A free guide to help charities understand GDPR and comply with data protection law has been published today.
GDPR – the General Data Protection Regulation – is a new EU law governing data protection, which will supersede the Data Protection Act in 2018. GDPR will not introduce widespread changes to existing law, but will increase the monetary penalties for non-compliance.
The new guide, Fundraising and data protection: a survival guide for the uninitiated, has been published by consultant Tim Turner, a former policy manager at the Information Commissioner’s Office, who has been highly critical of charities’ understanding of data protection, and of the Institute of Fundraising’s guidance and approach.
The guide is also critical of charities’ handling of newspaper criticism, and of some reaction to recent actions from the ICO, who are responsible for ensuring charities comply with data protection law.
The guide includes key points for fundraisers to be aware of, including:
- There is no significant charity exemption to data protection or marketing law. Maybe there should be. There isn’t.
- The ends never legalise the means.
- If a donor or other individual does not understand what you are doing with their personal data, the practical effect is that you can’t do it, whatever it is. The same is true for consent – if a person doesn’t understand what you’re doing, you can’t argue that they have consented to it.
- You don’t need consent for every use of personal data, but if you don’t have consent, you need to know what other justification you have that allows you to use the data. The other reasons are specifically set out in the Data Protection Act and the GDPR.
- You cannot assume consent. Failure to opt-out is not consent. Silence is not consent. Previous support is not consent. A donation I give you today is not consent for something tomorrow.
- Volunteers are no different to employees; they must be trained and equipped to protect data. There is no volunteer exemption. Using volunteers is a choice you have made, and you are responsible for ensuring that you manage the risks adequately.
- If you contract out any work to an agency or contractor, you are wholly responsible for what they do, unless they steal your personal data or otherwise use it for their own purposes.
- Personal data available in the public domain is still personal data and Data Protection still applies to it.
- There are specific rules for consent over the method of communicating fundraising and other direct marketing communications. Beyond that, you have to decide whether you need consent or whether some other condition applies.
Turner wrote today in a blog that he felt that another guide was necessary, despite guidance from the ICO and the Fundraising Regulator.
“I decided that both regulators hadn’t hit the target I was aiming for – a candid, realistic and human guide to the legislation,” he said. “Moreover, having relentlessly criticised charities and fundraisers, annoying a good many good people in the process, I felt that if I had something useful, something positive to give, I was obliged do so.”
In Fundraising Magazine
Turner said that many charities have complained that the ICO does not understand charities, but that this is not an important consideration under data protection law.
“Some people seemed to think that the ICO has to consider how important fundraising, and some specific techniques, are to the business model of charities when enforcing,” he wrote in the guide. “To be blunt, they don’t. The importance of your data processing to you is irrelevant. All ICO has to consider is whether your processing is lawful under DPA now, GDPR from next year.”