37: Data protection changes to impact how charities fundraise?

In September 2021, the Department for Digital, Culture, Media & Sport (DDCMS) unveiled a new open consultation, titled ‘Data: a new direction’, proposing changes to data protection law in the UK. In this blog we look at what those changes could mean for charities in the context of fundraising.

Background

Data protection compliance is crucial for all stages of fundraising, from collecting supporter data and planning campaigns through to delivering fundraising messages to those supporters.

Charities must be able to demonstrate a lawful basis for obtaining and using personal data, and to be sufficiently transparent with supporters about how their data will be used. Complying with those obligations can be particularly challenging when charities want to research or analyse their supporter base.

Charities engaged in this kind of research or analysis tread a fine line when balancing their legitimate interests in pursuing this kind of fundraising against the privacy interests of current and prospective supporters. This kind of research often relies on using data from third parties, sometimes businesses offering products that analyse data from a wide variety of more-or-less publicly available sources. Charities working with that sort of data face the question of whether re-using data in this way complies with the purpose limitation principle set out in the UK GDPR, and whether data subjects are sufficiently informed about how their data is used.

Compliance does not stop once a charity has collected supporter data and planned a campaign; there are some important additional rules around direct electronic marketing that charities have to comply with. Any messages that promote the work of a charity, whether they solicit donations or not, are treated as marketing by the ICO. If those messages are sent by email or text message, then the charity must have obtained and be able to evidence opt-in consent from the supporter.

 Changes proposed by the consultation

The current consultation contains a handful of proposals that could simplify some of these issues for charities. The consultation proposes to:

• clarify the circumstances in which data can be re-used by a party other than the original data controller . This could help clarify when and how charities can use publicly accessible data for supporter research, for example;
• amend the legal basis most frequently relied upon for prospect research, the ‘legitimate interests’ basis. That legal basis currently requires a balance to be struck between the interests of a data controller and the interests of the individual. That is a difficult thing to do, because it often involves making assumptions about an individual’s expectations and wishes. The government is proposing to remove that balancing test in some situations, including ‘using personal data for internal research and development purposes’. It remains to be seen whether ‘research’ in this context would include research for fundraising; and
• introduce a charity-specific change to the rules on direct marketing by electronic means. At the moment charities require active opt-in consent to send direct marketing materials by email or text message. The proposed change would extend the so-called ‘soft-opt-in’ exemption, which currently only applies to organisations selling goods or services. If this proposal is implemented, it would mean that charities could adopt an opt-out model for email or text message, so long as they are able to satisfy the strict conditions of the soft opt-in exemption.

More broadly, one of the government’s stated aims in the consultation is to reduce compliance burdens. This includes proposals to:

• remove some of the more prescriptive requirements to document compliance;
• create alternative mechanisms for international data transfers;
• clarify the rules on scientific research, which will be relevant for charities engaged in that area; and
• introduce certain limits on the rights of individuals to request access to their data.

What happens next?

No doubt few in the sector will welcome the prospect of further data protection changes so soon after the introduction of the UK GDPR, however, changes are coming and there is an opportunity for the sector to influence them now. The consultation is open for responses until 11.45pm on 19 November 2021 for those who wish to contribute, and there will be further opportunities for engagement during the process of turning the proposals into legislation.