Fundraising Data Update: Consent, confusion and clarity
Those attending Fundraising Week recently could be forgiven for scratching their heads and
leaving none the wiser about the future of fundraising.
Rob Wilson MP, the Minister for Civil Society, called on charities to prepare for 'opt-in' for
fundraising – noting that the focus should be less on the Fundraising Preference Service (FPS) and
more on the EU General Data Protection Regulation (GDPR) due to come into force in 2018. The
GDPR is the biggest change to data protection law in 20 years. The starting gun has been fired: you
now have two years to May 2018 to prepare for the new data protection regime.
Yet this clear “‘opt-in’ for fundraising” message was challenged. The Direct Marketing Association
(DMA) stated that charities will still be able to use opt-out systems under the GDPR. The Institute
of Fundraising (IoF) wrote an article noting that their understanding was the same as the DMA’s:
unambiguous consent under the GDPR “does not mean there has to be an ‘opt in’ tick box.
Consent will be able to be given ‘unambiguously’ through an ‘opt out’ mechanism.”
The briefing paper seeks to provide some much needed clarity…
1 The future: the General Data Protection Regulation (GDPR)
The GDPR will, for the first time, put a clear definition of consent into UK data protection law.
Consent in the future…
A "freely given, specific, informed and unambiguous indication of [an individual’s] wishes…by a
statement or by a clear affirmative action"
The GDPR adds further clarity:

“Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

Organisations have to be able to "demonstrate that the data subject has consented to processing
of [their] personal data…"

Individuals “shall have the right to withdraw [their] consent at any time.”

Consent is presumed not to be freely given if it does not allow “separate consent to be given to
different personal data processing operations despite it being appropriate in the individual case.”

Consent should cover all processing activities carried out for the same purpose or purposes.
“When the processing has multiple purposes, consent should be given for all of them.”
Can consent be opt-out in the future?

We believe the short answer is no.

As outlined above, the GDPR sets a pretty high threshold for obtaining consent.

Attempts to try and arrive at a contorted test for “unambiguous consent” are, we
believe, misguided when set against the definition of consent and the clarity
provided by the GDPR.
Consent in the future…
Consent will be:
✓ A record that someone clearly indicated to you…
✓ …that they agreed to the use of their personal information…
✓ …for each different purpose you wish to use it for [e.g. for campaigning; for
emergency requests for money; for regular donations; to be informed about your
training and events; to be sent information about your charity shop offers; to be
sent seasonable raffle tickets]…
✓ …via whatever channel(s) they want [e.g. post; email; SMS; calls].
But what if you do not need to rely on consent? Introducing “legitimate interests”

Consent is only one way you can legitimately collect and use personal information.

Another way is to rely on your legitimate interests – i.e. where the collection and use of personal
information is in your legitimate interests, and these interests are not overridden by the interests
or fundamental rights and freedoms of the individual.
Example:
Sending a thank you letter: you want to say thank you; many people expect it, and it is
unlikely to cause harm to people. Those that object – that don’t want to receive it – can
let you know this.
The GDPR supports this: it states that direct marketing can be a legitimate interest. So, in some cases
you will not need to rely on consent, because you can rely instead on your legitimate interests to
justify your collection and use of personal information.
PECR rules will still apply though…
PECR will still require you to have prior consent for
(ii) automated calls
(iii) email and SMS
(iv) Fax
So obtaining the prior consent (as you do now) for these channels will
mean you are likely (so long as you meet the further clarity outlined above)
to also comply with the new GDPR requirement for “freely given, specific,
informed and unambiguous” consent.
(i) live calls (and post)
Talk of consent still being given “on an unsubscribe or opt-out basis" is misplaced: the question is
whether you choose to rely on “freely given, specific, informed and unambiguous” consent for your
live calls and use of post, or whether instead you look to rely on your legitimate interests to justify
your collection and use of personal information for these two channels.
Live calls
Compliance with PECR: Does not require prior consent… Must still screen against the TPS
and your own suppression lists (i.e. previous opt-outs).
Compliance with GDPR: …so you could rely on your legitimate interests (rather than seek consent).
Post
Compliance with PECR: Does not require prior consent…
Compliance with GDPR: …so you could rely on your legitimate interests (rather than seek consent).
Protecture © 2016
And remember...
You do still have to react to anyone who wishes to use their right to object to direct
marketing, regardless of the channel.
2 Next steps: A. Really think about purposes
Being clear what you want to collect and use personal information for has two benefits:
(i) Some purposes will not rely on consent – e.g. sending a thank you letter; administrative
purposes; gift aid recordkeeping.
(ii) Where a purpose does rely on consent, the GDPR is pushing you away from generic, catch-all
statements like “opt-in here to be kept informed about our work and how you can support us.”
As shown above, the GDPR makes clear that separate consent should be provided for different
uses of personal information; that when you want to use the personal information for multiple
purposes, consent should be given for all of them.
This will mean making a judgement (or hopefully guidance should come from the Fundraising
Regulator) about how granular you might need to get, depending on the different fundraising,
campaigning, and promotional activities you want to collect and use personal information for.
For example, campaigning (writing to MPs; trying to change the law) could be regarded as a
different purpose to raising money by running a marathon; which is different to being informed
about your training and events.
2 Next steps: B. Be clear on your legal basis for collecting and using personal information
Having defined your purposes, you next need to define for each the lawful basis behind the
collection and use of the personal information. As discussed above:
For electronic fundraising…
…this will be opt-in, “freely given, specific, informed and unambiguous” consent.
For live calls and postal fundraising…
…you could make a decision to keep things consistent, clear and transparent and
also seek opt-in consent for these channels.
…but you could rely on legitimate interest to post or live call individuals (subject to
also complying with PECR).
The question is whether you would be willing to publicly stand by this decision; if
someone were to complain, saying “I didn’t consent to this…yet I still received
fundraising post / calls” you would be confident in responding “we believed this was
in our legitimate interests…and not harmful to you…we gave you the option to
object, and when you did we reacted immediately…”
And don’t forget other purposes…
For example:

An administrative call to process payments – could be in your legitimate
interests.

Collecting the personal information you need in order to provide a safe and
secure service – could be required to meet other legal obligations (such as
health and safety) or to fulfil the terms of a contract between you and a service
user.
2 Next steps: C. Review your existing data – have you got unambiguous consent?
The GDPR makes clear that any existing consent you have will continue when the GDPR comes
into force…but only if “…the manner in which the consent has been given is in line with the
conditions of this Regulation.”
So if the consent you have is not a "freely given, specific, informed and unambiguous indication of
[an individual’s] wishes…either by a statement or by a clear affirmative action" and you do need to
rely on consent to hold and use their personal information, then you will need to seek “new”
consent from your existing donors / contacts.
This is an opportunity to review the data you hold – to improve its accuracy, to ensure you are
communicating with those who really want to engage with you. You have two years to engage
with your existing donors / contacts – to write engaging content that makes them want to engage
with you, to let you know what they want to receive from you, and how.
About Protecture
Protecture are longstanding partners to ACEVO and we have worked together with members on a
range of projects and contracts that have relied on data protection support services. We are data
protection specialists whose aim is to help organisations ensure data protection compliance in all
areas.
Newsletter: Please subscribe to our newsletter here. We will next be discussing:
1. How to be open and transparent when collecting and using personal data.
2. Using existing personal data for new purposes.
3. Managing consent – when does one consent override another.
Next events:
Fundraising Success - Navigating the new legal landscape
24th May 2016 | London | £15
How we treat supporters and manage their data has never been a bigger issue. The
high profile stories of last year have fixed this firmly on the public agenda. The new
Fundraising Regulator will be up and running within months and the Information
Commissioner’s Office is actively engaging with charities and taking enforcement
action. There are new Data Protection Regulations still to come. Please follow the
links below to see the agenda and book tickets: Morning | Afternoon
Free Policy review
Protecture are offering to review your data protection policies - for free. Learn more
here.
www.protecture.org.uk | 020 3691 5731 | [email protected]