Some arts charities are unsurprisingly nervous about the new General Data Protection Regulation that comes into effect next year. Pamela Johnson offers trustees guidance on how to comply.
Under the General Data Protection Regulation (GDPR) all organisations will need to be able to demonstrate how they operate in relation to the new data protection law. There are already clear existing guidelines under the Privacy and Electronic Communications Regulations for electronic, mobile and telephone communications that sit alongside the current Data Protection Act, and which organisations should already be following.
Evidence of opting in
When charities have hit the headlines in the past, it’s mainly been due to the way in which communications have been carried out. Organisations have been fined predominantly for not following the principle of ‘fair and lawful processing of data’.
Under GDPR, all fundraising is deemed ‘direct marketing’ and charities will require an ‘opt in’ consent for most forms of communication where named individuals are involved. So, while it’s best practice that individuals consent by opting in to all organisational communications, there is also a lawful condition for sending postal communications or making live telephone calls that does not necessarily require opt in.
This issue therefore is one of the most important (and confusing) aspects of the new legislation. Currently, consent must be freely given, specific and capable of being withdrawn at any time. For GDPR, consent still needs to be all of those things, plus ‘unambiguous’.
The ICO states that ‘unambiguous’ equals a ‘clear affirmative action’, i.e. individuals signing up to a mailing list through an opt-in box, providing their details on a contact form or even given verbally via a member of staff or volunteer are all acceptable. However, in future this must also now be able to be evidenced.
Rights of the individual
Charities will still be able to contact individuals without consent under what is termed the ‘legitimate interest’ rule, but a balancing exercise should be carried out to determine whether the individual’s rights override the charity’s own legitimate interest in sending them the communication.
It is worth noting that while there is nothing in the law that says wealth screening or sharing data is illegal, the use of an individual’s data for these purposes must not override their individual privacy rights. For example, was the individual told how their data would be used at the time it was gathered (‘unambiguous’) and were they provided with opportunities to agree, object or opt out (‘fair and transparent’)?
From a governance perspective, trustees should be asking whether individuals have been given a reasonable understanding about why the charity would want to contact them and how this can be evidenced.
Duration of consent
The law also doesn’t state how often a charity should contact an individual, or how long consent should last. This will be different for every organisation. Trustees should be discussing with their organisations whether their charity has been doing this in a way that audiences and supporters are happy with and meets their expectations. Charities will then need to create a policy that denotes how this will happen in future.
For example, if you run a membership scheme with a number of lapsed donors on the database that haven’t supported the organisation in years (there’s no record of recent activity and no original register of consent), would a major giving ask for a capital campaign be lawful? The charity could still contact them using the ‘legitimate interest’ condition, but without evidence of any of the above, this approach would appear to be questionable under the new legislation.
One way to ensure compliance would be to develop a policy on lapsed donors – when and how to contact them and for how long their data should be kept if they don’t renew.
So, what are trustees to do in the light of these scenarios? A good starting point is to take a whole organisational approach and undertake an audit of all the charity’s data collection methods and communications. Only then can consideration of consent within the context of that charity’s activities be fully addressed.
Another way to ensure compliance is to have a clear, accessible and fit-for-purpose privacy notice on the home page of the charity’s website. The privacy notice should tell the public what data is collected, how and why it is held and what it will be used for, and how they can opt out and who to contact.
If a charity holds personal data, it must also tell individuals what data is held on them and periodically publicise the fact, particularly if a privacy notice is created or updated. How that is carried out can be part of an organisation’s normal communications, such as a line and link included in a monthly newsletter.
Although it will be up to each individual charity to decide what is appropriate, trustees should have a nominated board member that takes an oversight role and understands this new regulatory framework. They should also task the charity’s leaders and employees to create organisational policies that demonstrate best practice and monitor that these are operating in line with GDPR guidance.
While there are things that the new law won’t be able to tell you, having clear written policies in place on consent and privacy will help minimise risks. Doing this not only ensures your charity is compliant, but above all demonstrates good, effective governance.
Arts Fundraising & Philanthropy and the Institute of Fundraising’s Cultural Sector Network will be running a one-day national conference at Bristol Watershed on Thursday 9 November on the implications of GDPR and the new Fundraising Regulations for all arts, cultural and heritage charities.
This article is part of a series, sponsored and contributed by Arts Fundraising & Philanthropy, on the theme Fundraising for the future.