or shouldn’t hold different views – but we should be mindful of the impact and effect of how we engage with the regulators and try to do so in the most positive way moving forward.
8. Yes, this is about regulation. But more importantly, it’s about donors and the public.
Fairness and transparency. Clarity and choice. Being informed about how your data is being used. Giving people the best experience of charity fundraising and connecting people to causes they care about. Understanding more about those individuals so that they can receive more meaningful and individual communications. That’s what this is all about. Of course the legal requirements provide the framework through which this has to happen, but this isn’t just a philosophical legal essay question. It’s about the future of fundraising and philanthropy and giving in the UK and the right practice that gives people the best experience of fundraising. Law and regulation will take you part of the way in how to do that, but arguably more important are the values, culture, and approach that individual organisations take to make sure that they are building positive relationships with supporters.
9. We need a better and fuller shared understanding of the role and value of research in fundraising and how it delivers positive outcomes for donors.
As long as it is done according to the law it works for everyone; researching and understanding supporters better enables charities to tailor their approaches to them appropriately as well as identify potential new supporters. It means people get communications that are relevant to them and provides opportunities for people to support charities in different ways and, yes, potentially ask some people to give more who might be able to. Indeed, in the academic work by Beth Breeze and Theresa Lloyd, Richer Lives: Why Rich People Give, it was found that 78% of major donors said that better research before they are approached by a non-profit is the most significant area of improvement in fundraising in the past 10 years. We are now working with Beth to look at this in more detail and will have the findings from a survey of over 300 respondents soon on how and why charities undertake research and the value that delivers.
10. It might seem hard, it might seem complex, it might take more work, but getting this right is absolutely fundamental.
We are probably somewhere in the middle of a process. It started with the ICO fines (the investigations themselves starting in 2015), we’ve now got some further information and detail on how the law applies to certain practices, and ideas of best practice. Some organisations themselves have moved to ‘opt in’ or consent as the only means by which they will contact supporters. But this isn’t the end of the discussion. The ICO will be bringing out updated direct marketing guidance in a few weeks to make sure that their guidance is up to speed with the requirements of GDPR, and the Fundraising Regulator will, at some point, consult on potential future changes around direct marketing in the Code. The discussions will continue around what is good practice and the rules that fundraisers and charities need to follow. It is our job to make sure that in these debates we continue to represent our members and contribute to ensuring excellent fundraising practices that deliver positive and sustainable relationships between charities and their supporters.
Missed the event? Catch up on key points on Twitter #FRCC2017