November 2016 Blackbaud

Casper Harratt, Marketing Manager at Blackbaud, discusses changes to data protection following the
formation of the new fundraising regulatory body and breaks it down into a handy 3 minute guide.
GDPR, DPA, FPS, ICO… confused? You should be.
Over the last 18 months, enquiries, reviews, a media frenzy around over-communicating, a new
fundraising regulatory body and a perceived public mistrust of the sector all mean that the next two
years will see significant changes that affect us all. Organisations close to the centre like Blackbaud
and FSI are well placed to support you every step of the way.
Take 3 minutes and digest our handy guide to what’s going on:
The key bodies, laws and acronyms to be aware of:
• Data Protection Act (DPA) 1998 – EU law
• Privacy and Electronic Communications Regulations (PECR) 2003 – EU law
• General Data Protection Regulation (GDPR) 2018 – EU law
• Information Commissioner's Office (ICO) – UK regulator responsible for interpreting and enforcing GDPR
• Public Fundraising Regulatory Association (PFRA) – now replaced by the Fundraising Regulator
• Fundraising Standards Board (FRSB) – now replaced by the Fundraising Regulator
• The Fundraising Regulator (FR)
GDPR:
General Data Protection Regulation
An EU law passed by the Council of the European Union on 27th April 2016.
What is it?
Replaces the DPA (1998) and PECR (2003)
Who is impacted?
All organisations that process personal data. It affects both non-profit and for-profit organisations,
big and small.
What about Brexit?
Brexit will not change the UK’s compliance requirements. Any negotiations as we leave the EU will
include equivalency with EU law on data protection.
When?
GDPR “enters into application” (becomes active law) on May 25th 2018. For the UK, the ICO will
release its interpretation of the law in November 2016. Unlike a European Directive, GDPR is a
Regulation that does not require any enabling legislation to be passed by national governments.
What’s changed from the Data Protection Act 1998?
Some of the key differences to be aware of are:
• Increased enforcement powers: maximum fines of up to €20 million or 4% of total annual
worldwide turnover of the preceding year (whichever is higher).
• Extended geographical scope: non-EU businesses will be subject to the regulation if they
provide their service to EU organisations, or monitor the behaviour of EU residents.
• Consent: more rigorous criteria will be applied to obtaining individuals’ consent: it must be
freely given, specific, informed and unambiguous. E.g. fundraising consent may not be valid if it is
given when grouped with non-fundraising matters.
• Opt-in: crucially, where consent is involved, non-profits must gain explicit, ‘opt-in’ consent. (See
below.)
• Profiling: individuals will have the right to object to profiling, which includes most forms of
online tracking and wealth screening.
• The right to be forgotten: individuals will have the right to request that an organisation delete
all their personal data.
Opt-In, instead of Opt-Out
This is one of the most significant changes: data can only be legally ‘held and used’ if a person has
actively and positively opted in. Consent under the GDPR requires some form of “clear affirmative
action”.
• Silence, pre-ticked boxes or inactivity does not constitute consent.
• Consent must be verifiable. This means that some form of record must be kept of how and when
consent was given.
• Individuals have a right to withdraw consent at any time.
• Explicit permission to contact through different channels, e.g. phone / email / text / post.
• The consent must be “informed consent”.
Note that the ICO’s November interpretation of GDPR will give us all greater clarity around
‘legitimate interest’ – i.e. do we need to get a supporter’s opt-in consent if we have a legitimate
interest to market to them? This was allowed under the DPA – it’s not so clear now.
Fundraising Regulator and Fundraising Preference Service
Following Sir Stuart Etherington’s 2015 review into the self-regulation of charities, he made two key
recommendations to Parliament:
1. One single regulator should replace IoF Guidelines + PFRA + FRSB: ‘The Fundraising Regulator’
   Chair: Lord Michael Grade
   CEO: Stephen Dunmore (interim)
2. There should be a fundraising equivalent to the Mail Preference Service (MPS) and the
Telephone Preference Service (TPS): the ‘Fundraising Preference Service’ (FPS).
The Fundraising Regulator
What is it?
• New, voluntary and independent regulator
• Sets the fundraising practice code for the UK
• Charity-funded (48 of the largest charities)
• Responsible for the Fundraising Preference Service
• Investigates donor complaints
Who is impacted?
• UK non-profits
When?
• Active immediately – the Fundraising Regulator came into being on 7th July 2016.
Fundraising Preference Service
The FPS is an ‘opt-out’ mechanism that will be introduced in the first half of 2017, to allow
individuals to opt out of all fundraising comms in one go. However, due to the operational costs of
adhering to the FPS, it has been deemed “necessary to initially limit the scope of the FPS” as regards
the size of organisation to which it applies. The threshold has not yet been set, though it is expected to
be organisations whose expenditure on direct marketing exceeds £100,000 per year, which would
exclude the majority of FSI members.
For more information, check out Blackbaud’s website: www.blackbaud.com