Legal Requirements for Storing, Maintaining and Sharing Data

Data protection and data processing in the UK are covered by the following key legislation:

Data Protection Act 2018

The UK General Data Protection Regulation (UK GDPR)

The Privacy and Electronic Communications Regulations (PECR) (including the requirements of The Telephone Preference Service)

In general, when processing personal data, you are legally required to:

  • have a “lawful basis” for collecting, using, and keeping personal data;
  • give people clear and easily accessible information about how you will process personal data; and
  • only process personal data in ways that the person would reasonably expect.

There are also a number of legal requirements about how you store, maintain and share personal data. In the context of fundraising these include ensuring that data is:

  • stored securely;
  • accurate and up to date (including people’s contact preferences);
  • only kept for as long as necessary; and
  • kept confidential and only shared with other organisations as permitted by law.

Subject Access Requests

If you process a person’s personal data, you are legally required, on request from that person, to:

  • provide them with a copy of the personal data you hold (a Subject Access Request); and
  • ensure their data can be easily moved, copied, or transmitted from one computer system to another.

The ICO provides guidance on these areas:

Data Protection for Direct Marketing

Section 122 of the Data Protection Act 2018 defines direct marketing as: “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. Some marketing is not directed to specific people (for example, unaddressed mail) and so is not covered by this definition.

The ICO’s Direct Marketing Guidance explains that fundraising activity, as well as charities’ promotional and campaigning work, is covered by the definition of direct marketing. In practice, fundraising messages which are sent electronically (for example, phone calls, texts, emails and social media) or by addressed mail are likely to be directed to a specific person, and so are covered by this definition.

In addition, if you send marketing electronically, such as by email, text message, or a recorded phone call, you must comply with the Privacy and Electronic Communications Regulations (PECR), which require a person’s consent to send them direct marketing in most cases.

The ICO’s Guidance on Direct Marketing Using Electronic Mail provides more information on complying with PECR, including details of how it applies to fundraising activity.