B2: Fundraising in an age of GDPR

Slides from breakout session B2: Fundraising in an age of GDPR, from the NCVO Annual Conference which took place on 16 April 2018.


  1. FUNDRAISING IN AN AGE OF GDPR
     SPEAKERS
     • DANIEL FLUSKEY, HEAD OF POLICY AND RESEARCH, INSTITUTE OF FUNDRAISING
     • GERALD OPPENHEIM, HEAD OF POLICY AND COMMUNICATIONS, FUNDRAISING REGULATOR
  2. Fundraising in an age of GDPR
     Gerald Oppenheim, Head of Policy and Communications, Fundraising Regulator
     NCVO Conference, 16 April 2018
  3. In brief
     • GDPR comes into effect on 25th May 2018
     • Government legislating to ensure GDPR passes into law before UK leaves European Union
     • New rules strengthen the rights of individuals over their personal data
     • Charities must:
       - Show they have a lawful basis to process personal data
       - Recognise and act on the rights of individuals under GDPR
       - Have adequate decision-making, monitoring and reporting processes in the organisation
  4. What is personal data?
     Information/data which relate to a living individual who can be identified directly or indirectly by reference to:
     a) an identifier such as a name, an identification number, location data or an online identifier, or
     b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
  5. The 6 lawful bases for processing someone’s personal data: consent and legitimate interest
     • Consent: You can evidence a positive indication from the individual to say they are happy for you to use their data in a particular way.
     • A public task: if you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing under UK law – you can.
     • A contract with the individual: e.g. to supply goods or services they requested, or fulfil your obligations under an employment contract.
     • Legitimate interests: you can process personal data without consent if you have a genuine and legitimate reason (including direct marketing), unless this is overridden by the individual’s rights and interests.
     • Compliance with a legal obligation: if you are required by UK or EU law to process the data for a particular purpose, you can.
     • Vital interests: you can process personal data if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else.
  6. Consent: a “freely given, specific, informed and unambiguous indication of the individual’s wishes”
     Consent must:
     • Be given through a clear affirmative action from the individual.
     • Give granular options to consent separately to different types of processing (you may combine some of your processing purposes if you can show they are sufficiently similar).
     • Be separate from other terms and conditions and not be a precondition of signing up to a service (unless necessary for that service).
     • Name the organisation and any third parties which will be relying on the consent.
     • Inform individuals about their right to remove consent at any time and offer easy ways to opt out in subsequent communications.
     • Be recorded in a format which enables the organisation to evidence who consented, when they consented, how they consented, and what they were told.
     • Be kept under review, and refreshed if anything changes.
  7. Legitimate interest
     Where legitimate interest is your basis for processing, you need to:
     • Conduct a legitimate interest assessment:
       - Purpose test: are you pursuing a legitimate interest?
       - Necessity test: is the processing necessary for that purpose?
       - Balancing test: do the individual’s interests override the legitimate interest?
     • Let the individual concerned know that you are processing their data and for what purpose (usually through a privacy notice).
     • Offer them the opportunity to opt out if they wish to do so.
     • Keep it under review and repeat the legitimate interest assessment if anything changes.
  8. When is each appropriate?
     Consent is likely to be most appropriate where:
     • you can offer people genuine choice and control over how you use their data, and want to build their trust and engagement.
     Legitimate interest is likely to be most appropriate where:
     • you use people’s data in ways they would reasonably expect and which have a minimal privacy impact.
  9. Updating data protection in the Code of Fundraising Practice
     • Following consultation (Oct – Dec 2017), we have:
       - made the rules on data protection more accessible
       - ensured consistent terminology between Code & GDPR
       - removed or replaced Code where inconsistent with GDPR
       - added and expanded definitions for key terms
       - increased signposting to existing ICO and FR guidance
     • Published in February (comes into effect May 2018)
  10. Data protection: next steps
      A few caveats…
      • Awaiting Data Protection Bill and in 2019 or 2020 PECR changes in the E Privacy draft directive.
      • Further ICO guidance expected on use of legitimate interest and consent.
      However…
      • ICO advice to charities is to get ready as draft guidance will not change much.
      • ICO have reviewed the revised Code and support it. Caveats are flagged where applicable.
      • Working with IoF, NCVO, charities and third parties on compliance issues.
      • Close relationship with ICO, Charity Commission, other regulators.
  11. Guidance on GDPR
      February 2017: Personal Information & Fundraising - guidance and toolkit
      • Developed with Protecture – data protection advisers.
      • Defining a Direct Marketing approach under GDPR.
      October 2017: GDPR resource library
      • Compiles key guidance and resources from a range of bodies.
      February 2018: Guidance with Institute of Fundraising
      • New 6 part "bitesize" GDPR guidance for fundraisers.
      • Identifies ways that personal data is used in 4 fundraising methods (community, trust, corporate and legacy fundraising).
      • Addresses key GDPR questions received from charities.
  12. GDPR in summary – no reason to panic…
      • Ongoing journey rather than a race ending on 25 May.
      • No surprises - much of the GDPR builds on existing DPA 1998.
      • Bigger fines possible for non-compliance, but ICO will use those powers “proportionately and judiciously” and “as a last resort”.
      • Lots of guidance and support out there.
      • “Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.” (Information Commissioner)
  13. DISCUSSION: GDPR AND FUNDRAISING: WHAT’S ON YOUR MIND?
  14. Fundraising in an age of GDPR
      Daniel Fluskey, Head of Policy and External Affairs
      Excellent fundraising for a better world
  15. GDPR
      • Rules and compliance
      • Culture and best practice
      • Governance and leadership
      • Donors and supporters
  16. Trying to answer three questions at the same time
      • How do charities make sure they’re properly following data protection law (GDPR and PECR)?
      • Should charities be held to the same standards as businesses and other sectors, or should they be held to different/higher standards?
      • How SHOULD charities be fundraising in a way that raises money, improves the experience for supporters & the public, and brings long-term sustainability?
  17. Trying to answer three questions at the same time
      • LEGAL COMPLIANCE: How do charities make sure they’re properly following data protection law (GDPR and PECR)?
      • FUNDRAISING REGULATION: Should charities be held to the same standards as businesses and other sectors, or should they be held to different/higher standards?
      • EXCELLENT FUNDRAISING: How SHOULD charities be fundraising in a way that raises money, improves the experience for supporters & the public, and brings long-term sustainability?
  18. • Legal requirements
      • Charity’s values/ethical approach/excellence
      • Code of Fundraising Practice
  19. Excellent fundraising for a better world
  20. Lawful processing
  21. Opt in or opt out? (consent or legitimate interest?)
      1. First off, check the rules and review the guidance.
         • Consent is required for email and SMS.
         • Consent or legitimate interest can be used for post or telephone (non-TPS).
         • Do you know what each requires and how to do them fairly and lawfully?
      2. Understand your options, scenario plan, budget and assess.
         • Should be a strategic and informed decision – not just fundraising.
         • Decide what’s right for your charity – a fully ‘opt in’ approach might not be best for all.
      3. Whichever way you go, make sure you do it right!
         • And don’t just think about it as a ‘compliance’ question: what’s going to raise you money and give supporters a great experience?
  22. What the rules can’t tell you…
      • How often to contact a supporter?
      • Whether to use consent or legitimate interest? (for non-electronic marketing!)
      • How long to keep donor records for?
      • How long does consent or your legitimate interest last?
      • The exact wording to use in your privacy policy and in fundraising communications
  23. Five things to think about – for organisations
      1. Accountability and governance. Not enough to ‘be compliant’. Need to be able to demonstrate that you are. How are you going to do that?
      2. Make the right decisions for your charity (consent or legitimate interest?)
      3. How will you be talking to supporters, providing information and giving them choices? (in a way that sounds human and engaging!)
      4. Getting a joined up approach across your organisation – not just a fundraising issue!
      5. However much guidance is out there – some things are up to YOU
  24. Some resources to help
  25. FUNDRAISING IN AN AGE OF GDPR
      SPEAKERS
      • DANIEL FLUSKEY, HEAD OF POLICY AND RESEARCH, INSTITUTE OF FUNDRAISING
      • GERALD OPPENHEIM, HEAD OF POLICY AND COMMUNICATIONS, FUNDRAISING REGULATOR
