IoF responds to Regulator’s draft data protection code

‘First take’ on the Fundraising Regulator’s recently released consultation on data protection highlights good points and those that need thinking about

Austin Clark | 11th Oct 17
Data breach

The Institute of Fundraising (IoF) has published its ‘first take’ on the Fundraising Regulator’s recently released consultation on data protection.

Writing in a news post, Daniel Fluskey, Head of Policy and Research at the IoF, has outlined the areas he expects to be broadly welcomed by the fundraising profession and those where he has concerns.

Among the welcomed aspects are:

  • Introducing new requirements in the Code so that everyone is clear on what their responsibilities will be from 25 May 2018 is a good thing. Fundraisers do need to know about and have reassurance on the key aspects of GDPR that will impact on their work to ensure that all fundraising is compliant in the processing of personal data.
  • Changing and renaming sections of the Code – this seems like a pretty sensible idea to me. Under the changes proposed, we’d now have one section which is about the legal aspects of ‘if/how’ you can communicate with donors (all the GDPR stuff), and then one section that deals with the content of those communications which should make things more simple and clear.
  • The inclusion of both ‘consent’ and ‘legitimate interest’ as valid grounds for processing personal data for fundraising purposes (and specifically for direct marketing). The emphasis on organisations needing a ‘lawful basis’ is correct, and the subsequent summaries of what is needed for consent and legitimate interest to be valid seem clear.

However, questions need to be addressed around the following points:

  • It’s proposed that organisations MUST ‘keep up to date with and have regard to relevant guidance from ICO’. It would be useful to know what ‘have regard to’ means – is that the same as ‘follow the guidance’? Would charities be in breach of the Code if they could show that they were up to date and had ‘regard to’ the guidance, but chose a different approach which they thought was legally compliant? It’s really important that the standards are clear and charities know exactly what is expected of them.
  • Further clarification and explanation on proposal 5.5.7 that ‘organisations MUST* explain how their contact data was obtained and what their legitimate interest is (why the charity thinks that the individual might be of interest in its cause or its work)’ is needed.

“To explain and recount a whole legitimate interest balancing exercise in a communication would be disproportionate and clunky, potentially disrupting an engaging fundraising communication and existing relationship with an individual,” Fluskey commented.

“But, something which said ‘as a previous supporter of charity xxx we thought you’d like to hear more about our work’ could potentially work. We need to know more about what this change means, what would count as a sufficient ‘explanation’, what form that should take, or where/how it should appear.

“We also need to be mindful of how burdensome and proportionate it is to be able to provide this on an individual basis for every piece of communication that is intended to be sent and be really clear on what it is expected that charities should do. Some accompanying examples or guidance would be helpful to understand better what this proposed change requires in practice.”


Shift of goalposts

Fluskey goes on to say that there is also a significant change proposed on how fundraisers work with the Mailing Preference Service (MPS).

“The proposal would mean that unless individuals have provided consent to that charity, no direct marketing mailings can be sent. That is a fundamental shift of the goalposts as to what was in the Code before, and indeed, significantly changes what the MPS service (run by the DMA) was set up to do.

“The MPS is specifically set up to stop ‘unsolicited’ mailing (it is not a statutory service like the TPS) and clearly explains to individuals that if they sign up “You can expect to continue to receive mailings from companies with whom you have done business in the past.” This means that as long as organisations can satisfy the legitimate interest ground, a registration on the MPS would not stop that organisation sending direct marketing by post.

“Changing the Code to say that charities can only contact individuals on MPS when they have consent would exclude legitimate interest as a lawful basis and would mean that individuals who have had a pre-existing relationship, been engaging with a charity, and donating for years on the grounds of legitimate interest would have that relationship wiped out.

“It also means that people signing up to the MPS are clearly told one thing, and sign up on that basis, but actually receive a different experience in reality – I don’t believe that this builds clarity and transparency. This proposal needs a re-think and we’ll be looking at it carefully.”

Charities can provide feedback on proposed changes to the code regarding data protection here.