“When the Data Protection Act was implemented in the UK, we put in the softest version that we could. Now that updated laws are on the cards, the UK has the furthest step up across Europe to reach GDPR levels. Many charities weren’t even coming up to the standards of the DPA so they have even further to go.”
These are the words of John Mitchison, head of preference services, compliance and legal at the Direct Marketing Association (DMA), talking about the new General Data Protection Regulation (GDPR) from the EU, which in May 2018 will replace the 1998 Data Protection Act (DPA).
GDPR will apply across the continent to any organisation that handles people’s personal data (defined as data which could be used to identify them), be it schools, businesses, governments or social clubs. Despite Brexit, the British government is committed to its implementation.
Discussion of GDPR in the charity sector has often focused on fundraising. This misses the scale of the change, according to Daniel Fluskey, Head of Policy at the Institute of Fundraising. “GDPR covers everything that organisations can or need to do in relation to the personal data of individuals – whether that’s campaigning, volunteering, or service user/beneficiary information,” Fluskey says. “Charities need to take a whole-organisation approach to getting to grips with the changes and making sure they don’t just focus on the fundraising side of things.”
So how should charities react to this root and branch reform? While the text of the law is still being finalised, the Information Commissioner’s Office (ICO) and others have already issued guidance about how it is to be implemented. Charities should be familiarising themselves with what is already available, such as the ICO’s 12 steps to take before GDPR document.
Core principles
Underwriting every change in the GDPR is the principle that individuals should have more rights over their personal data than they currently do. Importantly, organisations that handle personal data will have to be “transparent and accountable”, and weigh the rights of the individual against the legitimacy of what they want to do with the data.
Personal data should be more like a car, cash or any other object that someone owns. You can’t take someone’s car without asking. You can’t get permission to borrow someone’s car to go to the shops, and then drive it to Mongolia. If you have someone’s car and you crash it, you are accountable. If you have possession of someone’s car and they want it back, you have to give it to them. GDPR is now bringing these same rules into the world of big data.
But as sensible sounding as they are, how will they affect the way charities collect, process and use information about their supporters and customers?
Communicating with supporters
Under GDPR, you need to be able to explain why you have the right to be in possession of, and are able to use, an individual’s data – much as you would need to if you were found in possession of their car.
There are six justifications (see box-out) but the two that potentially apply to using personal data to raise funds, awareness or campaign are (a) and (f): consent, and legitimate interest. Neither of these options is entirely straightforward.
Currently, we know more about the rules regarding ‘consent’, in part due to the 46-page ICO consultation document, which can be summarised by this line: “Consent requires a positive opt-in. Don’t use pre-ticked boxes, or any other method of consent by default.”
In other words, “she didn’t say that I can’t take her data” is now as impermissible as “she didn’t say that I can’t take her car”.
Consent also cannot be included with, or be conditional on, any other service. When asking for permission to use an individual’s data, charities will need to stipulate what data, for what purpose and even name every organisation they intend to share it with. Some of this information can be included in a privacy policy while some will have to be included on the data request form.
Ultimately charities (and everyone else) will have to prove that people understand what they are consenting to. The DMA’s Mitchison recounts an example given to him by the ICO, of an insurer having to ask people separately if they want to be contacted about home insurance, pet insurance, car insurance etc. In the charity context, we might see this apply to different campaigns, causes or geographies.
The ICO and the other bodies such as the DMA agree that charities will not automatically have to re-obtain consent to use data they already hold, but that that consent must meet the GDPR standard. Consent may also be withdrawn at any time and it is a requirement for organisations to make it easy to do so.
The good news is that, despite much of the sector’s attention being placed firmly on the somewhat controversial ‘opt-in’, this is not the only justification charities have for contacting supporters (although consent is the strongest). ‘Legitimate interest’ is the other.
‘Legitimate interest’ asks you to weigh your organisation’s interest against the rights of the individual and what they would reasonably expect you to do with their data.
In an ICO example, an individual’s data is passed on to a debt collection agency without their explicit permission because it is in the legitimate interest of the creditor to do so.
A more charity-specific angle is that it may be legitimate to send information about an auction in London to a group of people based in NW3, as it could be in their interest to attend. However, noises from the ICO suggest that activities such as processing postcode data to establish someone’s net worth are less likely to be considered legitimate.
Implications of accountability and transparency
Supporter relations aside, there are other issues to be aware of.
For example, the legislation includes large fines of up to €20m or 4 per cent of worldwide turnover for organisations that have not acted responsibly. In addition to not having a proper legal basis to hold data, failure to act responsibly might also mean not having sufficient security in place to protect against cybercrime, or a failure to follow the new international data transfer processes, or non-compliance with the rules around vulnerable people.
Equally, there are much tighter rules regarding the roles and responsibilities of people holding and handling the data, with data controllers now liable for breaches of the GDPR by their processors and vice versa. Charities will have to show they did due diligence on the policies and security of external firms that handle their data, such as fundraising or recruitment agencies, while these companies will have to show they did the same from their side.
All of this means we are likely to see an increase in the number of, and importance placed upon, data protection teams. Mitchison believes it will be akin to health and safety, something that pervades an organisation and is considered seriously at board level.
What to do
With less than a year to go before the new rules come into play, charities are advised to start working on new and improved data processes now. The ICO advises that charities should conduct privacy impact assessments, looking at the data they have, how they got it and what they can use it for. They should be thinking about the principles of accountability and transparency, and planning how they will abide by them. Above all, they should be giving thought to how they can respect individuals’ rights while continuing to raise funds, campaign and deliver their important work all across the UK.
Thomas Collinge is a freelance journalist