Charities rely on data as the bedrock for fundraising activities. Using personal data to make and maintain contact with supporters promotes regular donations, or rapid donations in response to emergencies. Full and accurate sets of personal data also allow improved targeting of resources to meet beneficiaries' needs. However, with data comes responsibility, and like all organisations that control or process personal data, charities have until 25 May 2018 to ensure compliance with the EU's new General Data Protection Regulation (GDPR).
What are the key issues for charities? What must you do to prepare?
Consent and direct fundraising campaigns
Consent lies at the heart of the GDPR's data protection regime. In successive drafts, the key definitions have undergone significant changes, in the process creating significant uncertainty for organisations that rely on any form of direct or targeted marketing.
For charities, a key question is: Can an individual's consent to the processing of their personal data be obtained on an "opt-out" basis rather than through a potentially more onerous opt-in approach?
In what now seems to be the final form of the GDPR the data subject's "consent" means:
any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
In a change from earlier drafts, the definition uses the word "unambiguous" instead of "explicit". However, that omission does not provide much comfort to charities or other organisations who might wish to apply an "opt out" approach – for example, by having a pre-ticked box on a website to signify consent unless it is specifically unchecked.
Recital (32) amplifies and seeks to explain the meaning of "consent". While acknowledging that positively ticking a box might sufficiently demonstrate the data subject's agreement, it goes on to say:
Silence, pre-ticked boxes or inactivity should not … constitute consent.
This reflects the requirement for consent to be both "unambiguous" and signified by a statement or by a "clear affirmative action". Simply leaving a pre-ticked box might be the result of inadvertence rather than positive choice, and so even if accompanied by wording that is "unambiguous" there is a risk that simply leaving the pre-ticked box might not be regarded as an "affirmative action".
Consent must be specific
The GDPR also rules out any form of blanket consent covering current or future data processing. Consent must be specific to each data processing operation. To meet that requirement, Article 7 provides that a request for consent to data processing must be "clearly distinguishable" from any other matters in a written document, and it must be provided "in an intelligible and easily accessible form, using clear and plain language."
Consent relating to children
Article 8 introduces specific protections for children by limiting their ability to consent to data processing without parental authorisation. The final draft of the GDPR opted for the age of consent to be set at 16 years, but allows member states to set a lower age not below 13 years.
Data controllers must obtain the consent of a parent or guardian when processing the personal data of a child. They must also make "reasonable efforts" to verify that a parent or guardian has provided the appropriate consent.
Consent may be withdrawn
Obtaining consent is not the end of the matter. Article 7(3) gives data subjects the right to withdraw consent at any time and requires that it should "be as easy to withdraw consent as to give it". Once consent is withdrawn, data subjects have a qualified right to have their personal data erased and no longer used for processing.
The era of "big data" and sophisticated analytics creates enormous opportunities for charities, allowing campaigns to be specifically targeted and tailored to the most likely donors based on their interests, concerns, preferences or characteristics. The GDPR does not prevent such campaigns, but it does impose enhanced consent requirements where they are driven by "profiling".
"Profiling" is any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.
For direct marketing, the key points of concern arise where personal data is processed using automated means (such as algorithms) to analyse "personal preferences or interests". Crucially, "profiling" requires more than just tracking or monitoring. The GDPR definition, read with Recital (24), suggests that "monitoring" becomes "profiling" only where there is an intention to take decisions regarding a data subject or predict the subject's behaviours and preferences.
Where profiling does take place, enhanced information and consent requirements apply. Article 13 provides that the controller must inform a data subject at the time data is collected not only of the fact that profiling will occur, but also of "the logic involved" and "the envisaged consequences of such processing." Under Article 14, where data is obtained from a third party, a controller may also be required to provide such information.
Explicit consent is required for profiling, unless it is:
- necessary for entering into, or the performance of, a contract between the data subject and a data controller; or
- authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests.
The requirement for consent to be "explicit" is also found in the enhanced protection afforded by Article 9 to special categories of personal data. The relevant test may well be derived from the law and practice developed under Directive 95/46/EC, where a person asked to agree or disagree with a particular use or disclosure of their personal information had to respond actively to the question, orally or in writing. Given the apparently slim distinction between "explicit" consent and "clear affirmative action" it is likely that, in practice, the validity of consent to profiling will be judged largely by reference to the clarity and prominence of the information and statements explaining that profiling will occur, and how it will be done.
A further point of concern for charities stems from the interaction of the rules on profiling, and the Article 9 protection for "special categories" of personal data. Profiling must not be based on special categories of personal data (e.g. racial, ethnic, or religious information) unless
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where prohibited by Union law or member state law; or
- processing is necessary for reasons of substantial public interest, on the basis of Union or member state law.
In any event, the controller must still ensure that "suitable measures to safeguard the data subject's rights and freedoms and legitimate interests" are in place.
Sanctions and compensation
The GDPR includes tough penalties for infringement, with maximum penalties of 4% annual global turnover or up to €20m (whichever is higher). It also provides for payment of compensation which, taken together with the risk of administrative penalties or penalties for breach, make the GDPR a significantly more rigorous and far-reaching regime than its predecessor.
Crucially, outsourcing data processing to an external organisation will not shield a charity from potential liability. Under Article 82(2):
"Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller."
Assuming that the charity is the data controller, it may be able to recover sums from an external processor, but only where it has "paid full compensation for the damage suffered". In those circumstances,
"that controller … shall be entitled to claim back from the … processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage."
Recovery therefore requires the controller not only to have already paid out compensation, but also to establish the precise extent of the external processor's responsibility. Even after meeting those tests, a claim for recovery will only be as good as the processor's financial strength allows. Consequently, any charity considering outsourcing its data processing must look carefully at the processor's covenant strength and levels of insurance cover.
The clock is ticking
The GDPR comes into force on 25 May 2018, by which time full compliance measures and procedures must be in place. This includes:
- policies and procedures for privacy impact assessments
- policies and procedures for notifying and dealing with data breaches
- policies and procedures to ensure that any activities involving the processing of personal data reflect and embody the principles of data protection "by design" and "by default"
For existing charities, preparation for the GDPR involves a full end-to-end review of their processes and procedures, including (crucially) the role of personal data in marketing and fundraising campaigns. In view of the GDPR's requirements for consent, websites and social media channels are likely to require a thorough review and, in many cases, a shift from "opt-out" to "opt-in".
For new charities, the requirement for data protection "by design" and "by default" means that GDPR compliance must be a core element of the start-up checklist. It cannot be left to a later date – not least because the much tougher sanctions and compensation provisions of the GDPR might pale into insignificance compared with the potentially fatal reputational damage that can flow from a data breach. Charitable giving is always discretionary, and may well be particularly vulnerable to adverse publicity.
The key message? Seek expert help and guidance now, and ensure that you can use the power of "big data" to boost your fundraising and activities in the future.