GDPR briefing: Charitable trust fundraising (6)

The Fundraising Regulator and Chartered Institute of Fundraising (CIoF) produced six data protection briefings in February 2018 in advance of the General Data Protection Regulation (GDPR) becoming effective on 25 May 2018.

This briefing was reviewed by the Information Commissioner's Office (ICO), and supported by the Charity Commission for England and Wales, Charity Commission for Northern Ireland, National Council for Voluntary Organisations (NCVO), Northern Ireland Council for Voluntary Action (NICVA), Scottish Fundraising Standards Panel and Wales Council for Voluntary Action (WCVA).

The UK General Data Protection Regulation (UK GDPR) came into effect on 1 January 2021. For more information about your obligations and how to comply, please refer to the ICO website.

GDPR and charitable fundraising: Spotlight on charitable trust fundraising

Introduction 

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018, updating the existing data protection framework in the UK. The legislation covers every sector and every organisation, which means that people in different organisations have to think about what personal data they might be processing and put the principles into practice in their area of work.

Trust fundraising

Charitable trust fundraising refers to the process of asking for support from trusts and foundations that are empowered to make grants for charitable purposes. Technically, a trust is a fiduciary (“in good faith”) relationship whereby a person or persons (trustee/s) hold(s) and manage(s) property for the benefit of one or more others (beneficiaries). A trust’s purposes and rules are set out in its governing instruments (normally a trust deed or, where it is a company limited by guarantee, a Memorandum and Articles of Association). A foundation is, for the purposes of this guidance, synonymous with a ‘trust’.

Key GDPR questions for trust fundraisers 

1. Am I using personal data?

The GDPR applies to ‘personal data’, meaning any information relating to a living individual who can be directly or indirectly identified from it. This includes name, address and contact details, but could also include two or more non-specific pieces of information that, when combined, could identify a specific individual (for example, a combination of gender, birth date, geographic indicator and other descriptors). A fuller definition of ‘personal data’ can be found on the Information Commissioner’s Office website.

Ways that trust fundraisers may wish to process personal data from charitable trusts include but are not limited to:

  • carrying out external research on individuals such as trustees of a charitable foundation (for example, online or in published directories) to identify those trusts whose objects and policies match the need for which the grant is required. This may include screening them for particular characteristics such as level of wealth or using publicly available data about them.
  • contacting trustees or trust employees to discuss potential applications for funding.
  • storing contact information of trustees or trust employees relevant to your application.
  • submitting an application for funding.
  • follow up communications, including thank you messages and keeping the trust informed of progress with projects.

While trusts and foundations are organisations, the employees or trustees at those organisations will have rights in relation to any corporate data which identifies them specifically. Personal data include corporate email addresses and other contact details where they identify individuals (for example name.surname@organisation.org.uk). So as a fundraiser, you are highly likely to be processing personal data when engaging with a trust.

When processing personal data, you need to consider two key issues:

  • what purposes you wish to process the personal data for; and
  • how you will show that the personal data has been processed lawfully and fairly.

2. What is my lawful basis for contacting a trust employee or trustee using personal data?

Where you are promoting your charity to specific individuals, this is likely to fall within the definition of direct marketing, which includes promotion of a charity’s objectives. Likewise, if you carry out research on individuals within a trust, or collect data on those individuals for the purpose of seeking funds at a later date, your activity will involve processing personal data for direct marketing purposes.

The full range of lawful bases for processing personal data can be found in briefing 1. However, as a trust fundraiser, it is likely that you will need to rely on either the individual’s affirmative consent or on legitimate interest as a basis to contact a trust employee or trustee.

a) Consent

Where an individual has given you their contact details with specific consent for you to contact them for a particular purpose, it is likely that consent will be your most appropriate basis for contact.

However, in many circumstances you will be approaching a trust contact without a prior introduction, so obtaining consent lawfully may be impractical (don’t forget that even a consent request will require a lawful basis for being sent to an individual). The threshold for consent under GDPR is high; consent must be a “freely given, specific, informed and unambiguous indication of the individual’s wishes”, so you need to check that you can show you have met all of these criteria to be compliant (for example, even if a trust’s website states it “welcomes enquiries/applications”, this is unlikely to be sufficient to show that consent has been obtained from an individual to use their personal data).

b) Legitimate interest

Trust fundraisers who find consent too difficult to obtain may be able to use legitimate interest as a legal basis for marketing activity in many instances, provided they can show their processing is justified following a Legitimate Interest Assessment. Where legitimate interest is your basis for processing, you need to:

  • show you have considered the individual’s interests against your own by doing a Legitimate Interest Assessment (this is likely to be easy to justify if your direct marketing communication is in a professional context – see Q3 below)
  • let the individual concerned know that you are processing their data and for what purpose 
  • offer them the opportunity to opt out of further communications if they wish to do so.

Further information on the “3 step test” for legitimate interest can be found in the ICO Guide to GDPR.

When using legitimate interest, you will usually be able to use a privacy notice to cover how you will process the individual’s personal data and how they can opt out, as long as you alert the individual to it in your communication with them.

3. What marketing channels can I use to communicate with trusts and what is the ‘corporate subscriber’ category under legitimate interest?

Sending e-mail or SMS marketing to individual subscribers requires the individual’s consent under the Privacy and Electronic Communications Regulations (PECR) 2003, as the soft opt-in does not apply to fundraising. If fundraisers want to rely on legitimate interests for marketing, they will normally only be able to contact an individual for direct marketing purposes by post or live phone call. Please note that where a telephone number is registered on the Telephone Preference Service, you must not make live calls to that number unless you have consent to do so. However, when approaching organisations, trust fundraisers may lawfully use email to send direct marketing communications to ‘corporate subscriber’ categories of recipient using legitimate interest.

The context in which you are approaching the individual is important here in deciding if you are contacting a ‘corporate subscriber’ under legitimate interest, and therefore able to use electronic channels to market to them: 

  • Under PECR, the organisation they work for would need to fall within the ‘corporate subscriber’ category of organisation. This includes companies as defined by the Companies Act 1985, companies incorporated in pursuance of a royal charter or letters patent, corporations sole, partnerships in Scotland, and any other corporate body or entity (including charities such as foundations and trusts) which is a legal person distinct from its members. 
  • The basis of the communication should be relevant to the individual’s work within the organisation (as opposed to contacting them in a personal capacity). This is not an explicit requirement of PECR but should be considered as a good practice in ensuring your communication is appropriate in the circumstances.

Examples where the ‘corporate subscriber’ category may apply to a communication include seeking further information from a trust about a grant making opportunity. It could also potentially include a fundraising request directed at the organisation, if you can show that the approach is relevant to their work (for example, where your request is in line with the trust’s charitable objectives or the trust has stated it welcomes applications from fundraisers representing particular causes).

However, although you don’t need prior consent for a ‘corporate subscriber’ communication, you must still do a legitimate interest assessment using the ‘3 step test’ and consider the individual’s reasonable expectations.

For example, it would be difficult to show a legitimate interest in using an individual’s corporate email address, without their prior consent, to ask them to support your charity in a personal capacity (for example, to make a personal donation). Nor would it be appropriate to use the ‘corporate subscriber’ category to contact an individual where your marketing has no relevance to the work of the organisation (a test question here might be: “Would the individual reasonably expect this communication given the work that the organisation does?”).

Although you don’t need prior consent for a ‘corporate subscriber’ communication, you need to remember that individual representatives of the organisation will still have a right to ask you to stop using their personal contact details or sending marketing to their work email address. Under PECR, you must give the individual your identity and contact details so that they can ask you to stop marketing to them if they wish. If you receive such a request, you must comply with it.

What else do I need to think about?

Holding personal data

In the course of engaging with trusts, you may wish to store the personal data of an employee or trustee contact for a range of purposes beyond the initial application, including contacting them about future fundraising events. 

If you wish to do this, you need to make sure that the individual knows that you are holding their personal data and the purposes for which you are keeping those data, either seeking their consent for the processing or relying on your organisation’s legitimate interest. They should also be given the opportunity to object to their data being processed for any of the purposes you have outlined.

Where you are using legitimate interest, it’s important to be as clear as possible in your initial privacy statement to the individual about all of the purposes you envisage using their data for. Personal data must only be kept as long as necessary to fulfil the purpose for which they were processed. Once that purpose expires, you must either delete the individual’s data or go back to the individual to let them know that your processing purpose has changed, and how. 

Make sure you are clear on: 

  • what personal data you are holding
  • on what lawful basis you are holding it
  • whether the purpose you have been processing it for still applies and if so
  • how you will keep the data accurate and up to date.

Processing ‘special categories’ data

Any personal data classed as ‘special category’ data will need the individual’s explicit consent to be processed (or another condition for processing special category data under Article 9 GDPR, if one applies, in addition to a lawful basis). Special category data includes, but is not restricted to, racial or ethnic origin, political opinions, religious or philosophical beliefs, and information about any physical or mental health condition.

Using publicly available data

You may wish to process personal data found in the public domain for fundraising purposes (for example, looking at publicly available information about the trustees of a grant-making organisation to find out more about their interests and the projects or causes they are likely to fund). When doing this, it is important that fair processing information is given. You should also consider how far the processing of publicly available information falls within the individual’s reasonable expectations – for example, there is a difference between reviewing the description of an employee on a company website and reviewing someone’s personal Facebook account.

Fundraisers are likely to use legitimate interest as a basis for research using publicly available information, but you cannot assume just because it is publicly available that it can be used unconditionally. You will need to consider the context and reasonable expectations of the individual, ensuring that your own legitimate interest of processing this information is not overridden by the individual’s interests and privacy rights. Their reasonable expectations are likely to vary depending on the type of data in the public domain and the context for which it was originally published.

You will also need, at an early and appropriate time, to inform the individual that their information has been used in this way (for example, by providing them with your privacy policy) and offer them the opportunity to object to your use of their data in this way. See Q2 for further information on using legitimate interest.

Where the legitimate interest of processing this information is overridden by the individual’s privacy rights, consent (or another lawful basis) will be necessary.

The easiest way to inform people is through providing your organisation’s privacy notice to them.

Signposting and resources

Information Commissioner’s Office (ICO)

Guide to the General Data Protection Regulation (GDPR)

Direct marketing guidance

Data protection impact assessments

Fundraising Regulator 

Code of Fundraising Practice

Chartered Institute of Fundraising (CIoF) 

GDPR: The essentials