It has been over two years since the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into effect. In the midst of Covid-19, charities will be communicating more frequently with their donors online through direct marketing as they look to raise money for their respective cause(s). Charities using direct marketing should review their compliance with the GDPR and the Data Protection Act 2018 to avoid any nasty surprises from the Information Commissioner’s Office (ICO).
Who is the ICO?
The ICO is the UK’s independent regulator for data protection. It is responsible for upholding information rights in the public interest, i.e. it acts as a “watchdog” for compliance with the GDPR and the Data Protection Act 2018.
The ICO has used its enforcement powers against charities in the past, with the most notable enforcement action being in 2017 – when eleven separate charities were found to have breached the Data Protection Act 1998 and were fined a collective total of £138,000. The charities were found to have misused donors’ personal data through activities such as data sharing, wealth screening and data matching. Despite the enforcement action being under the old 1998 Data Protection Act, the principle of needing to comply with data protection laws should be heeded.
Does the Data Protection Act 2018 apply to a charity?
The short answer is yes: a charity will be processing and/or controlling ‘personal data’ (as defined under the Data Protection Act 2018) about its donors, staff and volunteers.
The Data Protection Act 2018 defines ‘personal data’ as any information relating to an identified or identifiable living individual (e.g. a donor or an employee), that is, someone who can be identified, directly or indirectly, by reference to an identifier such as a name, an address, an email address or an online identifier.
Key Data Protection Act 2018 definitions to note:
- A ‘controller’ – is the person or organisation which, alone or jointly with others, determines the purposes and means of processing personal data. Typically, this will be the charity itself.
- A ‘processor’ – is distinguishable from a controller, as being any person or organisation, other than an employee of the controller, which processes personal data on behalf of a controller. Typically, this will include any marketing companies or database providers that charities engage.
What should a charity do to comply with the GDPR?
Even where your charity has a lawful basis for processing personal data, the length of time the data is retained needs to be carefully considered. Personal data should be kept for no longer than is necessary for the purpose it was collected for, so retention periods should be set and reviewed separately for each category of data collected (e.g. donor records, Gift Aid declarations, volunteer records), rather than applying a single blanket period to all personal data held.
Where a charity is a controller and has outsourced the processing of personal data to a third party, such as the management of the charity’s donor database or the charity’s marketing activities, the charity must impose contractual obligations on that processor in order to safeguard the personal data being processed and to ensure that the third party complies with its own data protection obligations. This is not optional: Article 28 GDPR requires controllers to have a written contract in place with each processor containing certain mandatory terms, and the charity remains responsible for the processor’s handling of the data.
Proper data protection training and management for staff and volunteers is essential in order to ensure that the personal data collected is processed and controlled in line with the legislation, as volunteers are often the people handling donor details in practice.
Charities relying on direct marketing approaches (such as emails, SMS, fax, telephone and automated calling systems) in order to promote their aims, ideals or campaigns will generally need to obtain prior consent from donors; the electronic marketing rules in the Privacy and Electronic Communications Regulations (PECR) apply alongside the GDPR. When collecting direct marketing consents, the charity must ensure that consent is freely given, specific, informed and unambiguous, and given by a clear affirmative action (a pre-ticked box or silence does not count). The charity should keep a record of when and how each consent was obtained, and it must be as easy for the individual to withdraw consent (‘opt out’) as it was to give it.
How can Nelsons help?
At Nelsons, we can help charities understand their flow of personal data and areas of risk under GDPR and the Data Protection Act 2018, along with ensuring that the appropriate data protection policy safeguards and data processing agreements are in place.