GDPR briefing: Legacies (5)

The Fundraising Regulator and Chartered Institute of Fundraising (CIoF) produced six data protection briefings in February 2018 in advance of the General Data Protection Regulation (GDPR) becoming effective on 25 May 2018.

This briefing was reviewed by the Information Commissioner's Office (ICO), and supported by the Charity Commission for England and Wales, Charity Commission for Northern Ireland, National Council for Voluntary Organisations (NCVO), Northern Ireland Council for Voluntary Action (NICVA), Scottish Fundraising Standards Panel and Wales Council for Voluntary Action (WCVA).

The UK General Data Protection Regulation (UK GDPR) came into effect on 1 January 2021. For more information about your obligations and how to comply, please refer to the ICO website.

GDPR and charitable fundraising: Spotlight on legacies


The General Data Protection Regulation (GDPR) came into effect on 25 May 2018, updating the existing data protection framework in the UK. The legislation covers every sector and every organisation, which means that people in different organisations have to think about what personal data they might be processing and put the principles into practice in their area of work.

Legacy fundraising 

For the purposes of this guidance, legacy fundraising is taken to mean fundraising activity where the purpose is to encourage individuals to leave a legacy gift in their will.

Key issues for legacy fundraisers 

The GDPR applies to ‘personal data’, meaning any information relating to a living individual who can be directly or indirectly identified from it. This obviously includes name, address and contact details, but it also covers two or more pieces of information that would not identify anyone on their own yet do so in combination, for example gender, date of birth, a geographic indicator and other descriptors.

A fuller definition of ‘personal data’ can be found on the Information Commissioner’s Office (ICO) website.

For legacy fundraising and administration, this means that whenever you ‘process’ personal data (e.g., for direct marketing) you need to do so fairly and lawfully. You also need to keep the data securely and take steps to ensure they are accurate and up to date.

Note: The provisions for ‘personal data’ apply to living individuals – so people who have left a legacy gift and are deceased fall outside the scope of GDPR. However, there is still a duty of confidentiality which needs to be considered when making any disclosures. 

Ways that legacy fundraisers may wish to process personal data in the course of their activities may include, but are not limited to:

  • carrying out external research (for example, online or in published directories) to identify individuals who may have a particular link to your charitable cause or who may be open to a fundraising approach. This may include looking at the backgrounds and influences of those individuals, screening them for particular characteristics such as level of wealth or using publicly available data about them.
  • contacting those individuals to seek a charitable gift, to provide information about how to make a will or to keep them updated about the work of your charity.
  • storing contact information of those individuals.
  • communicating with executors to follow up legacy notifications.

When processing personal data, you need to consider two key issues:

  • what purposes you wish to process the data for; and
  • how you will show that the data has been processed lawfully.

Key GDPR questions for legacy fundraisers

1. How can I lawfully contact an individual?

Where you are promoting your charity to specific individuals, for example by contacting an individual to seek their support, this is likely to fall within the definition of direct marketing. Direct marketing includes promotion of a charity’s objectives and ideals, not just requests for money. Likewise, if you carry out research on individuals, or collect data on them, for the purpose of seeking a bequest, that activity is itself processing for direct marketing purposes. The full range of lawful bases for processing personal data can be found in briefing 1.

In practice, where you are carrying out direct marketing, you will need to rely on either the individual’s affirmative consent or on legitimate interest as your lawful basis for contacting them. Note that for email, SMS and similar electronic channels the Privacy and Electronic Communications Regulations (PECR) apply alongside the GDPR and generally require prior consent for unsolicited direct marketing to individuals, so legitimate interest on its own will not cover those channels.

a) Consent

Where an individual has given you their contact details with consent for you to contact them for a particular purpose (for example to send them details about leaving a legacy), then consent is likely to be the best basis for future contact. An example of this would be if they have provided contact details and ticked a box on a consent form to signify that they are happy to hear from you about leaving a gift.

However, in many circumstances you will be approaching an individual without a prior introduction, so using consent as your lawful basis may not be practical. The threshold for consent under GDPR is high: consent must be a “freely given, specific, informed and unambiguous indication of the individual’s wishes”, so you need to check that you can show you have met all of these criteria before relying on it.

Remember also that a communication outlining consent options is itself direct marketing. You will need a separate basis to justify a ‘consent options’ communication (for example legitimate interest – see below) if you do not have any previous permission from the individual to use their data for direct marketing purposes. 

b) Legitimate interest

Where consent is likely to be too difficult to obtain, legacy fundraisers may be able to use legitimate interest as a lawful basis for direct marketing communications in many instances, provided they can show their processing is fair. Where legitimate interest is your basis for processing, you need to:

  • show you have weighed the individual’s interests against your own by doing a legitimate interest assessment (see briefing 1 for further details).
  • let the individual concerned know that you are processing their data and for what purpose.
  • offer them the opportunity to opt out of further communications if they wish to do so.

Further information on the ‘three-part test’ for legitimate interest (purpose, necessity and balancing) can be found in the ICO Guide to GDPR.

When using legitimate interest, you will usually be able to use a privacy notice to cover how you will process the individual’s personal data and how they can opt out, as long as you alert the individual to it in your communication with them.

2. How long does consent last, or for how long will we be able to use legitimate interest to communicate with supporters?

How long consent lasts or for how long you can use legitimate interest depends on what your purposes are for using an individual’s data. You should tell the individual what your purposes are either when you obtain their consent or, in the case of legitimate interest, by giving them information about how you will use their data. 

When your purposes for using the personal data are no longer relevant, you must delete the data. If you identify a new purpose for keeping it, you must either seek fresh consent or, if legitimate interest is your basis, send the individual updated privacy information explaining why and how you intend to continue using the data and for what new purposes. Keep your data under review to make sure your purpose for contacting people hasn’t changed.

You also need to give people easy opportunities to withdraw their consent or to stop hearing from you. Paragraphs 63, 97 and 99 of the ICO’s Direct Marketing Guidance outline some factors to consider in assessing how often to review your consent with individuals or renew privacy information.

3. What about communications with family members about the administration of an estate where someone has left a legacy?

Charities will often be in contact with the family or next of kin of a supporter who has left a legacy gift. That could be to recognise the generosity of the donor, offer condolences, check the family’s preferences and views of how they would like the donor to be remembered by the charity, or confirm the projects that the donor’s gift will be put towards.

Sometimes that communication will be via a solicitor who is administering the estate. If not, charities can write to the family, but you need to be careful that the communication doesn’t slip from being an ‘administrative’ purpose into a direct marketing communication. If it does start to become a direct marketing communication (for example, asking if the next of kin wants to support the charity in the future or receive information such as a newsletter), then the same rules requiring consent or legitimate interest would apply.

Other issues for legacy fundraisers to think about

Are you processing sensitive personal data?

Personal data in the GDPR’s ‘special categories’ (what the previous law called ‘sensitive personal data’) can only be processed if one of the specific conditions in Article 9 of the GDPR is met, in addition to an ordinary lawful basis. For fundraising, in practice the relevant condition will usually be the individual’s explicit consent. Special category data include, but are not restricted to, racial or ethnic origin, as well as any physical or mental health condition. Legacy fundraisers may be told such data unprompted (e.g., someone might tell a charity that they are leaving a gift in their will because it works to cure a disease from which they suffer). You can record and keep that information, to enable you to communicate sensitively and appropriately with the supporter and their family, but you will need their explicit consent (or another Article 9 condition, if one applies) to do so.

Consider undertaking a Data Protection Impact Assessment (DPIA)

One of the key elements of GDPR is being accountable and putting in place good governance processes. One of the ways organisations can identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy is to undertake a DPIA. If you believe that there is a higher risk to individuals’ rights (e.g., contacting a lapsed donor after a number of years, who had a history of engagement and financial support to your charity, with a legacy communication), then carrying out a DPIA can help you to assess the necessity and proportionality of the processing in relation to the purpose and any risks to individuals. For more information, take a look at the ICO’s guidance on conducting data protection impact assessments.

Legacy fundraising vs legacy administration

Beyond legacy communications that are sent for direct marketing purposes, legacy administrators have a duty to fulfil the donor’s final wishes in a timely manner. This will mean communication with a solicitor and the executor of the estate and can also include next of kin and family. For next of kin and family, you will need to check where and how you have received their details (e.g. direct from them or via a solicitor), review any past communication or preferences they might have specified and take care to communicate in an appropriate and sensitive manner. For more information see guidance from the Institute of Legacy Management.

Remember the requirements in the Code of Fundraising Practice

Alongside data protection requirements, it should always be remembered that fundraising organisations should follow the Code of Fundraising Practice.

Signposting and resources

Information Commissioner’s Office (ICO)

Guide to the General Data Protection Regulation (GDPR)

Direct marketing guidance

Data protection impact assessments 

Fundraising Regulator 

Code of Fundraising Practice

Chartered Institute of Fundraising (CIoF) 

GDPR: The essentials