GDPR for charities
In the previous part of this series we saw what language you’ll need to use for your privacy notices. Next we’ll look at the conditions for processing the data you have on your data subjects.
Conditions for processing data
There are six main conditions that are available to you when you are processing data. They are:
- To fulfil a contract
- Due to a legal obligation
- To protect a vital interest of a party or entity
- Official, public interest or administration of justice requirement
- The data is obtained with the appropriate level of consent
- The data is processed to satisfy a legitimate interest
The list is not a tick-box exercise: as a data controller or processor, you need to satisfy at least one of these conditions to ensure you don’t fall foul of the GDPR.
Processing data to fulfil a contract:
In fundraising, it is unlikely that there will be any kind of binding contract between the fundraiser and the donor or prospective donor (data subject). You might have something approaching a contract for organised sponsored events (especially ones with health and safety implications), but the only necessary processing would be to make that contract work. You wouldn’t be able to make marketing a requirement of the contract, or assume that you can send marketing because the person signed the contract.
Processing data due to a legal obligation:
Apart from the obvious laws (AML, Terrorism Act etc.), it is unlikely that there is a law that requires you to do any fundraising or activities associated with fundraising. However, if there is a provision in the law which requires you to process data, then you can do so as long as you are able to justify that the data was processed to satisfy a legal obligation.
Processing data to protect vital interests:
No, we are not talking about the vital interest of your charity; we are talking about the vital interest of the data subject or another person. Therefore, this condition applies only where someone is at immediate risk of death (it has been argued that vital interests might cover serious physical risk, but the GDPR suggests that it applies only to life-or-death situations).
Processing data for official, public interest or for the administration of justice:
This is a long and rather detailed GDPR condition which is outlined rather well in the GDPR and also the ICO’s guidelines. For this condition to apply, you need to identify a specific law or source of official authority. This does create a problem for organisations like universities (publicly funded) and public bodies as the use of the legitimate interest condition is not allowed for public bodies.
Processing data with consent:
The GDPR has a clear definition of consent. It defines consent as “any freely given specific and informed indication of a data subject’s wishes by which the data subject signifies their agreement to personal data relating to them being processed”.
What does freely given mean? This means that the data subject must be given a free choice in the first place, and they must be able to change their minds at any time. You are not allowed to trick someone into giving consent and when they tell you to stop, you must stop.
What does specific consent mean? It means that the processing the data subjects are agreeing to must be clear. For example, you must specify what marketing they are going to receive, who it will be from, and so on. Asking someone to agree to their details being shared with “carefully selected third parties” isn’t specific. You’ll need to specify (or provide on request) a detailed list of third parties. If you want to conduct wealth screening with consent, asking the data subject to agree to ‘fundraising purposes’ isn’t specific enough.
What does informed mean? In its simplest terms, the data subject should understand how their data is going to be used; if they don’t, the consent is not valid. You have to spell out what they are agreeing to, in language that they understand and targeted to the age you expect them to be. The last point is not a must, but if challenged, you should be able to prove that you have catered to the lowest common denominator of your data subjects’ expected level of cognition. You cannot bury the purpose in terms and conditions that the person might not read. The language should be clear and unambiguous.
The burning question: can consent be opt-out rather than opt-in?
A common question we always get, be it when we are writing training material or when we are consulting, is: can my consent be opt-out (as it currently is), or does it need to be opt-in?
Well, there are many people who will argue that opt-out is a perfectly reasonable way of obtaining consent. Even though the ICO’s current guidelines seem to support this, you must pay attention to what the guidelines actually say. They say:
The most certain way to get consent is a tick box, a box to place a signature, or something else that allows the subject to say ‘yes’. However, as the ICO notes, there are other methods. If a person fills in their name and address in a form clearly designed to send out a brochure, you can reasonably infer consent to send them the brochure.
Remember, there is no “assumed consent” anymore. Similarly, you cannot force consent on a data subject. For example, you can’t say that ‘by doing X, you consent to us doing Y’. X and Y must be inherently linked and clearly outlined to the data subject. Furthermore, post (snail mail) is your friend, as sending out an email or any other form of digital communication asking for consent is itself considered marketing – even if you are only asking for consent.
Satisfy a legitimate interest:
The alternative to consent is legitimate interests. The full text of the condition is as follows: “The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”. To satisfy this condition, you must have a legitimate interest in processing the data and also be able to prove that there is a legitimate (business or otherwise) interest. For a charity, this is an easy condition to satisfy. However, tempting as it may be, this is not a replacement for consent but rather a way of strengthening your consent condition.
(to be continued)
Here’s where we can help:
Totale Learning create bespoke GDPR solutions (consultation, training and development, etc.) that are tailor-made to your business. Our experienced consultants will help you through your GDPR process and, when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at firstname.lastname@example.org or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.