Gary Shipsey , managing director at Protecture, talks about the links between data protection and the Charity Commission’s statement of strategic intent.
The Charity Commission’s Statement of Strategic Intent 2018-2023 noted that charities should demonstrate “more than just compliance with the minimum legal requirements” and that “charitable aims cannot justify uncharitable means.”
The intense scrutiny of personal data and fundraising practice puts this into sharp focus: data protection is based on principles; these often open to interpretation.
As CEO, you can influence how your charity applies the principles in practice. And when it comes to handling personal data, charities have a unique opportunity to embrace their position in society and work to the principles of the Commission’s new Strategy.
1. Privacy information
You may have updated your online privacy policy with the extra detail required by the GDPR. But you have a unique audience. You may engage with thousands online or have service users engaging with paper forms and face-to-face meetings.
The GDPR says you must recognise this when it comes to transparency; you must provide privacy information in “…a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
A longer privacy policy cannot meet the full requirements of the GDPR alone. How you engage with your stakeholders, and whether they feel truly informed, is what can set charities apart and enhance your reputation.
Ask yourself
• Are your different stakeholders likely to see your privacy policy?
• Would they understand it?
• Have you taken account of your different stakeholders and used the language and tone of your other communications to explain privacy information to them?
• Could you explain why certain information is found in your privacy notices, and why you decided other information should only be found in your privacy policy?
Action
Develop a Privacy Information Strategy. This should define your rationale for
• The methods you use to provide privacy information to different stakeholders;
• What privacy information you provide at points of data collection, i.e. your privacy notices,
• What privacy information you provide elsewhere, e.g. your privacy policy.
2. Giving genuine choice over how data is used
Regular giving. Playing a lottery. Running a marathon. Responding to appeals. Buying products. Attending events. Volunteering. There are many ways to foster a relationship between supporters and your cause.
Promoting such activities is critical. But does one “big bucket” option, such as “we would like to keep you up to date with our fundraising and how you can help us” provide genuine choice and control to a supporter over how you will use their data?
CEOs should consider the alternatives, such as a plan for how and when you introduce a supporter to other activities following their initial interest and engagement with you. Their consent at each point will be specific and informed.
There is a risk that forcing someone to agree to “all or nothing” may invalidate any consent, meaning you need to complete a costly re-permissioning exercise.
The degree of choice you provide indicates a commitment to empowering individuals when it comes to your use of their personal data, and your belief that this will result in more useful personal data for your charity.
Ask yourself
• Do you give people genuine choice over how their data will be used?
• Does your current approach deliver genuine insight into what they want from their relationship with you?
Action
Review the degree of choice provided to individuals when collecting their personal data.
Document:
• The rationale for your approach, or
• Your plan for providing more choice to empower your stakeholders.
3. Getting consent before sending direct marketing via post
The confusion and debate around “opt-in” and “opt-out” is finally coming to an end.“Opt-in” means consent; there is no such thing as “opt-out” consent.
Giving someone the chance to “opt-out” means you will use their personal data for direct marketing without their consent and unless and until they use their right to object.
This approach is possible for direct marketing sent via post, because you can (in most cases) rely on your legitimate interests rather than seeking their consent.
Obtaining consent before sending direct marketing via any channel reflects an approach that values engaging with people who have made a connection with you and have actively demonstrated their agreement to receive your material.
Ask yourself
• Even if it is compliant, should your charity be sending Direct Marketing via post to donors and supporters without their consent?
• Does this approach reflect your charity’s ethos and audience?
• Does it achieve value for money?
Action
Consult your key stakeholders for their views on your approach to direct marketing via post. Review whether you should move to a consent-based approach.
Protecture is hosting a free to attend event for all ACEVO members, for more details and to book your space please see http://www.protecture.org.uk/acevo or email acevo@protecture.org.uk
Protecture provide data protection support services. We can support you in meeting the Commission’s Strategy with you handling of personal data. Please call 020 2391 5731 or email acevo@protecture.org.uk to learn more.
