While a huge amount has been written about GDPR, less attention has been paid to concurrent changes to the existing Privacy and Electronic Communications Regulations (PECR). Tim Turner writes that fundraisers neglect changes to PECR at their peril.
If your job involves handling personal information about donors, volunteers, staff or anyone else connected with your organisation, you have probably heard of the General Data Protection Regulation (GDPR).
GDPR is coming in May 2018, and brings with it a host of questions and complications – mandatory breach reporting, impact assessments, data protection by design, and for some charities, a mandatory data protection officer operating with considerable independence from their employer. However, if you’ve heard anything about the GDPR, it is probably about consent.
The GDPR standard for consent is high – unambiguous, active, with no doubts about what the person has agreed to. It’s not surprising that some in the charity and voluntary sector are tempted to look for other GDPR options. Consent isn’t the only justification for using personal data, but GDPR limits the other options.
The other option in most cases is "legitimate interests", which requires a decision about whether the organisation’s purpose is overridden by the effect on the interests or fundamental rights and freedoms which require data to be protected. For research, marketing and other fundraising activities, it might be a tempting option to justify the use of personal data, and not to mince words, it’s the option that doesn’t involve people saying no.
But there is a problem with seeing the question as a binary choice between equally weighted options – sometimes, the choice isn’t there. Data Protection (both the current Data Protection Act and the future GDPR) isn’t the only legal control on the use of data, especially when carrying out fundraising, marketing and promotion. Indeed, for the purposes of the Privacy and Electronic Communications Regulations 2003 (PECR), fundraising, marketing and promotion are the same thing.
While legitimate interests might work for research, direct contact for marketing purposes is constrained by PECR if made by electronic means. Only post is exempt. Whenever you want to contact people with your message or recommendation, PECR’s rules must be on your mind.
PECR’s rules are a hotchpotch – to send emails and texts for marketing purposes or use automated calls with a recorded message, an organisation must have consent. No other condition is allowed, despite the many charities who run text campaigns on an opt-out (and therefore unlawful) basis. On the other hand, live marketing calls can be made without consent unless the person is registered with the Telephone Preference Service or has opted out. Even donors or supporters are included in this.
But just as GDPR is changing, so is PECR. A new version is on its way, but unlike GDPR, the rules aren’t finished. Whereas GDPR was finalised in April 2016, with a two-year implementation period to cushion the blow, the upcoming ePrivacy Regulation is still in draft.
Some changes are clear: PECR’s replacement moves every method of communication to a default of consent. Moreover, the eye-catching GDPR monetary penalties (a maximum of €20,000,000 or 4 per cent of annual turnover) are also included. The rules for cookies are streamlined, perhaps spelling the end of some of the internet’s annoying pop-ups.
The Regulation is a draft, so its requirements are still potentially up for grabs. Moreover, despite the default requirement for consent, the draft leaves open the possibility for individual EU member states to retain an opt-out system for live calls. Meanwhile, the European Data Protection Supervisor has suggested that the distinction between personal and work-related communications should be dissolved, removing the potential for sending marketing to business addresses without consent.
The EU plans a big bang for information law, with the ePrivacy and General DP Regulations coming into force at the same time (25th May 2018), but a progress report from the EU presidency last month revealed scepticism from some countries that the precision required to get the Regulation right for 28 EU member states can be achieved that quickly.
Nobody knows for certain when it will be finalised, and when it will come into force. And, of course, the Regulation is EU legislation, and it is traditional to express a measure of scepticism about what the future holds for anything European in the uncertain Brexit future.
Nevertheless, PECR and ePrivacy should never be far from the thoughts of anyone wanting to contact individuals, and especially whenever legitimate interests is raised. Moreover, with the new rules still up in the air, close attention to the ePrivacy Regulation’s progress would be advisable.