Stephen Service, policy manager at the Fundraising Regulator, writes that the "cult of consent" has caused many charities to run into trouble as they move towards being GDPR compliant come May next year.
I know Halloween is coming, but I was genuinely spooked to hear about the untimely demise of consent as a condition for data processing.
“Consent is dead’ when it comes to GDPR, charities told”, screamed Civil Society’s report on Serena Tierney’s comments at the Charity Finance Summit on 20th October. “You have been thinking about GDPR in terms of consent,” she reportedly said. “But consent is the route of last resort. You should be able to process personal data on one of the other bases, and I strongly recommend that you do so.”
Ms Tierney is right to highlight the range of lawful reasons under which charities may process data. An approach which only allows data to be processed where it has an individual’s consent is likely to unduly restrict a charity’s activities, just as an approach which only considered the legitimate interest of the charity would restrict direct marketing communications to post and phone calls where a charity can show a pre-existing relationship with an individual.
However, the idea that charities should think about the lawful bases for processing as if they come in an order of priority is unhelpful. Consent is not “the route of last resort” – as the ICO’s draft guidance makes clear, it is a lawful basis for processing which will be appropriate for charities in some circumstances and not in others. It is up to charities to consider what purposes they wish to use individual’s data for now and in the future and apply the most appropriate processing condition based on those purposes.
Operating with the permission of the individual is an attractive concept for many charities; it can be seen in phrases like “donor-centred fundraising”. But the cult of consent has caused many charities to come to grief in the early stages of their GDPR thinking, wanting the idea of explicit and unambiguous consent for their fundraising without being able to evidence it in reality.
In data protection terms, consent comes with obligations and these will tighten under GDPR. The ICO’s draft guidance emphasises that “if you cannot offer a genuine choice, consent is not appropriate”. You cannot pay lip service to consent if you would process the data anyway by other means without it.
All charities need to understand the range of conditions for processing in order to apply them correctly to their activities. Consent is not the bogeyman, but wilful ignorance of your right to process data is.