TRANSCRIPT
Fundraising and Regulatory Compliance
How does the Fundraising Regulator’s new Guidance affect you?
What practical steps should you take now?
1 hour
9th March 2017
Gary Shipsey | Managing Director
“…in such a way that respects the fundamental privacy rights of each and every one of your donors, your supporters, and your volunteers.”
“The DPA does not stop you from doing your jobs… Find a way to excel within boundaries of the rules.”
“Change comes from the top. Data Protection is a matter for the Board room… You are accountable.”
“Trust is a cornerstone of success… trust also builds reputation. Both can be easily lost when people discover you haven’t been completely transparent about how you’re using their information.”
Insights
£250,000 / £25,000
£180,000 / £18,000
Data Sharing (Reciprocate) | Wealth screening | Data and Tele-matching
…responsible for, and be able to demonstrate, compliance with the principles [Art. 5(2)]
Data Protection Fundraising Surgery
Waldo Williams 1, Friends House, Euston Road, London NW1 2BJ
Wednesday 22nd March | open 09:00 - 17:00
020 3691 5731 | @protectureDPO | www.protecture.org.uk
• 16 x 20 minute slots available across the day.
• Appointment times will be allocated on a first-come-first-served basis.
• 20 x free privacy notice / policy reviews.
To book a slot call Jon Moger on 020 3691 5731.
DPA: “…obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”
GDPR: “…collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…”
A. Purpose
Direct Marketing
“…communication (by whatever means) …of any advertising or marketing material …which is directed to particular individuals”.
“All promotional material… including material promoting the aims [and ideals] of NfPs… will apply to the promotional, campaigning and fundraising activities of [charities / NfPs]. …any messages which include some marketing elements, even if that is not their main purpose.”
NOT Direct Marketing
1. Admin (payments & transactions)
2. HMRC Gift Aid
3. Management of staff / volunteers
4. Provision of services / membership
5. Market research
6. Suppression
We would like to keep you informed about our work, how you could help fund it, our lottery, shop, our volunteering opportunities and other useful information.
Emails [ ] Calls [ ] Text [ ] Post [ ]
Direct Marketing
• eCommerce and Trading
• Supporter Acquisition
• Supporter Development
• Membership
• Payroll Giving
• Weekly Lottery
• Cash Appeals
• Raffles
• Regular Giving
• Trusts and Statutory
• Philanthropy
• Corporate Partnership
• Gifts in Wills
• Events
• Legacy
Mobile
• Text to donate / text broadcast
• Donating regularly via phone bill
• SMS campaign to gain new supporters and raise awareness
Community and Events
• Event fundraising
• Community fundraising
• Third party events
• Volunteers
• Own events
Fundraising and Resources Team
• Analysis / Modelling
• Segmentation
• Wealth screening (profiling / prospecting)
Is each proposed Direct Marketing activity…

1. …distinctly different to other activities?
Meaning that: you believe each activity is a different purpose.
Meaning that: an individual should be asked to provide separate consent for you to use their personal information for each different purpose.
Example: “Fundraising events” and “Campaigning” are distinctly different: consent should be sought for each of the two purposes.

2. …sufficiently similar to each other?
Meaning that: you believe you can explain and justify why the activities should be covered by a single purpose.
Meaning that: an individual is asked to consent for that purpose – and you would use their personal information for all the related activities.
Example: “Fundraising events” might be regarded as a purpose covering activities such as the annual dance and quarterly runs. Sufficiently similar: consent for “Fundraising events” would enable the use of the personal information for all related fundraising event activities.
Recital 43: “…not… freely given, if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case…”
Recital 32: “When the processing has multiple purposes, consent should be given for all of them.”
A. Purpose linked to B. Consent (Lawfulness)
B. Lawfulness
Linked to individual rights, e.g. can someone:
• withdraw their consent?
• object?
• insist on erasure?
Document the lawful basis for each purpose.
Consent | Legitimate interests | Legal requirements
Dear HR / payroll…
I withdraw my consent to your processing of my data. It causes me significant distress, especially your sharing it with HMRC, leading to removal of cash from my salary.
Consent | Legitimate interests | Legal requirements
“Agreement” = “opt-in” = Consent
Directive 95/46/EC: “freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
“The DPA implements European legislation (Directive 95/46/EC) aimed at the protection of the individual’s fundamental right to the protection of personal data. The DPA must be applied so as to give effect to that Directive.” (para 7)
“Consent must be freely given, specific and informed, and involve a positive indication signifying the data subject’s agreement” (para 21)
@ (email) / SMS: “consent for electronic marketing messages is more tightly defined than in other contexts, and must be extremely clear and specific.”
Art 4(11): “any freely given, specific, informed and unambiguous indication of [their] wishes… [either] by a statement or by a clear affirmative action”
Art 6(1)(a): “…given consent to the processing… for one or more specific purposes”
Recital 32: “…including by electronic means, or an oral statement… ticking a box when visiting an internet website… choosing technical settings… or another statement or conduct which clearly indicates… acceptance… Silence, pre-ticked boxes or inactivity should not therefore constitute consent”
Art 7(3): “…the right to withdraw [their] consent at any time. [This] shall not affect the lawfulness of processing based on consent before its withdrawal.”
Art 7(1): “…[you] shall be able to demonstrate that [they] consented”
Recital 42: “…should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”
First Name | Surname
Address
Postcode | Phone*
*As part of [charity] we’d love to call you, to tell you about the amazing difference you have made and how you can donate and [save more lives]. Please only give us your number if you’re happy for us to contact you in this way.
How could you seek consent?
Should we seek updated consent?
GDPR: consent held at the time the GDPR becomes law will only remain valid if:
• it already meets the standard of consent defined in the Directive
+
• the “consent requests” already met the conditions of the GDPR (e.g. silence, pre-ticked boxes or inactivity were not used to obtain the consent).
Assess the standard of consent currently used to send Direct Marketing. You may need to contact individuals where the current consent is not at the Directive standard of consent.
Note: you need consent to seek updated consent…
You should assess the standard of consent currently held to identify the methods (channels) you believe you could use to make an admin communication about Direct Marketing.
Why? The act of sending an admin communication about Direct Marketing requires the “processing” of personal information “for the purposes of direct marketing”. You need some form of consent in order to send admin communications about Direct Marketing via the channels that require consent, e.g. email, text.
How long does consent last?
PECR: “consents for the time being”
ICO Direct Marketing guidance:
• “consent lasts as long as circumstances remain the same, and will expire if there is a significant change in circumstances.” (para 63)
• “‘for the time being’. We consider this implies a period of continuity and stability, and that any significant change in circumstances is likely to mean that consent comes to an end.” (para 99)
Can we use soft opt-in?
“NfP organisations might be able to use the soft opt-in for any commercial products or services they offer…
• [they] will not be able to rely on [it] when sending campaigning texts or emails, even to existing supporters.
• …texts or emails promoting the aims or ideals of an organisation can only be sent with specific consent.” (Para 50, 131-138)
Soft opt-in conditions:
• Obtained during the sale (or negotiations) of a product or service;
+
• Will only then market your own similar products or services;
+
• They can refuse or opt out – at the point of collecting the data and in subsequent messages.
“opt-out” = “Objection” = Right to object to direct marketing
“We will not be relying on your explicit consent or prior consent…” = “We will instead rely on you exercising your right to object…”
Screen against: previous objections + TPS
Object = “opt-out”
Consent: n/a | Legitimate interests
Legitimate interests
DPA Schedule 2, Condition 6: “…necessary for the purposes of legitimate interests pursued by [you]… [except where] unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”
GDPR Art 6(1)(f): “…necessary for the purposes of [your] legitimate interests… except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…”
Fundraising Code of Practice, 1.2 General Principles f)
“Organisations MUST NOT engage in fundraising which:
• Is an unreasonable intrusion on a person’s privacy;
• Is unreasonably persistent; or
• Places undue pressure on a person to donate”.
Reasonable expectations of individuals… based on their current or proposed relationship with you:
• Why they would reasonably expect the use of their personal information without their consent
• Why their rights and freedoms are not going to be unduly harmed…
  o measures you will take to manage objections;
  o the nature of Direct Marketing you will send them;
  o frequency of Direct Marketing sent on this basis.
C. Fairness / Transparency
Q: Is there any difference between getting consent and being transparent?
Yes: “…fundamental difference between telling a person how you’re going to use their personal information and getting their consent [to do it].”
“We won’t share your details with other charities for marketing purposes. If that’s not OK, please tick the box.”
“…ought to reasonably have known that data subjects would be unlikely to infer from those terms that their personal data would be processed for the purposes of wealth screening” (para 40 BHF / para 47 RSPCA)
A. the identity of the data controller,
B. if he has nominated a representative for the purposes of this Act, the identity of that representative,
C. the purpose or purposes for which the data are intended to be processed, and
D. any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
Tell them… Directly / Indirectly
• House-style language
• Just-in-time notices
• Many notices, at appropriate times
• Mobile-responsive website
• Understanding individuals’ reasonable expectations
Art 7(2): “The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”
Subject Access (Recital 63: “to be aware of, and verify, the lawfulness of the processing.”)
• Free
• One month
Right to object (Art. 21)
• Processing for direct marketing
• Processing based on legitimate interests
“…you need to make sure you’re following the law as it stands – which is a blueprint for responsible data practices. Shine your own light on your services and projects. Demonstrate to customers how you’re following the law. And then stand ready to demonstrate your program to my office.”
Elizabeth Denham, Information Commissioner, September 2016
We’ve always done it this way
What the future of fundraising is not
Newsletters
Fifty Shades of Screening?
Fundraising and Regulatory Compliance
• Insights
• Events
• Services
1. Independent audit: we review your current privacy statements and policies.
2. Onsite training: tailored for fundraisers.
3. Seminars: guaranteed entry to our events.
4. Helpline: expert data protection officer guidance and regular updates.
5. Supplier audit: ensure that you remain compliant whoever you work with.
Subscribing provides you with the tools required to continue supporting your beneficiaries in these times of unprecedented scrutiny, change and opportunity.
Make informed decisions.
Ensure Trustees, donors and the public trust your handling of personal information.
Prepare for the GDPR changes.