By Lord Toby Harris, Chair of the Fundraising Regulator and Elizabeth Denham CBE, the UK Information Commissioner
It has been more than five years since serious public concerns were raised about how some charities were using the personal data they held about their donors. A lack of adequate fundraising regulation meant that practices of sharing and exchanging donor data had become common.
A review of charitable fundraising regulation followed, which found that the existing regulatory system for the sector needed reform. This review recommended a single, new regulator, and out of this, the Fundraising Regulator was established in 2016 to reverse poor public perceptions of charities and re-establish good relationships with donors.
Meanwhile, the Information Commissioner’s Office (ICO), the UK information rights regulator, fined 13 charities for breaking data protection laws by misusing donors’ personal data in data sharing, data and tele-matching or wealth screening. This shook public trust in charities and was the catalyst for transforming the way that charities interact with donors.
Committing to positive change
A year later, the charity sector came together to share learning from the past and prepare for the implementation of the incoming General Data Protection Regulation (GDPR). At a joint conference between the ICO, the Fundraising Regulator and the Charity Commission for England and Wales in February 2017, charities were encouraged to commit to positive change – and that meant playing by the rules even if that made practices a little more complicated.
The large number of people who participated in this conference and signed up to the ICO’s fundraising and consent webinar, showed that charities wanted to get it right. Since then, charities have taken this commitment seriously by firmly embedding new ways of working into their operations.
The ICO’s audit of eight charities published in 2018 sought to assess charities’ compliance and showed many areas of good practice, including clear governance structures and the appointment of data protection officers. Like most organisations, charities want to do the right thing and maintain trust with their donors and stakeholders. While the ICO took action against a small number of charities for falling short of what is expected in law, we have not seen the wide-spread issues from previous years.
Enhancing data privacy rights
When the GDPR became enforceable in May 2018, it represented the most significant shake up of how charities handle donor information. The new law created enhanced privacy rights for people and placed greater emphasis on accountability for organisations using personal data.
By contributing to and implementing the Fundraising Regulator’s GDPR guidance – produced with the Chartered Institute of Fundraising and reviewed by the ICO – which supports organisations to comply with the rules, charities have demonstrated their commitment to good fundraising and data protection practices. In addition, the ICO’s direct marketing guidance, which applies to all organisations and includes fundraising activity, continues to be a key resource for the sector.
The launch of the Fundraising Preference Service (FPS) in 2017 created an additional backstop for donor protection. By allowing people to choose how they are contacted by charities, organisations can make sure they are respecting the contact preferences of individuals. Together, the Privacy and Electronic Communications Regulations (PECR) - which govern direct marketing calls, emails and texts - and the FPS are giving people back control of how and when they are contacted by charities.
Building a resilient future
The past 18 months have tested the charity sector again, but this time for different reasons. Restrictions on public fundraising have meant that many charities increased their use of digital fundraising methods or have taken to digital fundraising for the first time. This has implications for the way they collect data from individuals interacting with their services.
Guidance from both the ICO and Fundraising Regulator supports organisations to navigate data protection issues and fundraising regulation during this unprecedented time. Data protection is not a barrier to fundraising and we want to make sure that charities are supported to fundraise effectively, while handling people’s information in line with the law.
Charities should continue to follow, and refresh their memories of, the ICO’s data protection advice and direct marketing rules. This includes helpful information about protocols for processing personal data and outlines six circumstances, or lawful bases, in which charities can make contact with donors.
A reminder of the lessons learned
As we emerge from the pandemic restrictions, it is right that we as regulators do what we can to support organisations. We will continue to publish guidance and proactively engage with the sector on issues we encounter.
Under pressure of the pandemic, charities should remind themselves of the lessons learnt in all those years ago. The sector must make sure that it maintains the high standards that it has set itself, particularly when it comes to trust, accountability and transparency, which are all key elements that underpin data protection laws and fundraising regulation.
A key outcome of the GDPR is that people are now more aware of the value of their personal data and how it’s used than ever before. So, any organisation that wants to be trusted must get data protection right. Driving trust is a hugely important part of our joint role in protecting the public. We know that trust, and a positive donor experience from start to finish, will drive confidence in charities and their fundraising activities.
As we reflect on the progress that has been made over the past five years, it is right that we, the Fundraising Regulator and the ICO, commend charities for the significant strides they have taken to improve fundraising and data protection practices. We have been consistently pleased with the charities’ willingness to engage with our regulation, and in doing so, they have together built a stronger, more resilient, sector.