The COVID-19 crisis has had a profound effect on the way charities operate, as well as a significant impact on funding. A recent estimate by Pro Bono Economics puts the shortfall at £10.1bn over the next six months. Money from events, charity shops, face-to-face and donations has been squeezed, or in some cases, halted completely, at the same time that demand for services has risen.
There have at least, as Victoria Hordern, partner and head of data privacy at Bates Wells, points out, been examples of real generosity, such as Captain (Colonel) Tom. “Charities have had to become more dependent on digital and online interaction in a new environment, while engaging with supporters within a data protection and privacy framework where the rules are becoming stricter around direct marketing (DM) and fundraising.”
However, the challenges remain. As well as the ICO’s draft code of practice on DM (published in January), which is weighted in favour of consent and makes profiling more difficult, she refers to uncertainty over the impact of the imminent ePrivacy regulation, operating on the GDPR standard of consent, which may be more lenient in some areas and stricter in others.
Hordern says: “Crisis situations frequently prompt innovation and opportunities. But, how do you re-engage with supporters who may have stopped direct debits or cut back on donations? How can you turn an army of new volunteers into supporters? Will this be a semipermanent environment, and if so, how do charities adjust to that?
“We know from the draft code that ICO expects fundraising to take a data-protection-by-design approach. What planning do charities need to do so that they can demonstrate to regulators and their audience that they are taking privacy into account up front – that they have checked that existing and potential supporters do actually want to hear from them?”
The charities on our panel told of how they have had some success fundraising in the new environment. Louise Brooks, head of data protection, outlines what the RSPCA did when the lockdown happened. “We rallied pretty quickly, and within two days launched a fundraising campaign focused on supporting animal welfare in the new climate. We started looking at it from a digital perspective first. It has ended up as one of our most effective campaigns.
“We found that some supporters with whom we had previously had quite a passive relationship, for example those who had previously only received newsletters, have responded with a donation, either by giving for the first time as a one-off or signing up to a direct debit.”
She says that RSPCA has also seen an increased response from corporate and major donors, not just financially, but with gifts in kind such as cat food and sanitiser.
However, income has been down overall. “We have had to stop a lot of activities. We are not doing door-to-door fundraising and have changed our operating model by reducing the hours of operation at our national call centre to 7am-11pm, down from 24/7. This is partly because of employee safety but also because of the costs involved in running a 24/7 operation in financially challenging times.”
Claire Robson, head of governance legal and compliance and data protection officer at Great Ormond Street Hospital Children’s Charity, says her organisation is projecting a shortfall due to loss of income over the coming months, despite some success in replacing lost funds. “We had to very quickly stop face-to-face fundraising, which had a big impact on projected figures. And many of our community and special events activities have been cancelled or postponed. But we also launched an emergency appeal within three days of lockdown being announced, and being linked into the hospital it meant we obviously got a lot of support from people wanting to help the NHS. We have received a generous number of gifts in kind to support staff from corporate sponsors such as meals, accommodation and car parking.”
She says GOSH is looking at ways to minimise the decrease and that innovation, flexibility and pragmatism will be the key words. “Our fundraising teams quickly started to try new things; for example, we held a successful virtual gala with celebrity support online. It is a leap into the unknown but we are trying to adapt, and seeing how the rules around data privacy should be applied in these circumstances.”
Tim Willett, executive director of funding, brand and communications at Action on Hearing Loss, says: “We were quite fortunate as we rely heavily on legacy income, although the pipeline will no doubt be affected in the coming months.
“We had already been reassessing our fundraising over the last year, to rebuild and restart it. The process has been paused due to Covid-19, but it has enabled us to rethink things in the context of the ‘new world’. How much of this will stick and what does it all genuinely mean for fundraising?”
Willett thinks that Covid-19 may act as a catalyst to focus on building relationships with donors. “Since the 2015 ‘summer of discontent’, we have seen the needs of the public changing, and an astronomical shift in how they engage with charities. If we just talk about fundraising and not funding [for our charities’ activities] then we will get stuck.”
He adds: “I have always been a proponent of the view that fundraising should be done on the basis of the supporter’s needs, not ours. We, arguably, got into a bad place and thought it was about driving income instead of engaging and achieving a goal.
“At the core of it, a lot of behaviours we apply are driven by operational management. Finance teams challenge fundraisers to raise a set amount to run planned services. But in our personal lives we wouldn’t book holidays on the basis of possibly getting a promotion. Most of us work within a budget defined by our expected income. Why should it be different in charities? I have never understood the need to do more than we can afford, it makes us unsustainable.”
Given these challenges, maximising income while staying within data protection rules is more important than ever. Hordern reflects upon how, when GDPR was introduced, the big debate for DM was around consent vs legitimate interest (LI). Was the rush to get consent for DM the best approach, or does it now need rethinking?
Robson recalls that when GDPR came in, GOSH didn’t change tack much. “We had already altered our telephone marketing 12 months before, and now use consent for everything except postal marketing. We are, however, starting to look at whether consent for telephone marketing is right in the short term and in light of the current extenuating circumstances. For example, is there any scope to adapt our marketing without impacting our standards?”
Willett says Action on Hearing Loss has a mixture of consent and LI across different databases, depending on their purpose, but is working towards a consent-based model. “Yes, it could limit our ability to do things, but that is arguably offset by lower costs,” he says. “You can contact larger audiences and end up with lower returns. Consent means you are speaking to people who are already interested, so you get higher rates of response. It is more efficient, and you don’t end up burning bridges.”
Brooks states that the RSPCA currently uses consent for all channels, but just before Christmas it started examining the legal basis for its post and phone marketing. “We are still in the throes of that,” she says.
Mairead O’Reilly, senior associate at Bates Wells, questions whether it is in fact right for charities to hold themselves to a higher standard than commercial organisations. “I think ICO sometimes gets the balance wrong and doesn’t act proportionately in its approach to charities. In the draft code, several of the case study examples of organisations engaging in direct marketing feature charities, even though most breaches in relation to which the ICO has taken enforcement action feature commercial organisations, such as third-party marketing organisations sending thousands of spam messages to individuals without consent.
“And I would question whether imposing a requirement for consent for postal marketing, when this is not legally required, is an excessively cautious approach. Many people do not regard receiving fundraising messages by post as an invasion of their privacy.”
Robson says her charity had many a discussion about why they couldn’t rely on soft opt-in when, for example, double glazing companies could. “My view is that a legal requirement should apply across the board equally. I always find it fascinating that there is a level for everyone, then another level for charities who are expected to take it one step further.”
Willett suggests that he might be a bit unusual in aiming for the higher road but says: “We have to accept that there are only so many people who will give money to a cause. It has to be close to their heart. Our job is to make people feel passionate about the cause. And there is a good way of doing that, which is why I think we need to aspire to that higher standard.”
He continues: “No one ever set up a charity saying ‘I don’t care how we do it, but we will fix it’. They say, ‘I want to fix it and do that in the right way’.”
Brooks is on the fence about the question of standards because she understands that there are often conflicting operational needs, but she says she gets frustrated when she hears fundraising colleagues using GDPR as an excuse for having fewer supporters. “It may be a contributing factor, but the problem might be with the campaign or your pitch. If we are honest, maybe your supporter journey needs refreshing.
“It is about putting the supporter first. It is highly unlikely that a supporter didn’t provide consent because of GDPR – they probably didn’t provide consent because they didn’t want to buy what you’re selling. Investing in what supporters want to hear and see is more important than investing in what we think they do. And this approach will help engagement in the long term.”
O’Reilly emphasises that moving away from consent is not about cutting corners. “The question is, what would supporters reasonably expect? There is a middle ground between consent for everything and doing the minimum possible to achieve compliance. It is about balancing compliance with operating sensibly within the boundaries of the law. And when determining whether to re-engage with people, it is necessary to ask whether they would be surprised and uncomfortable to hear from you.”
Robson argues that there can be a healthy tension between the creative fundraising team and the compliance team. “It is really helpful to embed GDPR and data privacy into fundraising teams so that they think about it day-to-day rather than as a contentious add on. It then becomes an intrinsic part of fundraising, where it is about engagement rather than contacting as many people as possible.”
Engagement with ICO
Hordern wonders whether the ICO should adopt a more realistic approach to charities. “Is there any way that future disengagement from the EU could lead to a more sympathetic regulator?” she asks.
On the positive side, Willett says the ICO has always been helpful when he has contacted it for support in the past, and that while he would look for advice and support from sector colleagues first, he would not hesitate to contact them proactively for advice if required.
Brooks thinks that while the ICO could be quicker at turning around guidance documents, in general they are useful. “While you can pick holes in the guidance over nuance and whether or not it suitably caters for different types of organisations, on the whole what they produce is fine. Certainly, the information they produce for the public is good, which is important as educating data subjects makes our job easier.”
Robson says charities must not expect too much from the regulator. “While the ICO is not necessarily my first port of call if I want to bounce ideas off of people, they are doing the best they can. We need to take some responsibility ourselves for figuring things out rather than expecting them to set it out in black and white. There has been more engagement with charities by [commissioner] Liz Denham, who seems genuinely interested, but the ICO has a massive ‘damned if they do and damned if they don’t’ job, especially when it comes to levying big fines.”
Finally, Hordern raises the issue of data privacy impact assessments (DPIAs), a process which helps to identify and minimise the data protection risks of a project. “Is it a live document that you revisit?” she asks. “Otherwise the danger is you complete it and then forget about it. It should be about cultural rather than documentation change.”
Brooks says that they are an important mechanism for her team, though they come with their challenges. “We use DPIAs for anything new, and as a training opportunity. While the process itself is straightforward, I find that the quality of responses across the organisation varies. We put the onus on people telling us if anything changes.”
Robson adds: “We have a process where we do an initial assessment to determine risk, then do additional ones when they are relevant. Getting fundraising teams to involve us early in the process creates problems, and where a third party is involved it can be tricky.”
Willett argues that if DPIAs are seen as a process then they will fail. “We have to treat it as just the way we work. It can become harder to implement governance requirements if they are onerous, which is why changing the culture to make data privacy part of the everyday is important.
“We need everyone to ask whether we are doing the right things within the guidance. Do we have the right intent? And on that basis, we can then decide whether we should go ahead.”
With thanks to Bates Wells for its support with this feature.