Charities should use consent as the “route of last resort” when deciding the basis on which they processed personal data, an audience of charity finance directors heard this week.
Serena Tierney, a partner at law firm VWV, told the Charity Finance Summit, run by Civil Society Media, that there were several lawful reasons to process personal data, other than having explicit consent to do so, and that in most cases, charities could and should find another basis to use instead.
She said that the key thing was that if you used someone’s data, they understood what you were doing and why you were doing it. She said you must be able to explain what data you held, and people must always be able to stop you processing their data.
“You have been thinking about GDPR in terms of consent,” she said. “But consent is the route of last resort. You should be able to process personal data on one of the other bases, and I strongly recommend that you do so.”
She said the most likely other route to process data was that it was “necessary for the legitimate purposes of the organisation”.
“That’s much better than trying to contort it into the ridiculous idea of consent,” she said. “Even if you have something that is called consent, it probably isn’t really consent.
“Consent is dead. Replace it with granularity.”
She said there were a handful of instances where consent was needed: holding sensitive personal data, exporting data outside the EU, and marketing under the Privacy and Electronic Communications Regulations, which govern text and email fundraising.
“People will always have the right to object to what you are doing with their data, and you can’t get away from that,” she said.
She said that another key thing was to understand how data flows around an organisation, and what it is used for.
“Once you understand that, everything else falls into place,” she said.
Tierney said that another issue for charities to be aware of was where their data is stored. She warned charities to take care with data stored in the United States, because in practice that information is likely to be accessible to US government agencies.
“Make sure you know if your data is stored on a server in the US,” she said. “If it’s in the US, it’s under the control of the US government.”