The Institute of Fundraising publishes guidance for charities regarding the EU GDPR and donors

16/05/2017 News Team

On 25 May 2018 the new General Data Protection Regulation (GDPR) will come into effect in the UK. This will replace the current Data Protection Act and introduce new and different requirements for all sectors and organisations.

To help fundraisers understand the key parts of GDPR in terms of direct marketing, the Institute of Fundraising (IoF), in partnership with law firm Bircham Dyson Bell, has produced guidance on how charities can prepare for this change.

The new rules will effect any activity involving processing an individual's data. According to Daniel Fluskey, head of policy and research at the IoF, under GDPR charities will need to explain clearly why they are collecting personal data and how they intend to use it. If a charity intends to make any data available to third-party providers, explicit consent will be required.

The GDPR will also clarifies what is meant by "consent". Organisations can send direct marketing/fundraising materials to an individual when they have consent. Under GDPR the standard of what counts as consent is raised from what is required now.

Essentially, according to the guide, to get consent from an individual for direct marketing under the GDPR there must be some form of unambiguous positive action that shows that the person is happy to receive those future communications. That action has to be separate or additional to the act of donating. So, consent means some form of positive ‘opt in’.

However, under "legitimate interest", in certain circumstances, an organisation is able to send direct marketing to an individual without having their prior consent. In order to use legitimate interest, individuals must have had the opportunity to say ‘no’ or object to future direct marketing, which is often done through an ‘opt out’ tick box.

The IoF states that charities must consider whether the individual’s rights and interests override the organisation'slegitimate interests in sending the material.

The GDPR also brings with it an emphasis on users’ right to access their own personal data. Mr Fluskey stated that in simple terms, this means people can make subject access requests at any time to check the data held by organisations and what they do with it.

Individuals can also request the removal of personal data, either if they no longer want the charity to have it or if it is no longer used for the purpose it was collected. Mr Fluskey advises that charities should put a process in place in their private policies.

The IoF advises that a "whole organisation approach" is necessary with a strategy agreed at board level. Organisations will need to have documented processes and procedures in place for using and protecting personal data, with support from an executive level for implementation, monitoring and enforcement in time for May 2018.

The IoF is the professional membership body for UK fundraising. It has over 560 organisational members who raise more than £10 billion in income for good causes every year, and over 6,000 individual members.

Share with Linkedin Share with Twitter

Poor   Average   Good   Excellent