The General Data Protection Regulation is an EU-wide regulation which will become effective in the UK on 25 May 2018. It replaces the existing law we have on
data protection (the Data Protection Act 1998) and gives individuals more rights and protection in how their personal data is used by organisations. GDPR is an evolution, not revolution. The Data Protection Act already requires that data is processed fairly and lawfully, so charities shouldn’t have too much more to do.
For consent to be valid, it will need to be freely given, specific, informed and an unambiguous indication through a statement or clear affirmative action, such as actively ticking a box. You will need to ensure that your website obtains consent in this manner. (Studio Republic advise that legal help should be sought for added peace of mind, assurance and protection).
According to The Institute of Fundraising has stated as of 25th May 2018:
“You should put in the necessary time and resources to update your database. To send direct marketing you need to be sure you are doing it lawfully and fairly. It is not enough simply to comply with the rules, you also need to be able to demonstrate that you comply. This means that you must keep a record of people’s communication preferences and when they have been provided. If you are unable to demonstrate that you have ongoing consent, or (for the legitimate interest condition that the information is up-to date) you will not be able to use it for direct marketing. If you are not sure that you have their consent to send emails, then do not send them an email marketing message – or even an email to ask them to confirm if they are happy to keep hearing from you. You may be breaking the law.
You might have considered contacting an individual in these circumstances to be an administrative data cleansing exercise, but if you are making the contact in order to check if the individual is happy to receive direct marketing in the future, the ICO regards that contact as direct marketing in itself.”
GDPR Charity Organisational Strategy Advice:
Ultimately, GDPR is unequivocally clear that an individual’s choice to say “no” is paramount and more important than the charity’s legitimate desire to want to send future communications.
The Institute of Fundraising advice is:
“A whole organisation approach is necessary with a strategy agreed at Board level following an understanding of your choices and the opportunities or challenges. You will need to have documented processes and procedures in place for using and protecting personal data, with support from your executive/board for implementation, monitoring and enforcement. It must never be just down to each fundraiser to make quick and unilateral decisions.”
It’s important to remember that volunteers are no different to employees and when it comes to protecting data they must be equipped and trained to do so. Internal emails, posters, training documentation, questionnaires could help educated and assist your volunteers to understand the core principles.
Below is a Frequently Asked Question prepared by The Institute of Fundraising that you may find useful:
So, what should I do at my charity? Should we change to only send direct marketing when we have consent and go ‘opt in’, or should we keep using an ‘opt out’ and rely on our legitimate interest?
This is really where it is a choice for your charity. You will need to think through what is the right thing for you to do, based on a whole number of factors including your fundraising strategy, the size of your organisation, and considering who your donors and supporters are.
Think through the range of options that are available. There might be consideration too of a more nuanced approach, where you seek consent for some channels (email and text), but not for direct mail where you decide to rely on your legitimate interest.
Some larger national organisations have publicly announced that they are moving to ‘opt in’ for all communications as they have decided that’s the strategy that will work best for them. But others are choosing the alternative ‘opt out’ approach. You can see case studies of what some charities are doing on the Fundraising Regulator’s website ... click here!
For more information, please visit or follow the below: