Data protection

Data protection legislation affects many areas of fundraising. Fundraisers need to ensure they comply with the regulations. The new General Data Protection Regulation (GDPR) will become effective in the UK on 28 May 2018. It replaces the existing law we have on data protection (the Data Protection Act 1998) and gives individuals more rights and protection in how their personal data is used by organisations.

The regulations may appear daunting at first but it is helpful to remember a few rules of thumb which are often centred on having the correct permissions for using the data:

  • ensure you have the necessary permissions to contact supporters
  • do not retain any information on a supporter or prospect that you would not be comfortable sharing with them
  • do not use information in a manner that the supporter would not wish
  • do not share data in a manner that a supporter would not wish

In short, it is helpful to think about how you would like your details used by another organisation.

Requirements vary depending on how you are communicating with donors and what information is being processed. For example, supporters need to opt-in to receiving electronic marketing communications whereas direct mail can be sent with an opt-out.

'Direct marketing' communications are considered to be anything that promotes an organisation's aims and ideals in addition to promoting goods and services.

 

Our guidance and support on data protection

  • We have produced these resources in partnership with Bircham Dyson Bell to help fundraisers understand the key parts of GDPR in relation to direct marketing and how you can lawfully contact your supporters. Our Head of Policy and Research, Daniel Fluskey, has written more about it here.

 

  • We have also produced this checklist to help you be aware of your obligations and responsibilities when it comes to data protection, and to signpost detailed advice and further resources.

 

  • This document explains some of the terms that are often used when referring to personal data, and explains how and why charities might be using personal data in their fundraising.

 

FAQs
  • How long can I hold donors’ information for?

Donors’ information must not be kept longer than is necessary. This means that data that is being processed for a particular purpose must not be kept unless it is still required for that purpose. You should also maintain a ‘suppression list’ which contains details of individuals who have asked not to receive direct marketing material – you should always check against this.

 

  • Do we need to include an opt-out or opt-in in our communications with donors?

 

Requirements vary depending on how you are communicating with donors and what information is being processed. For example, supporters need to opt-in to receiving electronic marketing communications whereas direct mail can be sent with an opt-out.

 

  • What rules for Data Protection do we need to follow?

 

Data protection legislation affects many areas of fundraising. Fundraisers need to ensure they comply with the regulations. These can be daunting but there are a few main things that you need to remember. It is most helpful to think about how you would like your details used by another organisation.

For example:

- ensure you have the necessary permissions to contact supporters;
- do not retain any information on a supporter or prospect that you would not be comfortable sharing with them;
- do not use information in a manner that the supporter would not wish; and
- do not share data in a manner that a supporter would not wish.

There is a helpful data protection section in the Code’s Legal Appendices. 

The recent Monetary Penalty Notices issued to BHF and the RSPCA by the ICO have understandably raised concerns and questions for charities and fundraisers about their implications for charitable fundraising moving forward. 

 

ICO FINES - WHAT ARE THE LEGAL IMPLICATIONS FOR CHARITIES AND FUNDRAISERS?
  • Are data sharing, wealth-screening and data-matching always unlawful?
  • Do we need consent to share data, wealth screen or data-match?
    • Will this change under GDPR?
    • What does this mean for existing/historic data?
    • Will there be any further guidance issued?

  

Read the blog from Bates Wells Braithwaite which details the ICO charity fines - what are the legal implications for charities and fundraisers?

Watch the video below from a joint event held in January by the IoF and Bates Wells Braithwaite, on the first tranche of ICO fines and what they mean for charities and fundraisers:

 

Information Commissioner's Office (ICO)

 

Fundraising Regulator

  • The Code of Fundraising Practice sets out the key legal requirements and best practice standards for a range of fundraising techniques. Of particular note in relation to data protection are the Digital Media, Telephone Fundraising, and Direct Marketing sections of the Code, as well as the Data Protection Legal Appendices.
  • Read the latest guidance from the Fundraising Regulator on Personal Information and Fundraising: Consent, Purpose and Transparency