Protecting donors’ privacy and complying with the principles set out in the Data Protection Act 1998 are an imperative part of charity management and administration. The General Data Protection Regulations (GDPR) come into force on 25th May 2018 and present charities with a new set of complex legal requirements to factor in, with stringent penalties for non-compliance.
Does your charitable entity understand the GDPR and the key changes to be aware of?
Should you ‘opt in’, or can you rely on the ‘opt out’ mechanisms?
What can charities do now to prepare for the biggest change in data regulation in two decades?
If you are a fundraiser, CEO, or trustee of a charity or fundraising entity, then this article will help you answer these questions and develop a basic understanding of the GDPR.
What is the GDPR?
The GDPR is an EU-wide regulation that will replace the Data Protection Act 1998 this year. The Information Commissioner’s Office has made clear that Brexit will not affect the application of the GDPR in the UK and all entities are required to comply with the regulations when processing peoples’ personal identifiable information (PII). PII means any information relating to an identified or identifiable natural person (i.e. the data subject).
One of the main differences between the Data Protection Act 1998 and the GDPR, is that the GDPR has a wider definition of PII and it now includes technology.
All entities, including charities, are expected to be meet the GDPR requirements as of 25th May 2018. Therefore, action is needed now.
What does the GDPR say?
The GDPR contains the following data protection principles:
• Principle 1: PII must be processed in a lawful, fair, and transparent manner. The principle is broadly similar to Data Protection Act 1998, however, the GDPR now expressly states that PII should be processed in a transparent manner. This includes giving data subjects adequate information about how their PII is or will be processed;
• Principle 2: PII must be collected for a specific and legitimate purpose, and there should be no further processing in a manner that is incompatible with these purposes;
• Principle 3: Data minimisation. PII collected must be adequate, relevant, and limited to that which is necessary for the purpose for which it is being processed;
• Principle 4: Accuracy. PII should be accurate and up-to-date; any out-of-date or incorrect PII should be deleted or rectified. Every reasonable step must be taken in respect of the same;
• Principle 5: Storage limitation. PII must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the PII was collected. PII may be stored for longer periods insofar as the it will be processed solely for archiving purposes, in the public interest, for scientific and historical research purposes or statistical purposes;
• Principle 6: Integrity and confidentiality. PII must be processed in a safe manner to ensure it is protected against unauthorised and unlawful processing, theft, loss, damage or destruction;
• Principle 7: Accountability. The controller (i.e. the charity) shall be responsible for and be able to demonstrate compliance with these principles.
What is the difference between a ‘controller’ and a ‘processor’ under the GDPR?
Article 4 of the GDPR outlines the differences between a controller and a processor of data:
• Controller: is a natural or legal person, public authority, agency or other body which, determines the purposes and means of the processing of PII; and
• Processor: is a natural or legal person, public authority, agency or other body which processes PII on behalf of the controller.
Do charities and fundraisers have to change how they ask for consent under the GDPR?
Consent must be freely given, informed, specific, unambiguous and given by a clear affirmation (i.e. a positive opt-in). The data subject will therefore have to ‘positively opt-in’ by ticking a box (yes, that means no pre-ticking boxes).
Under the GDPR, all entities need to explain clearly their reasons for collecting PII, how it is intended to be used and importantly, explicit and free consent must be given to share PII with third parties.
What is ‘opt-in’ and ‘opt out’?
As simple as it might sound, ‘opt in’ and ‘opt out’, as it applies to direct marketing is one of the most confusing and debated aspects of the GDPR.
‘Opt in’ – Charities and fundraisers can directly market to a person if they have given their consent that they are happy to receive direct marketing (as above). For example, this could take the form of an individual ticking a box on a donation form or putting their business card in a bowl at an event. In the latter example, you must make it explicitly clear that by doing so, the person parting with their business card is agreeing to receive direct marketing material from your organisation.
Under the GDPR, charities can, in certain circumstances, send direct marketing materials or make unsolicited telephone calls to someone without their express consent under the condition of ‘legitimate interest’. That said, when doing so, they must allow the person to ‘opt out’ of receiving such communications in the future. This is usually done by including an ‘opt out’ tick box.
To establish whether there is a ‘legitimate interest’ when direct marketing, charities need to consider what the data subject would reasonably have expected their PII to be used for when they provided it.
Charities and fundraising organisations must make it clear to data subjects how their information will be used at the time at which it is collected. This will require ongoing staff training to remind employees to do this with every data subject. If they are not informed that their PII might be used for direct marketing, charities will be unable to rely on the legitimate expectation condition.
You also need to consider whether the data subject’s rights and interests override your charity’s legitimate interests in sending direct marketing material. For example, if you know the data subject concerned is elderly or a child, it may not be in their best interests to receive direct marketing from your organisation.
The entire principle is very much a balancing exercise.
What other changes does the GDPR introduce that charities and fundraising organisations need to be aware of?
Under the GDPR, anyone can make a request to access and check the PII you hold in relation to them. They can also request that you remove any PII from your records. Therefore, it is imperative that you know exactly what PII is held and where it is stored. This is why, the ICO recommend conducting ‘war drills’ to test your staff’s ability and efficiency when dealing with request to access or a request for erasure.
How can charities prepare for the GDPR?
Most charities and fundraising organisations have robust data protection policies and procedures which comply with the principles of the Data Protection Act 1998. It is crucial that these are reviewed and updated to ensure compliance with the incoming GDPR and a communication and training programme rolled out to employees.
Our solicitors are well-versed in the GDPR and can provide practical advice and guidance regarding your organisation’s compliance.
Saracens Solicitors is a multi-service law firm based in London’s West End. We have dedicated and highly experienced charity law solicitors who can advise on all legal matters relating to the charity sector. For more information, please call our office on 020 3588 3500.