It was the memo heard around the world. In December 2016, the UK Information Commissioner (ICO) announced that it had fined two UK charities for conducting wealth screenings. Fines for several more charities would follow in 2017. The ICO’s actions sent shockwaves throughout the fundraising sector in the UK, with some shops halting prospect research entirely.
GG+A’s Senior Vice President for Analytics Kat Banakis, Vice President of GG+A Europe Adrian Salmon, and Benchmarking Analyst Elisa Shoenberger recently led an APRA International webinar about this stormy time for UK charities. In addition to discussing the ICO, we also explored the EU’s new General Data Protection Regulation (GDPR), set to go into effect in May 2018 – and to make privacy rules even more stringent. It will raise fines, increase data subject rights, and make consent mechanisms even stricter. Of equal, if not greater, concern is the Privacy and Electronic Communications Regulations (PECR), which regulate calls, e-mails, and texts.
Institutions in the EU and the rest of the world must be compliant with the new GDPR legislation before it takes effect in May – and this includes the post-Brexit UK. US institutions also need to think about what the new legislation means for them. Now is the time to work on compliance. While preparing your institution for GDPR and PECR, it is important to know what is allowable now, and how that might change in the near future.
The following Q&A emerged from the APRA International webinar, and is based on the excellent questions we received from participants on these topics.
Processing Personal Data
Despite the upheaval caused by the ICO fines and the coming GDPR, there are still cases in which organizations may hold and process personal data. Such processing is allowable under the following circumstances:
- The individual whose personal data is in question has consented to the processing.
- The processing is necessary 1) in relation to a contract which the individual has entered into, or 2) because the individual has asked for something to be done so that they can enter into a contract.
- The processing is necessary because of a legal obligation (except an obligation imposed by a contract).
- The processing is necessary to protect the individual’s “vital interests.” This condition only applies in cases of life or death, such as when an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.
- The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
- The processing is in accordance with the “legitimate interests” condition, subject to a balancing exercise between the individual’s privacy rights and the interests of the organization.
Questions to Consider for the Future
Q: Are EU constituents within a US-based organization’s database also subject to this oversight or constituents living in UK/EU regardless of citizenship?
A: The GDPR will apply not only to organizations located within the EU, but also to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location, so it would apply to US-based organizations holding data about EU/UK constituents. It is not clear whether the GDPR applies to “EU citizens” or “EU residents,” as both terms are used in descriptions of the GDPR’s scope. Our view – though you should check this with legal counsel – is that the former would be unworkable, and that you should assume the GDPR applies to any of your constituents who are resident in the EU, regardless of country of citizenship.
Q: What about prospects with seasonal addresses in the EU/UK?
A: Presumably, if the constituent resides in the EU or UK for a period of time, they would be covered by the GDPR during that time.
Q: If we have one CRM system that includes UK/EU constituents that is also used in the US, do we simply need to have the appropriate privacy statement shared, or is there a fundamental issue that requires us to have separate databases?
A: No, one privacy statement could be shared. We do not think two databases are necessary or desirable, but check the Privacy Shield Network or legal counsel to confirm. You must, of course, notify any EU constituents that their data is being held and processed by you outside the European Economic Area, and that appropriate safeguards (e.g., Privacy Shield) are in place to comply with EU law.
Q: What constitutes “modelling” in this case?
A: Under the GDPR, data subjects have “the right to object to profiling.” Many were concerned that this might include the kind of modelling and segmentation that advancement offices carry out in the course of usual business.
However, the GDPR has a specific definition of profiling: “‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements” (Recital 4).
The key word here is “automated.” There is a good discussion of the implications of this in this article, including this interpretation:
“Under Article 22(1) of the GDPR, data subjects have a right not necessarily to avoid profiling itself (e.g. automated processing of personal data for the purpose of making a decision), but rather to avoid being ‘subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.’ Recital 58 provides as examples the ‘automatic refusal of an on-line credit application or e-recruiting practices without any human intervention.’”
We therefore take the view that propensity modelling does not fall within the scope of “profiling” as described in the GDPR, because it 1) is not entirely automated, 2) does not result in decisions based on purely automated processing, and 3) does not produce legal effects for the data subject.
Q: What are some things we should do in the US specifically? Are there US-based organizations with examples of privacy notices?
A: There are a number of resources that can help US organizations prepare:
- Check out the Privacy Shield Network, designed to help companies on both sides of the Atlantic comply with the new laws.
- The Data Protection Network is another great resource, with several whitepapers on the GDPR, including one on Legitimate Interest that has some sample privacy notices.
- Review the privacy notices of universities in the UK, such as the University of Manchester.
- Read the ICO’s own discussion of privacy notices.
Q: If we wanted to find help with meeting the legal requirements, how would you find this type of support (i.e., how do you find a consultant/lawyer/barrister who specializes in this)?
A: You may want to work with a barrister to meet legal requirements. You should probably check out the Privacy Shield as a first step.
Q: What information counts as “sensitive”? Would affiliations be considered sensitive?
A: All personal data is covered by data protection legislation. Some data has always been categorized as “sensitive” in EU data protection legislation, and its processing has therefore historically been subject to more stringent regulation.
The specific types of data deemed sensitive under GDPR are data containing 1) indications of racial or ethnic origin; 2) political, religious, or philosophical beliefs and opinions; 3) trade union membership; 4) genetic, biometric, and other health data; and 5) information regarding a person’s sex life or sexual orientation.
It is not clear whether membership of a university or school society that might imply any of the above would be classed as sensitive information, so you should seek legal counsel on these points. Also consider how you came to know that information – e.g., if the data subject themselves provided it, it may well be covered by the conditions under which personal data processing is allowed.
Remember that the following are the conditions for holding and processing sensitive personal data:
- Explicit consent of the data subject
- Necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
- Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent
- Processing carried out by a not-for-profit body with a political, philosophical, religious, or trade union aim, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes), and provided there is no disclosure to a third party without consent
- Data manifestly made public by the data subject
- Necessary for the establishment, exercise or defense of legal claims or where courts are acting in their judicial capacity
- Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures
- Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
- Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
- Necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes (in accordance with Article 89)
These are, of course, only a few of the considerations that fundraising institutions in the US, UK, and EU need to address before the General Data Protection Regulation takes full effect in May 2018. While the ICO memo may have been a shot heard around the world, there is still more to be decided about what GDPR means for charities. The ICO’s recent blog posts help to shed light on some of the finer details. Keep an eye out for further information from the ICO in the coming months.
GDPR is coming, and we all need to be ready for it.