GDPR & Charitable Fundraising: Spotlight on Charitable Trust fundraising

Similar documents
Consent, Opt-In, Legitimate Interest and GDPR

Data Protection Policy

UK Research and Innovation (UKRI) Data Protection Policy

WHO WE ARE Newcastle Theatre Royal Trust Limited manages Newcastle Theatre Royal and City Hall and is a registered charity. We receive no ongoing reve

A Parish Guide to the General Data Protection Regulation (GDPR)

Getting Ready for the GDPR

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

EU GENERAL DATA PROTECTION REGULATION

Regulates the way data controllers process personal data

St Mark s Church of England Academy Data Protection Policy

Data Protection Policy

Breakthrough Data Protection Policy Approved by Lead Organisation: November 2017 Next Review Date: November 2018

Data Protection Policy & Procedures

Data Protection. Policy

General Data Protection Regulation. The changes in data protection law and what this means for your church.

General Optical Council. Data Protection Policy

Breaking the myth How your marketing activities can benefit from the GDPR December 2017

Data Protection Policy

Personal information online code of practice

General Data Protection Regulation

GROUP DATA PROTECTION POLICY

Data Protection Policy

DATA PROTECTION POLICY

//DATA INNOVATION FOR DEVELOPMENT GUIDE DATA INNOVATION RISK ASSESSMENT TOOL

Creating an inclusive volunteering environment

CANDIDATE DATA PROTECTION STANDARDS

TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION

THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER

Guideline Leaflet L13: Data Protection

The Sage quick start guide for businesses

Chairman of the Shell Foundation Board of Trustees 2009

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

General Personal Data Protection Policy

What is GDPR and Should You Care?

EU General Data Protection Regulation (GDPR)

These Guidelines are issued by the Charities Regulator pursuant to section 14(1) of the Charities Act 2009, to encourage and facilitate the better

Quick guide to the employment practices code

Discussion Paper on innovative uses of consumer data by financial institutions

How employers should comply with GDPR

FRSB INVESTIGATION INTO TAG CAMPAIGNS FUNDRAISING ON BEHALF OF MARIE CURIE

SIGBI DATA PROTECTION PROTOCOLS 2018

Data Protection Strategy Version 1.0

Head of Fundraising & Business Development

The advancement of education. Supporting document for charity trustees

Privacy Policy MONAT GLOBAL

This privacy policy (the 'conditions') was last amended in May 2016.

In partnership with. GDPR for marketers: Accountability

Guidance on the General Data Protection Regulation: (1) Getting started

Data Protection Policy

Privacy notices, transparency and control

Data Protection Policy and General Data Protection Regulations (GDPR)

New General Data Protection Regulation - an introduction

Lords Bill Committee on Digital Economy Bill Information Commissioner s briefing

Privacy Policy PURPOSE SCOPE POLICY. Data Collection

GDPR. Guidance on Employee Personal Data

Conducting privacy impact assessments code of practice

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

GENERAL DATA PROTECTION REGULATION: A GUIDE FOR CHARITIES

HKT Financial Services (IA) Limited Privacy Statement

Data Protection Policy

GDPR Webinar 4: Data Protection Impact Assessments

DATA PROTECTION POLICY

Contents. 3 Introduction. 5 Our values 6 Safety 7 Teamwork 8 Respect 9 Integrity 10 Excellence

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

WORLD MEDIA GROUP THE IMPLICATIONS OF GDPR FOR THE ADVERTISING INDUSTRY

1

CLASS(2000)1 November 2000 Secretariat: CLASSIFICATION OF EXPENDITURE PUBLIC AND PRIVATE SECTORS:

6. How to select and appoint an independent examiner

OCTOBER 2016 GROUP CODE OF CONDUCT

ON ARM S LENGTH. 1. Introduction. 2. Background

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

SYSCO CORPORATION SUPPLIER CODE OF CONDUCT

Comments, Complaints & Compliments policy

THE EU GENERAL DATA PROTECTION REGULATION AND INTERNATIONAL AIRLINES SPECIAL UPDATE

The Data Protection Regulation for Europe

National Survey of Third Sector Organisations

General Terms of Jobrapido

Data protection (GDPR) policy

b2bmarketing.net Getting to grips with the GDPR: A B2B marketer s guide

Handbuch Code of Conduct url:consense://produktiv/d Our success is based on satisfied customers

Diversity and Equality Policy

Data protection. The employment practices code

Equality and Diversity Policy

Steps to recruiting volunteers distance learning pack v1 September Steps to recruiting

Code of business conduct

Customer Services Charter

PERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR

Data protection aspects by merging cattle data of various origins

Equality Act 2010: Obtaining Information

Peel District School Board POLICIES AND REGULATIONS Policy 54

SHELL GENERAL BUSINESS PRINCIPLES

The (Scheme) Actuary as a Data Controller

Customer Advocacy. Complaints Management Policy

Automotive Retailing & Distribution - International. Dealer IT, Internet & Business Processes. Briefing No March

Information for registrants. Guidance on social media

Hustings for elections being held in 2017

Social Sector Accreditation Standards Level 4

In partnership with. GDPR for marketers: The essentials

GDPR: Is it just another strict regulation or a great opportunity for operational excellence?

Transcription:

6 GDPR & Charitable Fundraising: Spotlight on Charitable Trust fundraising Produced by: Reviewed by: Introduction The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018 to update the existing data protection framework in the UK. The legislation covers every sector and every organisation, which means that people in different organisations have to think about what personal data they might be processing and put the principles into practice in their area of work. Trust Fundraising Charitable Trust Fundraising refers to the process of asking for support from trusts and foundations that are empowered to make grants for charitable purposes. Technically, a trust is a fiduciary ( in good faith ) relationship whereby a person or persons (trustee/s) hold(s) and manage(s) property for the benefit of one or more others (beneficiaries). A trust s purposes and rules are set out in its governing instruments (normally a trust deed or a Memorandum and Articles or Association where it is a company limited by guarantee). A foundation is, for the purposes of this guidance, synonymous with a trust. Key GDPR questions for Trust fundraisers 1. Am I using personal data? The GDPR applies to personal data, meaning any information relating to a living individual who can be directly or indirectly identified from it this includes name, address, contact details but could also include two or more non-specific pieces of information that when combined could identify specific individuals, including, for example, a combination of gender, birth date, geographic indicator and other descriptors. A fuller definition of personal data can be found at https://ico.org.uk/ Ways that fundraisers may wish to process personal data from charitable trusts include but are not limited to: carrying out external research on individuals such as trustees of a charitable foundation (for example, online or in published directories) to identify those trusts whose objects and policies match the need for which the grant is required. This may include screening them for particular characteristics such as level of wealth or using publically available data about them. making contact with trustees or trust employees to discuss potential applications for funding. storing contact information of trustees or trust employees relevant to your application. submitting an application for funding. 1

follow up communications, including thank you messages and keeping the trust informed of progress with projects. While trusts and foundations are organisations, the employees or trustees at those organisations will have rights in relation to any corporate data which identifies them specifically. Personal data include corporate email addresses and other contact details where they identify individuals (for example name.surname@organisation.org.uk ). So as a fundraiser, you are highly likely to be processing personal data in engaging with a Trust. When processing personal data, you need to consider two key issues: what purposes you wish to process the personal data for; and how you will show that the personal data has been processed lawfully and fairly. 2. What is my lawful basis for contacting a trust employee or trustee using personal data? Where you are promoting your charity to specific individuals, this is likely to fall within the definition of direct marketing, which includes promotion of a charities objectives. Likewise, if you carry out research on individuals within a trust or collect data on those individuals for the purpose of seeking funds at a later date, your activity will involve processing objectives for direct marketing purposes. The full range of lawful bases for processing personal data can be found in Briefing Paper 1. However, as a trust fundraiser, it is likely that you will need to rely on either the individual s affirmative consent or on legitimate interest as a basis to contact a trust employee or trustee. a) Consent Where an individual has given you their contact details with specific consent for you to contact them for a particular purpose, it is likely that consent will be your most appropriate basis for contact. However, in many circumstance you will be approaching a trust contact without a prior introduction, so using consent as a basis to obtain consent lawfully may be impractical (don t forget that even a consent request will require a lawful basis for being sent to an individual). The threshold for consent under GDPR is high; consent must be a freely given, specific, informed and unambiguous indication of the individual s wishes, so you need to check if you can show you have met all of this criterion to be compliant (for example, even if a trust s website states it welcomes enquiries/ applications, this is unlikely to be sufficient to show that consent has been obtained from an individual to use their personal data). b) Legitimate Interest Trust fundraisers who find consent too difficult to obtain may be able to use legitimate interest as a legal basis for marketing activity in many instances, provided they can show their processing is justified following a Legitimate Interest Assessment. Where legitimate interest is your basis for processing, you need to: Show you have considered the individual s interests against your own by doing a Legitimate Interest Assessment (this is likely to be easy to justify if your direct marketing communication is in a professional context see Q4 below) 2

let the individual concerned know that you are processing their data and for what purpose offer them the opportunity to opt out of further communications if they wish to do so. Further information on the 3 step test for legitimate interest can be found in the ICO Guide to GDPR (https://ico.org.uk/for-organisations/guide-to-the-general-data-protectionregulation-gdpr/). When using legitimate Interest, you will usually be able to use a privacy notice to cover how you will process the individual s personal data and how they can opt out, as long as you alert the individual to it in your communication with them. 3. What marketing channels can I use to communicate with trusts and what is the corporate subscriber category under legitimate interest? Sending e-mail or SMS marketing to individual subscribers requires the individual s consent under the Privacy and Electronic Regulations 2003, as soft opt-in won t apply to fundraising. If fundraisers want to rely on legitimate interests for marketing they will normally only be able to contact an individual for direct marketing purposes by post or live phone call (Please note that where a telephone number is registered on the Telephone Preference Service, you must not make live calls to that number unless you have consent to do so). However, when approaching organisations, trust fundraisers may lawfully use emails to send direct marketing communications to corporate subscriber categories of recipient using legitimate interest. The context in which you are approaching the individual is important here in deciding if you are contacting a corporate subscriber under legitimate interest, and therefore able to use electronic channels to market to them: Under PECR, the organisation they work for would need to fall within the corporate subscriber category of organisation. This includes companies as defined by the Companies Act 1985, companies incorporated in pursuance of a royal charter or letters patent, corporations sole, partnerships in Scotland, and any other corporate body or entity (including charities such as foundations and trusts) which is a legal person distinct from its members. The basis of the communication should be relevant to the individual s work within the organisation (as oppose to contacting them in a personal capacity). This is not an explicit requirement of PECR but should be considered as a good practice in ensuring your communication is appropriate in the circumstances. Examples where the corporate subscriber category may apply to a communication include seeking further information from a trust about a grantmaking opportunity. It could also potentially include a fundraising request directed at the organisation, if you can show that the approach is relevant to their work (for example, where your request is in line with the trust s charitable objects or the trust has stated it welcomes applications from fundraisers representing particular causes). However, although you don t need prior consent for a corporate subscriber communication, you must still do a legitimate interest assessment using the 3 step test (see above) and consider the individual s reasonable expectations. For example, it would be difficult to show you had a legitimate interest in the use of personal data to contact an individual via their corporate email address without prior consent to ask them to support your charity in a personal capacity, for example to make 3

a personal donation. Nor would it be appropriate to use the corporate subscriber category to contact an individual where your marketing has no relevance to the work of the organisation (a test question here might be: Would the individual reasonably expect thiscommunication given the work that the organisation does? ). Although you don t need prior consent for a corporate subscriber communication, you need to remember that individual representatives of the company will still have a right to ask you to stop using their personal contact details or sending marketing to their personal work email address. Under PECR, you need to give the individual your identity and contact details in order for them to be able to request to stop marketing where they wish to. In the case that you receive such a request, you must comply with their request. What else do I need to think about? Holding personal data In the course of engaging with trusts, you may wish to store the personal data of an employee or trustee contact for a range of purposes beyond the initial application, including contacting them about future fundraising events. If you wish to do this, you need to make sure that that individual knows that you are holding their personal data and the purposes for which you are keeping those data, seeking their consent for processing their data or relying on your organisation s legitimate interest. They should also be given the opportunity to object to it being processed for any of the purposes you have outlined. Where you are using legitimate interest, it s important to be as clear as possible in your initial privacy statement to the individual about all of the purposes you envisage using their data for. Personal data must only be kept as long as necessary to fulfil the purpose for which they were processed. Once that purpose expires, you must either delete the individual s data or go back to the individual to let them know that your processing purpose has changed, and how. Make sure you are clear on: what personal data you are holding on what lawful basis you are holding it whether the purpose you have been processing it for still applies and if so how you will keep the data accurate and up to date. Processing special categories data Any personal data for individuals that is classed as special category will need explicit consent from that person to be processed (or another lawful basis if available). Special category data includes, but is not restricted to, racial or ethnic origin information, political and religious beliefs, as well as any physical or mental health condition. Using publically available data You may wish to process personal data found in the public domain for fundraising purposes (for example, looking at publicly available information about the trustees of a grant-making organisation to find out more about their interests and projects/causes that they are likely to fund). When doing this, it is important that fair processing information is given. Consideration should also be given as to how much within someone s reasonable expectations the processing of publicly available information is for example, the difference between reviewing the description of an employee on a company website and someone s personal Facebook account. 4

Fundraisers are likely to use legitimate interest as a basis for research using publically available information, but you cannot assume just because it is publically available that it can be used unconditionally. You will need to consider the context and reasonable expectations of the individual, ensuring that your own legitimate interest of processing this information is not overridden by the individual s interests and privacy rights. Their reasonable expectations are likely to vary depending on the type of data in the public domain and the context for which it was originally published. You will also need, at an early and appropriate time, to inform the individual that their information has been used in this way (for example, by providing them with your privacy policy) and offer them the opportunity to object to your use of their data in this way. See Q2 for further information on using legitimate interest. Where the legitimate interest of processing this information is overridden by the individual s privacy rights, consent (or another lawful basis) will be necessary. The easiest way to inform people is through providing your organisation s privacy notice to them see the ICO s Privacy Notice Code of Practice for guidance. Key references to GDPR and signposting: ICO Guide to GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ Direct Marketing Guidance: https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf Privacy Impact Assessment Code of Practice: https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf Fundraising Regulator Code of Fundraising Practice https://www.fundraisingregulator.org.uk/code-of-fundraising-practice/code-of-fundraisingpractice Personal Information & Fundraising - Consent, Purpose and Transparency: https://www.fundraisingregulator.org.uk/information-registration-for-fundraisers/guidance/ personal-information-fundraising-consent-purpose-transparency/ IoF GDPR: The Essentials for Fundraising Organisations https://www.institute-of-fundraising.org.uk/library/gdpr-the-essentials-for-fundraisingorganisations/ GDPR - 10 step action plan: https://www.institute-of-fundraising.org.uk/library/iof-gdpr-10-step-action-plan/ GDPR - focus on direct marketing: https://www.institute-of-fundraising.org.uk/library/gdpr-focus-on-direct-marketing/ Supported by: 5

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback