Fundraising and the GDPR


1 Fundraising and the GDPR
Andrew O’Brien Charity Finance Group

2 How confident are you that you are meeting the current Data Protection Rules?

3 Why start with DPA? The GDPR is part of a journey on data protection, starting with the Data Protection Act 1998 which was a watershed moment in data regulation. The GDPR is built on the DPA and Privacy and Electronic Communications Regulations. If you want to be in a strong place to implement the new regulations, you need to understand the DPA and make sure that you are meeting your current obligations, otherwise you might have a lot of work to do. Remember that the current GDPR is an evolution not a revolution of existing practice.

4 What are the principles of DPA?
- Personal data must be processed fairly and lawfully
- Personal data must only be obtained for one or more specified lawful purposes
- Personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed
- Personal data must be accurate and kept up to date
- Personal data must not be kept longer than necessary
- Personal data must be processed in accordance with the rights of the data subject
- Personal data must be protected against unlawful processing (e.g. by criminals)
- Personal data cannot be transferred to places without adequate data protection rules

5 What is personal data? It must be recorded information (e.g. electronically or manually filed) about identifiable living individuals. Information that is not recorded about a person (such as a telephone call or a meeting) is not data. Information which is about a company or cannot be identified as an individual person, is not personal data for the purposes of data protection.

6 Putting principles into action: treating data fairly
Fairness is based on communication. You need to tell people:
- Who you are
- What you will use the information for
- Whether it is going to be shared with any third parties and, if so, for what purposes
- How you are going to communicate with people in the future
This is usually contained in your privacy or data protection statement. It cannot be buried in your terms and conditions!

7 Good communication underpins data protection
Communication is central to effectively meeting your obligations under the Data Protection Act and GDPR. You have to clearly communicate to your donors about how their data will be used so that their rights are not infringed. Read your privacy or data protection statement – if a donor read this would they understand all the ways that their data may be used?

8 Think about these privacy statements…
- “We take your privacy very seriously but from time to time we would like to contact you about the charity’s work…”
- “We take your privacy very seriously but from time to time we would like to send you the charity’s newsletter which tells you what we are doing…”
- “We take your privacy very seriously but from time to time we would like to send you information about our work, our fundraising campaigns and about volunteering/job opportunities that may emerge…”
The ICO has a template privacy statement that you can use.

9 Consent: what do the rules say?
Consent is the least risky condition for processing data. Consent is currently based on a specific and informed indication – this means that some forms of consent, such as opt-out, can be used. Email and text messages are governed separately and always require an opt-in. However, there may be a legitimate interest in your organisation processing data; this can be for direct marketing purposes or for carrying out fraud checks. The key is to understand what you need the data for and then consider what the appropriate condition is.

10 Principles into action: obtaining and processing data for specified and lawful reasons
Think about how your data is going to be used: Marketing? HR/employment? Fundraising? Personal data isn’t all about fundraising and HR, even communications which are about spreading the aims and values of your charity are considered to be ‘marketing’. Be clear in your privacy or data protection notice what you are going to use the data for and on what basis an individual has consented to this (or whether you have a legitimate interest).

11 Think from the data subject’s perspective
When considering processing, think about how you would explain it clearly to the data subject. What are their rights? What would their reaction be? If it would be unfavourable, do you have to do it? If you do, is there a legitimate interest reason?

12 Principles into action: retaining data
Do you know when you no longer need data? You need to get rid of data as soon as it is no longer relevant or necessary for the purposes you originally intended. If you want to keep data for research purposes or impact measurement purposes, make sure that you thoroughly anonymise the data. Remember you have to tell people when their data will be deleted, and you must protect people’s data when deleting it (e.g. shredding or removing hard drives).
- Archives & legal claims – it is legitimate to keep hold of the data for long periods of time.

13 Principles into action: retaining data (2)
There is no guidance or law on how often consents need to be renewed. The Institute of Fundraising has recommended every 24 months (i.e. 2 years). There is relative safety in numbers: being aware of what your colleagues in other organisations do, and whether there are any relevant codes (like the Fundraising Code of Practice), is something worth considering.

14 Principles into action: data protection/information security
You have to keep people’s data safe and you must make sure that you are taking reasonable steps to keep on top of the latest technological developments. Basic measures are essential:
- Logging who has access to data
- Passwords and encrypting data
- Monitoring who has accessed sensitive data
- Make sure that any pooled laptops or devices are appropriately protected
- Make sure that staff know their responsibilities!
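The two "logging" and "monitoring" measures above are easiest to see in code. The following is an added example, not from the presentation or from Charity Finance Group: a small supporter store in which every read of a field is checked against an assumed role permission table and appended to an audit log, so that a reviewer can later list who read sensitive fields and which attempts were refused. The roles, field names and sample record are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set

# Assumed: the CRM marks a few categories as sensitive (the slides give race,
# sexual orientation and health as examples) and logs every read of them.
SENSITIVE_FIELDS = {"health", "ethnicity", "sexual_orientation"}

# Assumed role table: least privilege, fundraisers never see sensitive fields.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "fundraiser": {"name", "address", "email", "donations"},
    "caseworker": {"name", "address", "email", "donations"} | SENSITIVE_FIELDS,
}


@dataclass
class AccessEvent:
    when: datetime
    user: str
    role: str
    record_id: str
    field_name: str
    allowed: bool


@dataclass
class SupporterStore:
    records: Dict[str, Dict[str, object]]
    log: List[AccessEvent] = field(default_factory=list)  # append-only audit trail

    def read(self, user: str, role: str, record_id: str, field_name: str,
             when: datetime) -> object:
        """Return one field of one record, logging the attempt whether or not it is allowed."""
        allowed = field_name in ROLE_PERMISSIONS.get(role, set())
        self.log.append(AccessEvent(when, user, role, record_id, field_name, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {field_name!r}")
        return self.records[record_id][field_name]


def sensitive_access_report(store: SupporterStore) -> List[AccessEvent]:
    """Every logged attempt (allowed or refused) that touched a sensitive field."""
    return [e for e in store.log if e.field_name in SENSITIVE_FIELDS]


def denied_attempts(store: SupporterStore) -> List[AccessEvent]:
    """Refused reads: the first thing to review when monitoring access."""
    return [e for e in store.log if not e.allowed]


if __name__ == "__main__":
    # Constructed sample record; the health value is a placeholder.
    store = SupporterStore({"r1": {"name": "A. Supporter", "health": "<redacted>"}})
    now = datetime(2018, 5, 25, 9, 0)
    store.read("alice", "caseworker", "r1", "health", now)
    try:
        store.read("bob", "fundraiser", "r1", "health", now)
    except PermissionError as exc:
        print(exc)
    for e in sensitive_access_report(store):
        print(e.user, e.role, e.field_name, "allowed" if e.allowed else "DENIED")
```

Keeping the refused attempts in the same log as the successful ones is deliberate: a pattern of denials against sensitive fields is exactly the signal the "monitoring" bullet asks you to look for.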

15 Other issues to think about
- The cloud: are they in the US or other non-EU countries? Do they have safe harbour status?
- Collaboration: who is the data controller and who is the data processor? Do your partners have a strong policy?
- Outsourcing: if you have external payroll or recruiters, what is their data protection policy?

16 What should you do when you go back to the office?
- Audit: carry out an audit of the information that you process in your organisation. What do you hold? Is it personal data? Is it properly managed? Do you have a policy? Do staff know it? Who is accountable?
- Identify: use your audit to identify any weak spots, whether within your organisation or third parties.
- Act: put in place an action plan to resolve those weaknesses.
Make this a regular exercise! If you really want support, you can request an audit from the ICO, although these are awarded on a risk based process. These are free, but information may be made public about your audit depending on the agreement with the ICO.

17 BREAK

18 GDPR and Fundraising Part II: What has changed?
Andrew O’Brien Charity Finance Group

19 Significant changes
- You must show how you comply with the principles of data protection regulation now, for example by documenting your decisions on why/how you are processing data.
- Consent has been made stronger: a “freely given, specific, informed and unambiguous indication”.
- The right to be forgotten (right to erasure) gives people a stronger right to have their data deleted or removed.
- All organisations will have to report data breaches to the ICO where there is a risk to the rights and freedoms of individuals.
Consent is not the end of the world given the continuation of legitimate interest. The right to be forgotten is mostly limited to consent, but this was always there as the right to ‘object’.

20 Minor changes impacting charities
- New types of data covered (e.g. IP addresses & URLs, genetic, biometric and sexual orientation).
- Information requests now have to be answered within one month rather than 40 days, and no charge can be made to the individual.
- New safeguards to protect individuals’ rights from profiling.

21 Compliance and governance
The ICO expects “comprehensive but proportionate governance measures”. This includes:
- Staff training, internal audits and reviews of HR policies
- Retaining documentation of processing activities
- Use of data protection impact assessments where appropriate (e.g. if you engage in profiling, use new technologies or carry out large scale fraud/credit checks)
- Data protection ‘by design and default’
The documentation of processing activities should include:
- Purposes of processing
- Description of the categories of individuals and personal data
- Who receives personal data
- Details of transfers to third countries
- Retention schedules
- Description of technical and organisational security measures
Data protection impact assessments need to go to the ICO to ensure that they comply; you will then be given steps.

22 Data protection officers
You have to have a data protection officer if you are an organisation which carries out large scale processing of people’s sensitive data (e.g. race, sexual orientation or health). However, regardless of whether you meet this threshold, you have to make sure that all your staff have the skills to carry out the law sufficiently. As a consequence, although not necessary, appointing a data protection officer is probably the most efficient way to meet this requirement and will aid internal governance.

23 Reporting data breaches
Where a data breach may lead to significant risks for individuals (e.g. criminal activity) a breach must be reported “without undue delay” or, at the latest, within 72 hours to the ICO. There is already a rule for /password data that a breach must be reported to the ICO within 24 hours. These two systems will continue to operate side by side. Make sure that you have a clear process and individual responsible for ensuring reporting in the event of a breach.

24 Tips for data governance
- Put it on your risk register or any risk management framework that you have in place
- Ensure that it is regularly discussed at both SMT and trustee board level
- Ensure that any DPO or person responsible for data management has direct access to the SMT/Trustee Board
- Take the time to explain to staff your approach and factor in their feedback to your processes
- Consider signing a code of conduct (e.g. ICO, Fundraising Regulator) in areas of data processing for your charity

25 Culture eats policy for breakfast!
Getting the culture right is critical to successful governance. The keys to building the right culture are:
- Understanding that data protection is about protecting the organisation’s reputation and assets
- A culture of feedback and action
- Clear information about the successes and failures
- Setting the right tone at the top!

26 Consent – what’s changed?
A stronger level of consent is required. There must be “clear affirmative action”, and this means that opt-out boxes are not acceptable to gain consent (if they ever were!). However, clear affirmative action could be filling out contact details on a website which clearly says that there will be further contact made or data processed for fundraising, or a tick box (yes/no), or it could be over the phone, or giving their business card with the aim of receiving further information from the charity. Documentation and evidence is critical. This is going to create a challenge where the data has come from third party lists.

27 Consent – preferences Under the GDPR there is more of an emphasis on giving people explicit opportunity to make their preferences about how they want to be contacted and what they want to be contacted about.

28 Example…
We take your privacy very seriously. From time to time, we would like to contact you about:
- Our charity’s fundraising campaigns
- Our charity’s petitions, lobbying and campaigning
- Our charity’s activities and achievements
- Our charity’s volunteering and employment opportunities
How would you like us to contact you in the future on these subjects?
- Phone
- Post
- Face-to-face

29 Consent v legitimate interest

30 Risk and consent
Consent: less risky – clearer expectations from donors
Legitimate interest: more risky – stronger rights for donors
Questions to weigh when choosing between the two:
- What types of fundraising do you do?
- How regular?
- How likely are donors to opt-in to communications?
- Have you explained clearly what you are going to use data for?

31 Legitimate interest explained
You have a legitimate interest in carrying out your activities as an organisation. It is understood that this will probably involve processing some sort of data, and this includes fundraising. Direct marketing (i.e. telling people about your work, fundraising, campaigning) is a legitimate interest. This covers post, or telephone calls to people not on the TPS. However, this legitimate interest does not override the rights of the individual not to be contacted, or apply if there is not a reasonable expectation that their data would be used in this manner.

32 Channels
- Email and text messages – you need consent
- Phone – you need consent for those on the TPS; you could use legitimate interest for those not on the TPS
- Direct mail – you could use consent or legitimate interest
- Door to door – you could use consent or legitimate interest

33 Tips on consent v legitimate interest
Review your current consent methods, as well as any privacy statements, to make sure that they are clear and unambiguous. Give people clear information on how to withdraw their consent. You don’t have to refresh all existing consents to meet the new standards, but think about whether their consent would stand up to the current rules – if not, then you may need to refresh consent to be safe. Think about the relationships you have: the more important they are to you, the more you will want to rely on consent for them.

34 Can you contact the following…
- Person has not donated in six years; not sure how or whether they have given consent for fundraising requests.
- Person donates every six months; not sure how or whether they have given consent for fundraising requests.
- Person has been acquired from a list of donors to another charity, has never donated before or been in contact with the charity before. Not sure about whether they gave consent to share details with your charity.
Legitimate interest

35 Talking through examples…II
- Person sent a cheque to the charity to donate, not as part of a fundraising campaign, and was sent no options for consent/preferences.
- Person sent a cheque to the charity to donate, as part of a fundraising campaign which included an opt-in form for consent, but this was not returned.
- Person has sent a cheque, as part of a fundraising campaign, didn’t tick the box for fundraising activities but did for campaigning activities.
Legitimate interest
Consent but only for campaigning

36 Talking through examples…III
- Person has sent a cheque, as part of a fundraising campaign, did tick the box for fundraising activities, but didn’t say how they want to be contacted.
- Person has made a donation in the past and has given consent to opt-in; by mistake they were asked to consent again and this time they haven’t filled in the form.
Consent but remind them about preferences
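The channel rules (slide 32), the refresh recommendation (slide 13) and the worked scenarios above all reduce to one question a CRM has to answer before each contact: on what basis, if any, may this person be contacted through this channel for this purpose? The following is an added example, not code from the presentation or from Charity Finance Group: a consent ledger that records each clear affirmative action with its evidence, supports withdrawal and objection, applies the slide 32 channel rules, and flags consents older than the Institute of Fundraising's 24-month recommendation. The class and field names, the 730-day window and the sample supporters are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Channel rules from the "Channels" slide: email and text always need consent;
# phone needs consent for TPS-registered numbers; post and door-to-door can
# rely on consent or legitimate interest.
CONSENT_ONLY_CHANNELS = {"email", "sms"}
CHANNELS = CONSENT_ONLY_CHANNELS | {"phone", "post", "door_to_door"}
# Assumed refresh window: the Institute of Fundraising's "every 24 months".
REFRESH_AFTER = timedelta(days=730)


@dataclass
class Consent:
    purpose: str              # e.g. "fundraising", "campaigning"
    channel: str
    given_on: date
    evidence: str             # where the clear affirmative action is recorded
    withdrawn_on: Optional[date] = None


@dataclass
class Supporter:
    name: str
    on_tps: bool = False                                  # Telephone Preference Service
    objections: Set[str] = field(default_factory=set)     # purposes the person objected to
    consents: List[Consent] = field(default_factory=list)

    def record_consent(self, purpose: str, channel: str, given_on: date, evidence: str) -> None:
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        self.consents.append(Consent(purpose, channel, given_on, evidence))

    def withdraw_consent(self, purpose: str, on: date) -> None:
        # Withdrawal covers every channel for that purpose.
        for c in self.consents:
            if c.purpose == purpose and c.withdrawn_on is None:
                c.withdrawn_on = on

    def object_to(self, purpose: str) -> None:
        self.objections.add(purpose)

    def active_consent(self, purpose: str, channel: str, today: date) -> Optional[Consent]:
        for c in self.consents:
            if (c.purpose == purpose and c.channel == channel
                    and c.given_on <= today
                    and (c.withdrawn_on is None or c.withdrawn_on > today)):
                return c
        return None


def lawful_basis(s: Supporter, purpose: str, channel: str, today: date) -> Optional[str]:
    """Return "consent", "legitimate interest", or None meaning do not contact."""
    if purpose in s.objections:
        return None                      # legitimate interest never overrides an objection
    if s.active_consent(purpose, channel, today):
        return "consent"
    if channel in CONSENT_ONLY_CHANNELS:
        return None                      # email / SMS need consent
    if channel == "phone" and s.on_tps:
        return None                      # TPS number without consent
    return "legitimate interest"


def consents_due_for_refresh(s: Supporter, today: date) -> List[Consent]:
    """Still-active consents older than the assumed 24-month window."""
    return [c for c in s.consents
            if c.withdrawn_on is None and today - c.given_on > REFRESH_AFTER]


if __name__ == "__main__":
    today = date(2018, 5, 25)
    # Constructed sample 1: cheque donor who was offered no consent options.
    no_form = Supporter("No-form donor")
    print(lawful_basis(no_form, "fundraising", "post", today))    # legitimate interest
    print(lawful_basis(no_form, "fundraising", "email", today))   # None
    # Constructed sample 2: ticked the campaigning box only.
    form = Supporter("Form donor")
    form.record_consent("campaigning", "email", date(2018, 1, 10), "cheque reply form")
    print(lawful_basis(form, "campaigning", "email", today))      # consent
    print(lawful_basis(form, "fundraising", "email", today))      # None
```

The evidence string on each consent is what makes "documentation and evidence is critical" (slide 26) concrete: a later challenge can be answered by pointing at the form or call where the affirmative action was given.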

37 Privacy by design and default
All organisations will be required to consider privacy and data protection when: building new IT systems for storing or accessing personal data; developing policy or strategies that have privacy implications; embarking on a data sharing initiative; or using data for new purposes. Organisations will be required to consider whether they can build systems which enable people’s data to be suppressed easily, make it easier to answer subject access requests and transfer data between different services, or use pseudonymisation. It is important that, going forward, all charities are able to consider these issues when embarking on internal developments.

38 Right to be forgotten
People have a right to be forgotten, which is in line with the previous principle that data can be kept only as long as necessary. People can ask to be forgotten if:
- their data is no longer necessary
- they withdraw consent
- they object to processing and there is no legitimate interest
- their data was unlawfully processed
You can object if you believe that you will need the data for legal claims or to comply with official authority (e.g. Gift Aid records).
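Slide 12 (delete data once it is no longer needed, anonymise what you keep for research) and this slide (erase on request unless a legal claim or official authority such as Gift Aid requires retention) describe one routine. The following is an added example, not code from the presentation or from Charity Finance Group, showing that routine over a constructed set of records: an erasure request deletes ordinary records, anonymises research records by stripping identifying fields, and keeps records under a legal hold while logging the reason, and a separate check lists records past their retention date for secure destruction. The purposes, field names and dates are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed grounds for refusing erasure, following the slide: legal claims and
# compliance with official authority (the slide's example is Gift Aid records).
LEGAL_HOLD_PURPOSES = {"gift_aid", "legal_claim"}
# Assumed: impact/research data is kept only once identifiers are removed.
RESEARCH_PURPOSES = {"impact_research"}
IDENTIFYING_FIELDS = {"name", "address", "email", "phone", "dob"}


@dataclass
class Record:
    supporter_id: str
    purpose: str
    retain_until: Optional[date]      # None = no fixed end date; must be justified
    data: Dict[str, object] = field(default_factory=dict)


def anonymise(rec: Record) -> Record:
    """Drop the supporter link and every identifying field; keep only the rest."""
    kept = {k: v for k, v in rec.data.items() if k not in IDENTIFYING_FIELDS}
    return Record(supporter_id="", purpose=rec.purpose,
                  retain_until=rec.retain_until, data=kept)


def handle_erasure_request(records: List[Record], supporter_id: str,
                           today: date) -> Tuple[List[Record], List[Tuple[str, str]]]:
    """Apply a right-to-be-forgotten request; return the surviving records and a log."""
    remaining: List[Record] = []
    log: List[Tuple[str, str]] = []
    for r in records:
        if r.supporter_id != supporter_id:
            remaining.append(r)
        elif (r.purpose in LEGAL_HOLD_PURPOSES
                and (r.retain_until is None or r.retain_until >= today)):
            remaining.append(r)   # hold still in force: keep, and say why
            log.append((r.purpose, "retained: legal claim / official authority"))
        elif r.purpose in RESEARCH_PURPOSES:
            remaining.append(anonymise(r))
            log.append((r.purpose, "anonymised"))
        else:
            log.append((r.purpose, "erased"))
    return remaining, log


def overdue_for_deletion(records: List[Record], today: date) -> List[Record]:
    """Records past their retention date: destroy securely (shred, wipe drives)."""
    return [r for r in records if r.retain_until is not None and r.retain_until < today]


if __name__ == "__main__":
    today = date(2018, 6, 1)
    # Constructed sample records for two supporters.
    records = [
        Record("s1", "fundraising", date(2020, 1, 1), {"name": "A", "address": "1 Road"}),
        Record("s1", "gift_aid", date(2024, 1, 1), {"name": "A", "amount": 50}),
        Record("s1", "impact_research", None, {"name": "A", "amount": 50, "year": 2017}),
        Record("s2", "fundraising", date(2017, 1, 1), {"name": "B"}),
    ]
    remaining, log = handle_erasure_request(records, "s1", today)
    for entry in log:
        print(entry)
    for r in overdue_for_deletion(remaining, today):
        print("overdue:", r.supporter_id, r.purpose)
```

The log returned with the surviving records is what lets you tell the person what was deleted and what was kept and why, which the slide 12 point "you have to tell people when their data will be deleted" requires.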

39 Other issues
- Data controllers and data processors have shared liability – so you must make sure that any third parties that are processing data for you have strong data protection policies.
- This is principles based regulation, which means that the implementation may change depending on the experiences of the ICO.
- The Fundraising Regulator & ICO relationship: the Code of Fundraising Practice will add additional requirements onto charities above and beyond the GDPR, and you need to make sure that you are aware of them. You must comply with the code, regardless of GDPR.

40 Useful resources
- Institute of Fundraising: GDPR Essentials
- CFG: GDPR Guide for Charities
- Fundraising Regulator: Consent and Preferences

41 Get in touch Andrew O’Brien Director of Policy & Engagement
Charity Finance Group

