In December 2016, the Information Commissioner (UK) fined the RSPCA and the British Health Foundation for appending external wealth data to prospect records and searching for new addresses and telephone numbers for supporters with whom they had lost touch, without explicitly informing prospects of these actions. This ruling is the latest in a series of developments in UK fundraising and European data-protection regulations.
We attempt here to offer practical steps to take now and in the weeks ahead in order to be well-prepared for the new compliance regulations in 2017 and 2018. While these recommendations primarily apply to UK and EU-based organisations, the rulings themselves would, in theory, impact any organisation whose prospects include UK or EU citizens. Please note that the following does not constitute a legal opinion, but rather our best understanding. We recommend that you share these perspectives with your own legal counsel. These regulations, while complex, have four key components:
- Recent Judgements Against Appending External Data – ‘Wealth Screening’ and Address Updates
- The New EU Data Protection Regulations, or GDPR
- The Fundraising Preference Scheme
- Thinking Ahead: The Increased Importance of Growing Relationships with Donors
In our understanding, adding wealth and updated contact information to individuals’ records is not in itself illegal. What was deemed to be a breach of the law was that the charities in question did not have wording anywhere in their Privacy Notices to alert individuals that such external data might be gathered and appended to their records, and for what purpose.
The Information Commissioner also expressed the view that ‘vague’ wording – for example, that charities would use such information ‘for development purposes’ – was insufficient, and that any wording should be more explicit about the purpose for which external data would be used.
Most commentators have focused on the wealth screening in particular, but it is clear from the adjudications that the principle covers the addition of any external data to someone’s record beyond what they have themselves supplied.
Recommended next steps:
- Review your privacy notices. Ensure that they state that you may source external data to enhance your understanding of your constituents, and for what purpose. We would be happy to advise on wording.
- If you have not done so recently, carry out a Privacy Impact Assessment (PIA) on the constituent data you hold, or propose to hold. The Information Commissioner has published a guide to carrying out a PIA; click here for more information.
- Consider a privacy notice communication to your existing constituents, covering all data you hold and the purposes for which you use it. This will be necessary in any case to ensure compliance with the new GDPR (covered below). You will not need to seek consent for all data you hold, as we are optimistic that you may lawfully process constituents’ personal data for your own organisational ‘legitimate interest’. But your constituents should know they have a right to ask you not to hold certain kinds of data and for you to remove this from their records.
Opt-in or opt-out? It is our understanding that the new legislation has tightened the definition of consent for holding and processing personal data. In particular, it underlines that a lack of response cannot signify consent, making opt-in the de facto standard for any activity where ‘unambiguous’ or ‘explicit’ consent is required. However, consent is only one basis on which you can lawfully hold and process personal data. The others are (quoting the ICO guidance directly):
- The processing is necessary in relation to a contract which the individual has entered into, or because the individual has asked for something to be done so they can enter into a contract.
- The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
- The processing is necessary to protect the individual’s ‘vital interests’. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E (Accident & Emergency) department treating them after a serious road accident.
- The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
- The processing is in accordance with the ‘legitimate interests’ condition. This last category of ‘legitimate interests’ explicitly covers direct marketing, and thus alumni relations and fundraising activity. Paragraph 47 of the GDPR states:‘The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’.
1. Legitimate interest and universities
However, a legal ambiguity must still be resolved around universities’ abilities to rely on the ‘legitimate interests’ condition. Paragraph 47 of the GDPR also states:
‘Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks’.
In UK law, universities come under the definition of public authorities under the Freedom of Information Act, but it remains unclear whether this should also extend to their consideration under the GDPR. The Information Commissioner is aware of this ambiguity, and clarification should be expected in 2017.
We are optimistic that a solution to this will be found between the various interested parties (i.e., UUK, HEFCE, CASE, and the Information Commissioner) that will allow universities to carry out direct marketing – necessary, after all, for student recruitment as well as fundraising and alumni relations – as part of their ‘legitimate interests’.
This would remove the need for unambiguous consent from all alumni for further contact, although alumni would still have the right to object to direct marketing at any time.
2. The right to object to profiling
This condition of the GDPR has been seen as a threat to prospect research and propensity modelling; however, the wording of this provision in paragraph 71 of the GDPR seems quite specific to us:
‘The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.’
This is clearly intended to cover very specific kinds of automated profiling that is unrelated to building a propensity model for fundraising or marketing purposes, which would have no legal or significant effect on the data subject.
Recommended next steps:
- The GDPR should already be included on your institution’s top-level risk register. It is important that fundraising and supporter engagement activity are considered as part of the whole picture of regulatory compliance.
- Ensure that you have clearly and comprehensively categorised the kinds of personal data you hold on your constituents, and the legal basis under which you hold and process it, including ‘legitimate interest’. This must be communicated to your constituents under the GDPR.
- Consider research on a representative sample of your constituents, to better understand their expectations of how you will use their personal data. This is a recommended practice by the Information Commissioner. We are able to support you in the design and analysis of such a survey.
- Consider a communication to your constituents that outlines the purposes for which you hold and process their personal data, and the basis under which you hold and process it. Ensure that constituents are notified that they have the right to ask you to:
- Not use their data for direct marketing purposes
- Not hold additional data beyond data expressly supplied by them
- Not use their data for automated profiling
- We do not recommend at this stage that you launch a campaign to all your constituents, telling them that opt-in consent from them is necessary for any further processing of their data. We recommend that you await the forthcoming clarification from the Information Commissioner regarding ‘legitimate interest’.
It would, however, be wise to assess which constituents’ opt-in consent will be most necessary to you, and the cost of such a campaign, should the legitimate interest ambiguity not be resolved in favour of universities.
Persons who sign up through the Fundraising Preference Scheme (FPS) will have to specify the charities from which they no longer wish to hear, and the Fundraising Regulator will assist them in this process. The FPS will not include a ‘total reset’ option. Furthermore, the FPS will not apply at all for charities registered in Scotland and regulated by the Office of the Scottish Charity Regulator (OSCR).
Recommended next steps:
We do not believe you need to take any extraordinary steps in respect to the FPS, other than being familiar with how the process will operate once the scheme takes effect in March 2017.
GG+A recognises these rulings may mark a new period in fundraising in the UK, which will require much more personalised attention to potential donors. We can help support the transition to personalised attention in several ways:
- The GG+A Survey Lab can support your efforts to develop an electronic survey or census to gather prospect information for the express purpose of fundraising and pre-qualification of interest in learning more about your organisation.
- The GG+A Advancement Learning team can support your fundraisers in their work with individual donors to help bring about a culture of philanthropy and engagement, so that contact with philanthropy is increasingly seen as a welcome opportunity to express one’s values and not an intrusion on privacy.
- The GG+A Alumni Engagement and Analytics teams can help you identify which of your engagement efforts, events, and outreach are most likely to convert into donor behavior, so that you can better target your activities and outreaching in an environment of limited contact and budget opportunity with prospects.
- GG+A’s Strategic Communications team can partner with you to develop a communications strategy that will bring donors and prospective supporters closer to your organisation, fostering interest and affinity in what you do and making them want to ‘opt in’.
Issues of donor consent, respect, and protection are in constant flux, and GG+A is committed to helping the philanthropic community navigate these waters in a manner that benefits both potential donors and the mission of not-for-profit organisations. We welcome your thoughts and questions on these issues. Please reply here or contact either Adrian Salmon, Vice President, or Kat Banakis, Senior Vice President of Advanced Analytics, directly.