Paul Ticher, a data protection expert, shares his insight on current areas to consider:
Why is the regulation of fundraising being reviewed?
Public concerns over fundraising practice have led, over the last few months, to:
- A new regulator
- Changes already to the Code of Fundraising Practice
- Possibly more changes to come
- Revised marketing guidance from the Information Commissioner’s Office
The new Fundraising Regulator (who has also been given the task of setting up a Fundraising Preference Service) has not yet issued any helpful definition of ‘fundraising’. It will not necessarily be the same as ‘marketing’ – which is what the Data Protection legislation is concerned with. Assuming that there is a distinction, fundraising is likely to have to meet stricter requirements than other forms of marketing (such as inviting people to events, for example). However, the whole issue remains unclear at present.
The new EU General Data Protection Regulation (GDPR) brings in important changes, including changes to the rules on consent. It will be in force from 2018 but with some retrospective effects.*
Data Protection is about protecting people and giving them privacy and choice. It is also about respecting their individual rights, such as subject access, the right to opt out of direct marketing and a right to compensation for any harm caused through poor data management.
The 8 Data Protection Principles are:
- Data ‘processing’ must be ‘fair’ and legal.
- You must limit your use of data to the purpose(s) you obtained it for.
- Data must be adequate, relevant & not excessive.
- Data must be accurate & up to date.
- Data must not be held longer than necessary.
- Data Subjects’ rights must be respected.
- You must have appropriate security.
- Special rules apply to transfers abroad.
Legislation is currently under review and it’s likely to impact on the following areas:
- Fundraising is likely to have to be based on consent, and this may mean opt in:
  - Some charities are already switching to opt-in only
  - But an opt-in is not absolutely required in every case according to the revised ICO marketing guidance
- Some marketing that does not involve fundraising may not require consent.
- It may be that a membership package could be defined to include marketing
- Every organisation must decide who will be asked to consent to what, and how they will be asked/informed.
- Consent cannot be recorded just as a tick; it must show when consent was given and what for (and possibly when it expires).
- The consent field probably needs to record the status of consent more precisely – something like:
  - Consent given
  - Consent requested but not given
  - Previous consent withdrawn
  - Not yet asked
  - Consent currently assumed
- This needs to be done for each channel and type of content.
- Suppression-based marketing and fundraising is unlikely to be sufficient, but suppression lists must still be an option.
- There may be a requirement to retain a historic record.
- Marketing and/or fundraising selections must reflect preferences accurately.
Actions to Take
At Economic Change, we have been providing database solutions to non-profits to capture, record and monitor client data using Salesforce CRM, which offers free and discounted licenses to non-profits. Some of the tools we can use to address the above implications include:
- Creation of Online Forms, which collect stakeholder information and ask the relevant consent questions at various stages, e.g. upon engagement with an organisation, upon leaving the organisation and in subsequent years going forward.
- Use of History Tracking functionality on relevant consent fields within the database to retain a record of any changes.
- Collecting relevant information and sorting contacts effectively by interest or service, to ensure that people are sent only relevant marketing that they have consented to.
- Integrated CRM and E-marketing Tools to co-ordinate your contact database with your e-marketing tools, so that practices and processes for corresponding with clients are streamlined.
- Introduction of automated actions to expire contacts from a mailing list, if their engagement period relates to a specific time-frame.
If you would like a free demonstration and consultation of Salesforce CRM and the tools we use, then please contact Heather Black at firstname.lastname@example.org or call 020 3051 8333.
* The new EU Regulation will come into force across the EU before the end of the two-year negotiation period for the UK’s departure, and therefore while the UK is still an EU member. There is obviously some doubt what the position will be when the UK subsequently completes its exit from the EU, but it is assumed by most in the field that the Regulation or something very close to it will continue to apply to the UK, in order to facilitate the UK’s trade relations with the EU. (See for example the recent NCVO briefing on the implications of the referendum decision.)
Please note: This information is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.