Guest blog by Gary Shipsey from Protecture.
The full details of the RSPCA and British Heart Foundation fines have been published, promoting the Charity Commission and the Fundraising Regulator to issue a rare joint alert about compliance with Data Protection Act (DPA).
CEOs and Trustees are expected to act now. This is a summary of our recommendations; please see our blog for more detail and our Trustees: A Brief Guide to Data Protection Risk.
The activities scrutinised by the ICO can be undertaken in compliance with the law. The question is whether your approach is compliant, and if not, what actions can be taken to make them compliant.
Consent has been clarified
The fines confirm that charities wishing to share and/or sell their marketing lists must ensure donors provide specific consent. This aligns with the Code of Fundraising Practice.
More importantly, the fines clarify what consent means; attendees at our recent events will know we have been highlighting the definition is in the European Directive. The ICO states the very same:
“The DPA implements European legislation…The DPA must be applied so as to give effect to that Directive” meaning “consent must be freely given, specific and informed, and involve a positive indication signifying the data subject’s agreement.”
Any activity requiring consent should stop unless you hold consent at the required standard. If not, or you have doubts, now is the time to consider re-engaging with individuals to clarify their consent.
Transparency must be front and centre
The fines focus on the unfairness of undertaking wealth screening without sufficiently informing individuals about using their personal information in this way:
“Supporters have not been provided with sufficient information to enable them to understand what would be done with their personal data in terms of screening and thereby to enable them to make informed decisions on whether or not they wished to object to such screening.”
Fair processing / privacy notices should fully inform people what you intend to do with their personal information. They should enable people to exert choice (if they have a choice) and exert their rights (should they wish). For example, the right to object to direct marketing and to object to profiling.
If you wealth screen, your rationale should be presented to your Trustees and agreed by them. This should outline the controls you will use to ensure an appropriate balance between your (and your beneficiary’s) legitimate interests and the rights and interests of donors; your updated fair processing notices and your internal processes for handling any objections.
Organisations will soon have to both comply with data protection law and be able to demonstrate how they are complying. Trustees and senior management must be able to point to the evidence – for example, of informed decisions made about levels of security; of processes followed; of training delivered – in order to ensure their organisation is compliant.
Organisations should ensure their Trustees, CEO and senior management are preparing now for the GDPR going live on 25th May 2018. They should assess where the role of Data Protection Officer, or someone allocated responsibility for data protection compliance, should sit within their organisation’s structure and governance arrangements.
You can register for a free webinar on data protection with Protecture here.