How will GDPR affect prospect research?

One of the biggest GDPR questions for fundraisers relates to researching major donors and what constitutes an invasion of privacy. Andrew Cross at Lightful explains how GDPR will affect current practices.

Guest Writer | 22nd Nov 17
Charities GDPR


What is prospect research?

Prospect research is a technique used by organisations to learn more about an individual. For non-profits, it centres on the personal backgrounds of potential or existing donors, combined with areas of interest such as their charity giving history, wealth indicators (registered companies, company shares, etc.) and philanthropic involvement.

The individual might then be scored based on their capacity and propensity to give as well as their affinity towards the cause.

A lot of information is publicly available, so how is it breaching data protection?

Some information that is gathered from the public domain could still be considered personal data. Let’s look at gathering it from two aspects:


Existing supporters

Gathering data on existing supporters should be addressed by having a Fair Processing Notice (FPN) along the lines of the following:

“We may use the data you provide to us to better understand your interests, so we can try to analyse and predict what other products, services and information you might be most interested in. We may also combine this with information held in the public domain. This enables us to tailor our communications to make them relevant and interesting for you. If you don’t want us to do this, you may opt out here.” (You would need to do this as either a check box or a form.) You should also stipulate this in your privacy policy.


Potential or new donors

Let’s say you have found a potential donor from the Sunday Times 100 Rich List and you then gather additional information around their charitable giving to assess their affinity to give to your cause.

Under current laws, you would need to possess consent to contact them by text, phone or email (Privacy and Electronic Communications Regulations, PECR, 2003). Therefore, the only way to make contact is to write to them.

On this first point of contact you should explain how you have obtained their details and ask if you can contact them again in the future. This is essentially getting consent to contact them for X, Y or Z purposes and capturing additional information such as their telephone number or email address using Fair Processing Notices or Opt-In Boxes. You must also include a URL to your Privacy Policy that they can read if they choose to. Once you have that you can then use the Fair Processing Notice.

You will also need to explain that you have their details on your system and will either:

  • Delete them (upon not gaining consent). This will need to tie in with your Data Retention Policies.
  • Suppress them (upon not gaining consent, if they don’t want to hear from you again).
  • Enact their communication wishes based on the reply to the initial contact.

It would be more commonplace here to rely on legitimate interests to process the data as it could be seen as a ‘Reasonable Expectation’ that some of the public information is being processed by entities that would be interested in the individual; again, on that first point of contact you will need to explain what those legitimate interests are.

While there is no guide to what would constitute ‘Reasonable’ expectations from the individual aside from case law precedent, you must tread carefully when approaching them, especially for the first time. You must also treat their data as you would that of any other supporter on your system. Any evidence you can obtain could be used to argue why you are processing their data under legitimate interests.

Under no circumstances should you process any ‘Special Categories’ of data as this would pose additional complications and consent would be needed. These would include any of the following:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health
  • Data concerning a natural person’s sex life or sexual orientation

After the first point of contact, and once consent has been gained from the individual, you have ascertained that they wish to hear from your charity, and you can then communicate with them by the methods that they have consented to.


How do we re-contact donors to obtain opt-in consent?

If you are planning to wealth screen or tag additional metrics to additional supporters, you will need to contact these supporters and let them know how their data is now going to be processed, thereby giving them the choice to opt out of this exercise.

This information should be sent to them (providing you have permission to contact them) with a link to your updated privacy policy, and you must then ensure that suitable time has elapsed before the exercise is carried out. This is usually a period of between six and eight weeks.


What about processing B2B Data?

Some B2B data could be considered personal data as opposed to business data. This applies to organisations that are partnerships or sole traders. The new rules around either consent or legitimate interests would need to be followed.

Individual email addresses at other organisations could also be considered personal data, as you could identify an individual from an address that is (first name) dot (surname), for example. However, you can process these individuals in the same way as you would generic business data, as long as you provide an opt-out at the point of initial contact and at any subsequent contact.

Essentially, the GDPR only changes the ways in which you would process the Sole Trader/Partnership data and go on to contact them, though it is still too soon to see how the new E-Privacy Directive (the replacement for PECR) will affect the above.


Further Guidance

Prospect research is still very much a grey area, affecting not only charities but also other institutions such as higher education and research organisations, so there is not an abundance of guidance out there for this particular area of concern.

GDPR comes into force on 25 May 2018. If you’ve not started yet on the road to compliance, it’s not too late. Previous posts in our GDPR series can be found here:

What is GDPR and how will it affect my charity? (Guest post)
GDPR: What does it mean for your charity?
GDPR: An explanation of data retention and why it is important for charities
GDPR & Data Governance – who is responsible for your data?

The above article offers general advice, based on our understanding of facts and guidance issued to date by various bodies. It in no way, shape or form constitutes legal advice.
