The Fundraising Regulator and Chartered Institute of Fundraising (CIoF) produced six data protection briefings in February 2018 in advance of the General Data Protection Regulation (GDPR) becoming effective on 25 May 2018.
This briefing was reviewed by the Information Commissioner's Office (ICO), and supported by the Charity Commission for England and Wales, Charity Commission for Northern Ireland, National Council for Voluntary Organisations (NCVO), Northern Ireland Council for Voluntary Action (NICVA), Scottish Fundraising Standards Panel and Wales Council for Voluntary Action (WCVA).
The UK General Data Protection Regulation (UK GDPR) came into effect on 1 January 2021. For more information about your obligations and how to comply, please refer to the ICO website.
GDPR and charitable fundraising: Spotlight on corporate fundraising
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018, updating the existing data protection framework in the UK. The legislation covers every sector and every organisation, which means that people in different organisations have to think about what personal data they might be processing and put the principles into practice in their area of work.
For the purposes of this guidance, corporate fundraising is taken to mean the development of a relationship between a company and a charity. That could be for a charity of the year partnership, a specific fundraising campaign, employee fundraising or other support.
Key GDPR questions for corporate fundraisers
1. Am I using personal data?
The GDPR applies to ‘personal data’, meaning any information relating to a living individual who can be directly or indirectly identified from it. This includes name, address and contact details, but it could also include two or more non-specific pieces of information that, when combined, could identify a specific individual (for example, a combination of gender, birth date, geographic indicator and other descriptors). A fuller definition of ‘personal data’ can be found on the Information Commissioner’s Office (ICO) website.
Ways that corporate fundraisers may wish to process personal data from companies in the course of their activities include, but are not limited to:
- carrying out external research (for example, online or in published directories) to identify prominent individuals within those organisations who may have a particular link to your charitable cause or who may be open to a fundraising approach. This may include looking at the backgrounds and influences of those individuals. When doing this, it is important that fair processing information is given. Consideration should also be given to whether processing publicly available information falls within someone’s reasonable expectations – for example, there is a difference between reviewing the description of an employee on a company website and reviewing someone’s personal Facebook account.
- making contact with company representatives to find out more about their policies on charitable giving and to seek the company’s support.
- storing contact information of key individuals within the company.
- follow up communications, including thank you messages and keeping the company informed of progress with projects they may support.
While companies are organisations, the individuals associated with those organisations will have rights in relation to any corporate data which identifies them specifically. Personal data includes corporate email addresses and other contact details where they identify individuals (for example firstname.lastname@example.org). So, as a fundraiser, you are highly likely to be processing personal data in the course of engaging with a company.
When processing personal data, you need to consider two key issues:
- what purposes you wish to process the data for; and
- how you will show that the data has been processed lawfully.
2. What is my lawful basis for contacting an individual at a particular company?
Where you are promoting your charity to specific individuals at a company, this is likely to fall within the definition of direct marketing, which includes promotion of a charity’s objectives. Likewise, if you carry out research on individual company representatives or collect data on those individuals for the purpose of seeking funds at a later date, your activity will involve processing for direct marketing purposes. Please note that where a telephone number is registered on the Telephone Preference Service, you must not make live calls to that number unless you have consent to do so.
The full range of lawful bases for processing personal data can be found in briefing 1. However, where you are carrying out direct marketing, it is likely that you will need to rely on either the individual’s affirmative consent or on legitimate interest as a basis to contact a corporate representative.
a) Consent
Where an individual has given you their contact details with specific consent for you to contact them for a particular purpose, it may be possible to rely on that consent as your basis for contact.
However, in many circumstances you will be approaching a company contact without a prior introduction, so using consent as your lawful basis may not be practical. The threshold for consent under GDPR is high; consent must be a “freely given, specific, informed and unambiguous indication of the individual’s wishes”, so you need to check that you can show you have met all of these criteria to be compliant (for example, even if a company’s website states it “welcomes approaches from charities”, this is unlikely to be sufficient to show that consent has been obtained from an individual to use their personal data).
Remember also that a communication outlining consent options is itself direct marketing. You will need a different basis to justify such a communication (for example legitimate interest may be applicable for post or live phone calls – see below) if you do not have any previous permission from the individual to use their data for direct marketing purposes.
b) Legitimate interest
Where consent is likely to be too difficult to obtain, corporate fundraisers may be able to use legitimate interest as a legal basis for direct marketing communications in many instances, provided they can show that they comply with the ‘3 step test’ for whether the communication is lawful.
Where legitimate interest is your basis for processing, you need to:
- Show you have considered the individual’s interests against your own by doing a legitimate interest assessment (this is likely to be easy to justify if your direct marketing communication is in a professional context – see Q4 below)
- let the individual concerned know that you are processing their data and for what purpose
- offer them the opportunity to opt out of further communications if they wish to do so.
Further information on the ‘3 step test’ for legitimate interest can be found in the ICO Guide to GDPR.
When using legitimate interest, you will usually be able to use a privacy notice to cover how you will process the individual’s personal data and how they can opt out, as long as you alert the individual to it in your communication with them.
3. What channels can I use to contact someone at a company or organisation about my charity and what is the difference between an ‘individual subscriber’ and a ‘corporate subscriber’?
Sending e-mail or SMS marketing to individual subscribers requires the individual’s consent under the Privacy and Electronic Communications Regulations 2003 (PECR), as the soft opt-in does not apply to fundraising.
If fundraisers want to rely on legitimate interests for marketing, they will normally only be able to contact an individual for direct marketing purposes by post or live phone call (please note that where a telephone number is registered on the Telephone Preference Service, you must not make live calls to that number unless you have consent to do so). However, when approaching companies, fundraisers may lawfully use legitimate interest to send direct marketing communications by email under the ‘corporate subscriber’ category of recipient.
The context in which you are approaching the individual is important here in deciding if you are contacting a ‘corporate subscriber’ under legitimate interest, and therefore able to use electronic channels to market to them:
- Under PECR, the organisation the individual works for would need to fall within the ‘corporate subscriber’ category of organisation. This includes companies as defined by the Companies Act 1985, companies incorporated in pursuance of a royal charter or letters patent, corporations sole, partnerships in Scotland, and any other corporate body or entity (including charities) which is a legal person distinct from its members.
- The basis of the communication should be relevant to the individual’s work within the organisation (as opposed to contacting them in a personal capacity). This is not an explicit requirement of PECR but should be considered as a good practice in ensuring your communication is appropriate in the circumstances.
Examples where the ‘corporate subscriber’ category may apply to a communication include inviting an individual to speak at an event as part of their role or suggesting a meeting to discuss a potential corporate partnership or talk about employee fundraising activities. It could also potentially include a fundraising request directed at the organisation, if you can show that the approach is relevant to their work (for example, an employee of a business that declares “homelessness” is a key part of its corporate social responsibility objectives is sent an email by a homelessness charity seeking corporate sponsorship).
However, although you don’t need prior consent for a ‘corporate subscriber’ communication, you must still do a legitimate interest assessment using the ‘3 step test’ (see above) and consider the individual’s reasonable expectations. For example, it would be difficult to show you had a legitimate interest in the use of personal data to contact an individual, via their corporate email address without prior consent, to ask them to support your charity in a personal capacity, for example to make a personal donation. Nor would it be appropriate to use the ‘corporate subscriber’ category to contact an individual where your marketing has no relevance to the work of the organisation (a test question here might be: “Would the individual reasonably expect this communication given the work that the organisation does?”).
Although you don’t need prior consent for a ‘corporate subscriber’ communication, you need to remember that individual representatives of the company will still have the right to ask you to stop using their personal contact details or sending marketing to their individual work email address. Under PECR, you need to give the individual your identity and contact details so that they are able to request that you stop marketing to them where they wish to. If you receive such a request, you must comply with it.
4. What if someone who gives a donation themselves gives us a work email address?
Sometimes people will give their work/business emails to a charity as part of a donation, as that is their preferred way to hear from the charity in the future. That’s fine but the normal rules about needing affirmative consent or relying on legitimate interest would apply for future direct marketing.
If you intend to use consent as your basis for contact, you will need to consider whether you have sufficient evidence to show that you meet the high standard of consent required by GDPR. Under GDPR, consent must be a “freely given, specific, informed and unambiguous indication of the individual’s wishes”. If you are using consent, you will need to be able to show that the consent provided by the individual meets these criteria, including whether they gave a specific and unambiguous indication of their wishes regarding how that email address was to be used by you.
If consent is difficult to evidence under GDPR, legitimate interest may be a more appropriate lawful basis to rely on for contacting the individual (although you are likely to be limited to doing so by post or live phone call under PECR). See Q2 for further information on using legitimate interest.
5. If a company does a fundraising day/activity for its employees for our charity, can we follow up with people as individual donors to tell them more about our work or other ways they can support us?
This kind of specific communication with individuals would be direct marketing, and so you’d need a lawful basis to send any material (consent or legitimate interest, depending on whether you can fulfil the conditions for using one of these lawful bases and the channel you want to use to communicate with them – see Qs 1-3). If you supply donation forms for companies to use, then make sure that you have fair processing notices explaining how you’d like to use that person’s personal data and give them a chance to opt in (consent) or a chance to opt out (if you are using legitimate interest). Also remember that an individual providing personal information so that Gift Aid can be claimed on a donation does not mean that you have permission to use that information for direct marketing.
The company should not be sending lists of names/email addresses of their employees to any charity for the charity to then send direct marketing, unless they have checked to make sure that those employees are happy for their details to be passed to the specific charity.
6. Can we look at information that is available on professional networking sites (e.g. LinkedIn) or otherwise in the public realm to find out a bit more about people at companies with whom we have a relationship or want to approach?
Fundraisers will often want to look at someone’s job profile, experience and history/ interests that the individual has made public through professional networking sites. This can help develop a relationship between the charity and the corporate partner and means that the charity can tailor their approach accordingly (for example through the process of ‘wealth profiling’ or ‘wealth screening’). If you want to use this kind of information, you will need a lawful basis to do so – either consent or legitimate interest.
Charities are likely to use legitimate interest as a basis, but to do so you will need to make sure that you are being fair and lawful in the use of that data and take into account the reasonable expectations of the individual. Their reasonable expectations are likely to vary depending on the type of data in the public domain and the context for which those data were originally published.
It is important to remember that individuals have the right to object to marketing, which includes profiling for marketing purposes, at all times – regardless of whether they have an existing relationship with you or not.
What about commercial participator agreements and information shared between organisations?
It is a legal requirement (included in the Code of Fundraising Practice) to have a written agreement with any organisation that falls within the definition of a ‘Commercial Participator’. Broadly speaking a ‘Commercial Participator’ is any person who carries on a business and in the course of that business represents that it will make donations to a charity. For example, a manufacturer that advertises washing powder with the promise that a contribution will be made to charity for each packet sold would be a commercial participator.
In terms of GDPR, this agreement should include reference to the policies and procedures that the two organisations will adhere to for the processing of any personal data. Organisations should also agree how compliance will be monitored and reported. If any data breaches are identified, then both parties need to have an agreed process for taking appropriate action (including, where required, reporting the breach to the ICO). Where one organisation is sharing personal data with another (for example, a list of employees taking part in a corporate event), the privacy information provided to the individual should outline your purposes for sharing their data and name each of the organisations involved (the sharing organisation and the recipient). Where you wish to share the information for direct marketing purposes, you should seek consent from the individual before doing so.
How long can I store personal information?
Personal data must only be kept as long as necessary to fulfil the purpose for which they were processed. It’s worth making sure you are clear what personal data you are holding, on what basis you are holding them, whether the purpose you have been processing them for still applies and, if so, how you will keep the data accurate and up to date. You also need to make clear the individual’s right to object to processing for this purpose.
It’s important to be as clear as possible in your initial privacy statement to the individual about all of the purposes you envisage using the data for. Otherwise, you may find that your legitimate interest basis for using the data expires.
For example, suppose research has been done on someone for a ‘Charity of the Year 2018’ application. The individual was told at the start of the application process through a privacy statement that their data are being processed for the purpose of the 2018 event. But the application comes up every year and the charity realises after the event that it might be useful to keep hold of this data longer.
In such circumstances, the charity will either need to delete the data once the 2018 competition is over or update their privacy information with the individual to make it clear that it will process the data for a new purpose (future ‘Charity of the Year’ competitions). They will also need to re-emphasise the individual’s right to object to their data being used for this purpose.
Can we inform a company of the names of employees signed up to events as part of our partnership?
This will depend on what you have told the employees about how you will process their data. You must let employees know if you intend to use their data in this way and offer them an opportunity to object. You should also carefully consider the impact of doing so as part of your Legitimate Interest Assessment, particularly given the employer is in a position of power over the employee (for example, if there is a risk that employees could be treated differently in their job by their employer if their boss knows they have or haven’t signed up to a corporate event).
What is the situation with our contacts passing on details of other people?
For example, if a main contact at a partnership says their supplier is interested in starting a partnership with us, can they send us their details for us to make contact or cc us into an introductory email? Or, in this instance, would we need to give the partner written (email) permission to share our contact details and then have them pass them on to the supplier to make direct contact with us?
In this situation it will depend on whether they meet the category of being a corporate subscriber or not (see Q3). If they are, then the legitimate interest basis may be applicable for sharing the data, providing all the requirements of that basis are satisfied.
If they are an ‘individual subscriber’ under PECR, then consent will be required. More information can be found in the ICO’s Guide to PECR.
Signposting and resources
Information Commissioner’s Office (ICO)
Chartered Institute of Fundraising (CIoF)