On the 5th of April, the ICO fined 11 charities a total of £126,000 for breaking current data protection legislation. Some were fined because they ‘screened’ the subjects to target them for additional funds, some had pieced together data from different sources including lapsed donors and then traded this information with other organisations. After May 25th 2018 this fine might be £180 million!
As fundraisers, charities understand all too well the value and importance of lists. A core principle of the GDPR is the justification for processing personal information. There are two basic grounds for processing – the personal data is processed pursuant to a contract or delivery of a service, or consent has been given for the processing. The current PECR legislation allows for a so called ‘soft opt-in’ – in this context, a person who makes a donation could be seen to ‘opt-in’ in this way. Marketing communications that are sent under soft opt-in consent should always have a simple opt-out link or instruction.
Under the GDPR there is no provision for soft opt-in consent – there must be a clear and active act of giving consent (e.g. via ticking a box on a webform – not pre-ticked). Furthermore, at the point that consent is given, there must a be a clear and simple description of the purpose for which the data will be used.
A very important part of the introduction of the GDPR in an organisation is the management of consent for data that already exists within the organisation. The ICO has ruled that data that has been collected and consent has been given in a way that would comply with the GDPR (and this can be evidenced as it would need to be under the GDPR) then fresh consent will not be required. Where this is not the case consent must be obtained and this must be in line with the new rules.
A word of caution – organisations need to approach the exercise of gaining new consent carefully. You CANNOT simply email everyone that you have details for and ask them if it is OK to be on your list unless you are able to do so within the current legislation. Getting consent to be on a marketing list is classified as a marketing exercise so needs to comply with the rules. Flybe and Honda were fined a total of £83,000 after falling foul of the current legislation whilst trying to get consent under the GDPR rules.
So, in conclusion – if you don’t have clear consent to send marketing emails, don’t send them. A charitable aim is not justification and the ICO has made it very clear that charities will need to fully comply.