The Regulator’s New Code Consultation: A First Take
Last week the Fundraising Regulator published a consultation on proposed changes to the Code of Fundraising Practice around data protection. With GDPR coming it is of course a hugely important area, and one where there has been a lot of debate and discussion.
As always, the IoF will be responding to the consultation in full to reflect the thoughts and priorities of our members.
In particular our Standards Advisory Board will be providing feedback and views to shape our response. We’ll share our draft response with members for your comment and feedback nearer the submission deadline and I’d really welcome comments or thoughts from across all our membership, so please do get in touch and email firstname.lastname@example.org anytime.
So, what are the things we’ll be looking at and responding to? Here’s my initial take on the Code consultation starting off with the areas which I’d expect to be broadly welcomed by the fundraising profession:
- Introducing new requirements in the Code so that everyone is clear on what their responsibilities will be from 25th May 2018 is a good thing. Fundraisers do need to know about and have reassurance on the key aspects of GDPR that will impact on their work to ensure that all fundraising is compliant in the processing of personal data.
- Changing and renaming sections of the Code – this seems like a pretty sensible idea to me. Under the changes proposed, we’d now have one section which is about the legal aspects of ‘if/how’ you can communicate with donors (all the GDPR stuff), and then one section that deals with the content of those communications which should make things more simple and clear.
- The inclusion of both ‘consent’ and ‘legitimate interest’ as valid grounds for processing personal data for fundraising purposes (and specifically for direct marketing) is very welcome. The emphasis on organisations needing a ‘lawful basis’ is correct, and the subsequent summaries of what is needed for consent and legitimate interest to be valid seem clear.
However, looking at the detail of some of the specific proposals I think there are some questions that need to be addressed and further detail is needed:
- It’s proposed that organisations MUST ‘keep up to date with and have regard to relevant guidance from ICO’. It would be useful to know what ‘have regard to’ means – is that the same as ‘follow the guidance’? Would charities be in breach of the Code if they could show that they were up to date and had ‘regard to’ the guidance, but chose a different approach which they thought was legally compliant? It’s really important that the standards are clear and charities know exactly what is expected of them.
- Further clarification and explanation on proposal 5.5.7 that ‘organisations MUST* explain how their contact data was obtained and what their legitimate interest is (why the charity thinks that the individual might be of interest in its cause or its work)’ is needed.
To explain and recount a whole legitimate interest balancing exercise in a communication would be disproportionate and clunky, potentially disrupting an engaging fundraising communication and existing relationship with an individual. But something which said ‘as a previous supporter of charity xxx we thought you’d like to hear more about our work’ could potentially work. We need to know more about what this change means, what would count as a sufficient ‘explanation’, what form that should take, or where/how it should appear.
We also need to be mindful of how burdensome and proportionate it is to be able to provide this on an individual basis for every piece of communication that is intended to be sent and be really clear on what it is expected that charities should do. Some accompanying examples or guidance would be helpful to understand better what this proposed change requires in practice.
- There is also a significant change proposed on how fundraisers work with the Mailing Preference Service (MPS). The proposal would mean that unless individuals have provided consent to that charity, no direct marketing mailings can be sent. That is a fundamental shift of the goalposts as to what was in the Code before, and indeed, significantly changes what the MPS service (run by the DMA) was set up to do.
The MPS is specifically set up to stop ‘unsolicited’ mailing (it is not a statutory service like the TPS) and clearly explains to individuals that if they sign up “You can expect to continue to receive mailings from companies with whom you have done business in the past.” This means that as long as organisations can satisfy the legitimate interest ground, a registration on the MPS would not stop that organisation sending direct marketing by post.
Changing the Code to say that charities can only contact individuals on MPS when they have consent would exclude legitimate interest as a lawful basis and would mean that individuals who have had a pre-existing relationship, been engaging with a charity, and donating for years on the grounds of legitimate interest would have that relationship wiped out.
It also means that people signing up to the MPS are clearly told one thing, and sign up on that basis, but actually receive a different experience in reality – I don’t believe that this builds clarity and transparency. This proposal needs a re-think and we’ll be looking at it carefully.
The value of consultations is that they give us an opportunity to debate and discuss these changes. I’d urge as many charities and fundraisers as possible to make sure your voice is heard and feed back on the proposals to the Fundraising Regulator - you’ve got until 8 December.