The Impact of GDPR on Charitable Activities
Are charities exempt from data protection? The short answer is no.
Unfortunately for charities, the rules on data protection treat charities in exactly the same way as any other business; there is no such thing as a charity exemption.
This is because the ICO has assessed that, regardless of a charity's aim of raising money for its charitable cause, its activity is essentially no different from that of private companies marketing a product or service.
Volunteers and Outsourcing
Volunteers are viewed no differently from employees, and the charity is responsible for the actions of its volunteers – with no exception! You must be able to demonstrate that your volunteers have received GDPR training and understand both the importance of protecting data and how to do so. If you have outsourced this aspect, you must have a GDPR-compliant contract in place.
Fundraising Preference Service Compliance
Data protection must be taken seriously. The Charity Fundraising Regulator has already made approximately 60 referrals to the Information Commissioner (ICO) for breaches of data protection. This was because these charities had failed to check the fundraising preference service (FPS) to identify which members of the public had made requests for the charity to cease contacting them.
Failing to act on an FPS request may amount to a breach of the GDPR and/or the Privacy and Electronic Communications Regulations (PECR). The FPS automatically emails the charity asking it to act on the request through the FPS system within 21 days of the request.
The charities were referred to the ICO because they had failed to act on these repeated requests.
The Director of Investigations at the ICO who oversaw the investigations issued a stark warning to charities, saying: “Charities that ignore the fundraising preference service run the real risk of causing distress and offence to people who just don’t want to receive their marketing communications. The ICO has written to them to remind them they must act lawfully and responsibly in protecting people’s personal data and in how they communicate with them. Our advice for charities is clear: they must not contact people registered on the FPS and, where we see this happening, we will investigate and take enforcement action where necessary.”
ICO Enforcement Action Against Charities
Further evidence that the ICO takes data protection by charities seriously is demonstrated by its action in 2016, when it issued significant monetary penalty notices following investigations into the RSPCA and the British Heart Foundation (BHF). They received penalties of £25,000 and £18,000 respectively for contraventions of data protection. The activities under scrutiny were viewed as significantly non-compliant.
The three areas of activity under scrutiny were wealth screening, data sharing, and data and tele-matching.
Some charities employ wealth management companies to analyse the financial status of supporters and estimate how much more money individuals could be persuaded to donate. The wealth management companies used information from publicly available sources to investigate income, property values, lifestyle and even friendship circles, alongside an array of personal data such as name, address and age. They were also able to identify the donors most likely to leave money in their wills.
The RSPCA and BHF informed the ICO that they repeatedly wealth screened all their supporters. They did not have their consent to do so. The RSPCA said the practice was common and both charities indicated that they had no intention of stopping.
From the report it would appear that there is an expectation from the ICO that any charities wishing to carry out wealth screening must identify this type of processing in the fair processing notice and have procedures in place for individuals who object to wealth screening.
Data Sharing and Data and Tele-matching
When donors chose not to provide information, the RSPCA and BHF hired companies to find it out. They shared the data they did hold so that the external companies could trace the additional information they wanted. Both charities were then able to use this additional information, which the donor did not know they held, to contact donors for further donations.
The key to hopefully avoiding complaints, investigation and enforcement action is to review your policies and procedures to ensure that you are GDPR compliant.
Charities are bound by the principles of the GDPR and the requirements for demonstrating compliance. More detail can be found on our website; however, a simple overview of consent is set out below:
- You are not required to automatically refresh all existing Data Protection Act (DPA) consents for the GDPR, but you should be confident that the standard of consent meets GDPR requirements and that these consents are properly documented
- If existing pre-GDPR consents are not GDPR-compliant or are not properly documented, you will need to seek fresh GDPR-compliant consent or identify a different lawful basis for your processing (and ensure continued processing is fair)
- Ensure that you have compliant mechanisms in place so that individuals can withdraw their consent easily
The ICO's consent guidance states that there is "no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate."
That being said, the ICO asked the British Red Cross and Age International to sign undertakings that committed them to refreshing consent every two years. This may not seem unreasonable but may pose administrative burdens on ensuring compliance.
Therefore the duration of consent relates directly to your privacy notice and to being clear about what an individual is consenting to and for what period. For example, is it for the duration of a particular charitable campaign or longer? Also consider when consent was obtained. If it was obtained at the time of completing a direct debit mandate which is subsequently cancelled, then consent should be obtained again.
Privacy and Electronic Communications Regulations 2003 (PECR)
Charities may also need consent under ePrivacy laws if they undertake activities such as marketing calls, texts and emails. Charities can use the soft opt-in when selling products and services, but not when seeking donations. These rules are currently found in the Privacy and Electronic Communications Regulations 2003 (PECR).
The key question is whether an individual will understand what you are doing with their personal data. If not, then you cannot undertake that activity. Remember, a donation made yesterday is not consent for some other marketing activity today.
Legitimate interests as an alternative to consent?
The GDPR defines legitimate interests as follows:
“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”.
Arguably, raising funds for a charitable cause is a legitimate interest. Therefore a charity’s understanding as to whether a person has the means to support such a cause and would be likely to donate is a legitimate interest.
The key is to ensure that your proposed activities (wealth screening, marketing, etc.) are necessary. The onus is on the charity to demonstrate that the type of data processing undertaken is necessary. The ICO has indicated that wealth screening is a separate and distinct activity and not part of administering donations.
A word of warning if you are considering relying on the legitimate interests condition. The charity’s interests must be balanced against the rights and freedoms of the individual. The ICO is more likely to err on the side of the individual unless you have a clearly documented procedure and associated risk assessment to demonstrate it is a legitimate activity.
So in conclusion:
- Review your data collection processes and procedures – your privacy notices informing donors what you are doing with their data need to be clear and cover all your activities, giving donors the opportunity to consent to particular activities such as wealth screening or data matching
- Consent and/or legitimate interests – ensure that you are processing data within the parameters of the consent given or the documented legitimate interests
- Compliance checks on the companies you work with – if you outsource any data processing activities, make sure this is documented in an appropriate GDPR-compliant contract
- Seek advice from a data protection expert – I am an accredited GDPR practitioner. Getting the right legal advice on your data protection compliance can minimise not only your risk of financial penalties but also any reputational damage.