GDPR briefing: Community fundraising (3)

The Fundraising Regulator and Chartered Institute of Fundraising (CIoF) produced six data protection briefings in February 2018 in advance of the General Data Protection Regulation (GDPR) becoming effective on 25 May 2018.

This briefing was reviewed by the Information Commissioner's Office (ICO), and supported by the Charity Commission for England and Wales, Charity Commission for Northern Ireland, National Council for Voluntary Organisations (NCVO), Northern Ireland Council for Voluntary Action (NICVA), Scottish Fundraising Standards Panel and Wales Council for Voluntary Action (WCVA).

The UK General Data Protection Regulation (UK GDPR) came into effect on 1 January 2021. For more information about your obligations and how to comply, please refer to the ICO website.

GDPR and charitable fundraising: Spotlight on community fundraising

Introduction

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018, updating the existing data protection framework in the UK. The legislation covers every sector and every organisation, which means that people in different organisations have to think about what personal data they might be processing and put the principles into practice in their area of work.

Community fundraising

Community and event fundraising are broad terms, but in the context of this guidance they mean working in your local community with people, companies and volunteers to put on events or locally based fundraising activities and campaigns.

Key issues for community fundraisers

The GDPR applies to ‘personal data’, meaning any information relating to a living individual who can be directly or indirectly identified from it – this includes name, address and contact details. It could also include two or more non-specific pieces of information that, when combined, could identify specific individuals, for example a combination of gender, birth date, geographic indicator and other descriptors. Charities and community fundraisers may process personal data in a range of community fundraising contexts, including:

  • promoting the charity’s work and seeking funding from individuals.
  • research, for example when identifying individuals from the local community who may support the charity’s objectives or getting feedback on new fundraising methods and activities tried at local level.
  • storing personal data, for example when holding records of supporters, donors, volunteers, beneficiaries or other useful contacts within the local community.
  • supporting (directly or indirectly) local fundraising initiatives by individuals.

Whenever you ‘process’ personal data you need to do so fairly and lawfully. You also need to keep the data secure and take steps to ensure it is accurate and up to date.

When processing personal data, you need to consider two key issues:

  • what purposes you wish to process the data for; and
  • how you will show that the data has been processed lawfully.

A fuller definition of ‘personal data’ can be found on the Information Commissioner’s Office (ICO) website.

Key GDPR questions for community fundraising

1. Can we send communications which advertise fundraising/ community events to individual people?

Yes, but if you’re processing personal data to send these communications to specific individuals, you’ll be doing direct marketing and so will need a lawful basis (see briefing 2 on fundraising for more information) under GDPR to do so.

For post and live telephone calls (if numbers are not registered with the Telephone Preference Service and no objection has been received), you may be able to rely on your organisation’s legitimate interest or the individual’s consent to do so.

For electronic communication (email, text, recorded telephone calls or calling TPS-registered numbers) you can only send direct marketing communications if you have the individual’s consent. For more on consent and legitimate interest, see briefing 2 on fundraising.

2. How long does consent last or how long will we be able to use legitimate interest to communicate with supporters?

How long consent lasts or for how long you can use legitimate interest depends on what your purposes are for using an individual’s data. You should tell the individual what your purposes are either when you obtain their consent or, in the case of legitimate interest, by giving them information about how you will use their data. 

When your purposes for using the personal data are no longer relevant, you must either delete the data or (in cases where you identify a new purpose for keeping it), either seek new consent or, if using legitimate interest as your basis, send them updated privacy information about why and how you intend to continue using it and the new purposes for doing so. You should keep your data under review to make sure your purpose for contacting the individual hasn’t changed.

You also need to give people easy opportunities to withdraw their consent or to stop hearing from you. You’ll need to assess how long you think is reasonable to continue to communicate with people, be able to justify this retention period and explain it clearly in your privacy policies. The ICO’s Direct Marketing Guidance outlines some factors to consider in assessing how often to review your consent with individuals or renew privacy information.

3. A supporter ran a marathon for us last year and raised money through sponsorship. When they signed up, we asked for their consent for ongoing direct marketing, but they didn’t provide it. Are we allowed to get in touch with them this year to see if they’d like to take part again?

Because the individual was asked for their consent and didn’t give it, you cannot use consent as a lawful basis to send them direct marketing messages (which include invitations to take part in future events). If you have sought consent as your basis for contact and not received it, legitimate interest may also be more difficult to show as a lawful basis for subsequent communication, as your Legitimate Interest Assessment will need to take into account that consent was previously sought but not given by the individual. Think carefully about whether consent is the right basis to use to contact supporters. If you are seeking consent, you must be prepared to offer the individual a real choice and respect the outcome. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.

4. If an individual is doing a challenge event and fundraising for sponsorship, can we follow up to thank the people who donate and see if they’d like to hear more about our charity?

This kind of specific communication with individuals would be direct marketing, and so you would need a lawful basis to send any material (consent or legitimate interest, depending on whether you can fulfil the conditions for using one of these lawful bases and whether consent is applicable or not for the channel you want to use to communicate with them – see Q1). Think about how and when people provide their personal data – if the sponsorship is going through an online fundraising platform, then all the right privacy notices should be present on the site at the time of the donation with clear opportunities for the individual to choose whether and how they hear from the charity in the future. If you are providing paper sponsorship forms for individuals to fill in, you will need to include the right privacy information and an opportunity for people to choose if they want to receive further direct marketing communications in the future by asking for consent or relying on your legitimate interest.

Also remember that receiving personal information so that Gift Aid can be claimed on a donation does not give you permission to use that information for direct marketing.

5. If we put on an event (like a fete or summer fayre) where anyone can turn up without registration, how can we follow up to send them further information about our charity and ways to be involved afterwards?

A follow-up communication to provide more information about the charity would be direct marketing, so you’d need a lawful basis to send the communication. You can have sign-up forms on the day of the event for people to provide you with their email or contact details, but you’ll need to have the right privacy notices on any sign-up forms and give people clear information about what marketing they’ll receive, as well as a clear opportunity to choose whether they want to receive direct marketing from you in the future. Consent can be given electronically (for example on a charity’s website), through an active method such as an ‘opt-in’ tick box on a paper form, or through a positive action (for example, putting a business card in a bowl), as long as it’s made absolutely clear that through this act the individual is giving consent for you to send them direct marketing and that it is freely given.

6. What personal information should community fundraisers be keeping (or not keeping) on their own laptops and records?

Community fundraisers may wish to store a range of personal data to carry out their campaign, for example the contact details of local people who donate, businesses and supporters. The key questions that they will need to answer to be GDPR compliant are:

  • For what specific purposes do I need to store or use this individual’s personal data (for example, to send fundraising requests or to keep them up to date with the progress of a project or event)?
  • What lawful basis am I using to process their data (for example, consent or legitimate interest)?
  • Can I show that I am using this lawful basis fairly and appropriately (briefing 2 on fundraising has more information on what you need to do to meet the fairness test for consent or legitimate interest)?
  • Am I letting the individual know how I am using their personal data and the purposes for which I am using it (either through a consent form or the data privacy information I give them)?
  • Am I offering the individual the opportunity to object to me using their data in this way (either through a consent form or the data privacy information I give them)?

Where a charity knows that a volunteer fundraiser is carrying out a campaign in aid of its work, but is not involved directly in processing any data, it is sensible to alert the volunteer to their legal obligations regarding the storage and use of personal data, as set out in the Code of Fundraising Practice.

Where a volunteer fundraiser is operating more directly on behalf of the charity, the above questions about purpose and lawful basis for processing will similarly apply. However, the organisation should also consider whether it is necessary for that individual to process personal data independently to achieve their purposes, or whether it may be more appropriate for the organisation itself to process the data centrally. Where the volunteer fundraiser is processing information on the organisation’s behalf, there should be agreed data protection processes between the organisation and the individual.

7. How long should personal data be kept?

Personal data must only be kept as long as necessary to fulfil the purpose for which it was processed (see Q2). Once that purpose expires, you must either delete the data or go back to the individual to let them know that your processing purpose has changed, and how. Consider whether holding personal data is really necessary to achieve that purpose (for example, you might want to keep statistical data on marathon participants each year, but this does not necessarily require you to keep the personal data of each and every participant).

Make sure you are clear on:

  • what personal data you are holding
  • what lawful basis you are using to hold it
  • whether the purpose you have been processing it for still applies; and if so
  • how you will keep the data accurate and up to date.

What else might we need to think about?

Event administration vs event marketing

While a charity needs a lawful basis for sending communications about an event, if you are sending communications for a genuine administrative purpose that is unconnected with ‘direct marketing’, then the direct marketing rules don’t apply. So if an individual signs up to take part in an event you are running (e.g. a marathon), you would be able to contact them for administrative purposes to give them information about the event (for example, where the event is and their start time).

Signposting and resources

Information Commissioner’s Office (ICO)

Guide to the General Data Protection Regulation (GDPR)

Direct marketing guidance

Data protection impact assessments

Fundraising Regulator

Code of Fundraising Practice

Chartered Institute of Fundraising (CIoF)

GDPR: The essentials