GDPR briefing: Fundraising (2)

The Fundraising Regulator and Chartered Institute of Fundraising (CIoF) produced six data protection briefings in February 2018 in advance of the General Data Protection Regulation (GDPR) becoming effective on 25 May 2018.

This briefing was reviewed by the Information Commissioner's Office (ICO), and supported by the Charity Commission for England and Wales, Charity Commission for Northern Ireland, National Council for Voluntary Organisations (NCVO), Northern Ireland Council for Voluntary Action (NICVA), Scottish Fundraising Standards Panel and Wales Council for Voluntary Action (WCVA).

The UK General Data Protection Regulation (UK GDPR) came into effect on 1 January 2021. For more information about your obligations and how to comply, please refer to the ICO website.

GDPR and charitable fundraising: Spotlight on fundraising

Introduction 

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018, updating the existing data protection framework in the UK. The legislation covers every sector and every organisation – which means that people in different organisations have to think about what data they might be processing and put the principles into practice in their area of work.

Why do fundraisers need to know about GDPR?

If you are fundraising for a charity, it’s more likely than not that you’ll be storing and using individuals’ personal information. That might be in the course of taking donations and recording people’s addresses and contact details, sending them direct marketing in the future or using publicly available information to research and contact new supporters. 

All of this (and much more) is counted as ‘processing’ personal data under GDPR and means that you have legal obligations and responsibilities in how and for what purpose you use those data to ensure you are respecting the privacy rights of individuals. 

In addition, there are extra rules on electronic communications under the Privacy and Electronic Communications Regulations (PECR) 2003, which are explained further below.

Direct marketing and GDPR 

For fundraisers, much of the focus in GDPR is on the processing of personal data for direct marketing. Direct marketing is the sending or directing of any advertising or marketing material to particular individuals, for example sending a fundraising appeal to someone in the post, emailing them, or sending them a text message.

‘Advertising or marketing material’ includes any material which promotes the aims and objectives of the organisation – not just promoting products or services. So, if you’re sending charity newsletters, fundraising appeals or campaigning material to people using their personal contact details this is direct marketing. 

Under GDPR you can only send direct marketing to individuals if you are able to do so under one of the lawful bases that GDPR sets out. There are six lawful bases, but in a fundraising context the two most relevant for charities are ‘consent’ and ‘legitimate interest’ (although if you are a membership organisation or trading/selling products you may be able to use one of the other lawful bases). 

What counts as valid consent? 

Consent means offering individuals real choice and control. To be valid, consent has to be a freely given, specific, informed and unambiguous indication of the individual’s wishes. It can’t be a condition of a service or be assumed through the act of donation. You can’t make the choice on the behalf of individuals (for example, you can’t use pre-ticked boxes). There are different ways for individuals to give their consent, such as choosing a ‘yes’ option on a website, ticking a box on a paper form, or orally or through action (for example, putting a business card in a bowl at an event may indicate consent where it is made clear that, by doing so, an individual is agreeing to hear more about the charity). 

For more on consent, see the ICO’s checklist on consent.

What’s legitimate interest?

In some circumstances, charities don’t need to have the consent of individuals to send direct marketing. Charities raise money through direct marketing, and GDPR makes it clear that direct marketing can be considered a legitimate interest. Legitimate interest is the most flexible lawful basis for processing and is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact. 

Note: See below for the rules on communicating through different channels – legitimate interest isn’t a valid lawful basis for electronic marketing through email and text messages or live calls to numbers registered on the Telephone Preference Service (TPS).

Whereas consent requires someone to have said ‘yes’ in some form (whether online, through ticking a box, given orally or through a specific positive action), legitimate interest allows a charity to send direct marketing as long as an individual hasn’t said ‘no’ and it does not cause harm or override an individual’s privacy rights. This means that a charity’s interests in sending direct marketing must be balanced against the interests of the individual. 

If they’ve said they don’t want to receive direct marketing (e.g. by ticking an opt out box) or if they would not reasonably expect to receive direct marketing, then their interests will override your legitimate interest and you can’t send it. So, if a charity wants to rely on legitimate interests, it needs to make a reasoned decision – most often demonstrated through having done a ‘balancing exercise’ which demonstrates that you’ve looked at the relevant factors and context to assure yourself that you are using legitimate interest properly.  For more information, see the ICO’s checklist on legitimate interest.

Don’t forget that there are specific rules for electronic communications

You will need affirmative consent for texts and emails and for some calls under the Privacy and Electronic Communications Regulations (PECR) 2003 (a different piece of legislation from GDPR). See the ICO’s Guide to PECR for more on when you need consent for electronic marketing.

However, you can rely on legitimate interests for marketing channels not subject to PECR (such as post and live telephone calls to numbers not registered with the TPS as long as no objection has been made in the past). However, you must be able to show that how you use people’s data is proportionate and has a minimal privacy impact, and that individuals would not be surprised or likely to object.

What bases can I consider for each type of communication?

You can carry out direct marketing to an individual:

By post, if

  1. That individual has given you their affirmative consent, or
  2. You can demonstrate legitimate interest and the individual hasn’t previously objected.

By email, text message or automated telephone call, if

  1. That individual has given their affirmative consent (in most cases, you cannot rely on legitimate interest to send fundraising emails, text messages or automated calls; however, when sending legitimate interest communications to ‘corporate subscribers’, you may be able to use these channels – more detail can be found in briefing papers 4 on corporate fundraising and 6 on charitable trust fundraising).    

By live telephone call if

  1. That individual has given you their affirmative consent, or
  2. You can rely on your legitimate interest and the individual hasn’t previously objected (although if the individual’s telephone number is on the Telephone Preference Service you will only be able to call if you have their consent).

How long does consent last or how long will we be able to use legitimate interest to communicate with supporters?

GDPR does not set out any specific time limits on how long consent lasts or for how long you can use legitimate interest. This will depend on what your purpose is for needing to process the data and what you have told the individual about why you need to process their data. 

Personal data must only be kept as long as necessary to fulfil the purpose for which it was processed. So, you need to:

  • Think carefully about all of the reasons you may need to process an individual’s personal data.
  • Let the individual know what those reasons are, usually either at the point of seeking consent or, in the case of legitimate interest, in privacy information provided to the individual about how their data is used (see “Privacy notices and informing individuals” below).
  • Stop using the data if your original purposes for processing it no longer apply or renew your consent/update the privacy information you send to the individual under legitimate interest if your purposes change.
  • You also need to give people easy opportunities to withdraw their consent or to stop hearing from you and keep it under review to make sure your purpose for contacting them hasn’t changed.

Paragraphs 63, 97 and 99 of the ICO’s Direct Marketing Guidance outline some factors to consider in assessing how often to review your consent with individuals or renew privacy information.

What else do fundraisers need to know?

Privacy notices and informing individuals

Individuals need to be informed about how their data will be used. Charities need to have a clear and accessible privacy notice to provide to individuals to inform them of what data you want to hold and what you want to do with those data and the rights individuals have in relation to those data. 

Privacy notices should be: 

  • Concise, transparent, intelligible and easily accessible;
  • Written in clear and plain language, particularly if addressed to a child; and free of charge.

For more information on privacy notices go to ICO’s code of practice on privacy notices.

A joined up approach with other teams

Charities can often have multiple or overlapping relationships with individuals. People can be service users or beneficiaries of a charity, as well as being donors, volunteers or getting involved in campaigns. It’s important to try and get a consistent and joined up approach across a charity so that individuals have their privacy rights respected and do not receive confusing or contradictory messages or choices over direct marketing and communications. 

Note: Also don’t forget that charities need to follow the Code of Fundraising Practice for the standards required of charity fundraising that are set by the Fundraising Regulator. This will include relevant parts of GDPR, but also include further requirements that charities need to follow in their fundraising activity.

Signposting and resources

Information Commissioner’s Office (ICO)

Guide to the General Data Protection Regulation (GDPR)

Guide to Privacy and Electronic Communications Regulations (PECR)

Fundraising Regulator 

Code of Fundraising Practice

Chartered Institute of Fundraising (CIoF)

GDPR: The essentials