THE EU EXIT VOTE, THE GDPR AND WHAT TO DO NOW
Unambiguous consent vs. explicit consent
Under the GDPR, organisations will have to obtain unambiguous consent (generally thought of as opt-out) to contact individuals by direct mail or live phone calls by 2018. The existing channel preferences for individual consent therefore are not changing, but the proposed position for consent is that it must be freely given, specific and informed, with a clear affirmative action or conduct that indicates acceptance. Silence, pre-ticked boxes and inactivity will not constitute consent.
Under the Privacy and Electronic Communications Regulations (PECR), however, and the ICO's recently updated direct marketing guidance in line with them, telephone fundraising is still possible, but if supporters were offered an opt-out at the initial contact stage, you will need to screen any names you wish to contact in this way against the Telephone Preference Service (TPS).
If a supporter has explicitly opted in to receiving calls from you, you do not need to screen them against the TPS: even if they are on it, the fact that they have actively opted in to calls from you overrides the TPS in their case.
Under the ICO guidance, new supporter data must now be collected on an opt-in only basis for calls, meaning that if a new supporter does not actively say yes to a charity's calls, they must not be telephoned.
There is a proposal that consent should have an expiry date, with an increasing push by the ICO to define what is reasonable. Details on this are hazy at present but there is a general feeling that consent, however given, can no longer be assumed to last forever and will need to be revalidated over time.
Increasingly, then, you will not only have to show you have consent, but also be able to demonstrate when it was given, how it was given for each specific channel, the communications and permission statements you have sent to supporters and how they have responded, as well as if and when consent is withdrawn.
A sensible course of action at this point therefore would be to check what permissions information you currently hold on your supporters and whether you are able to record this data if you don't already do so. If not, work towards achieving this as soon as possible by looking at how you can record and access that level of detail on your database in the future.
Privacy and protection
The GDPR has far wider implications than just the permissioning of data and the majority of charities will have considerable work to do in order to comply.
The regulation also includes:
- having clear privacy policies and privacy statements,
- the introduction of mandatory privacy impact assessments,
- a requirement for proof of permissioning,
- the appointment of a Data Protection Officer.
And, under the 'right to be forgotten', organisations must also ensure that withdrawing consent is as easy as giving it, and that they can delete all personal data for anyone who requests this action.
Take a look at your privacy statements and ensure they are easily visible and clear about what you do with the information you collect and why you collect it. They must also clearly explain how to opt out.
You also need to have documented policies to deal with: respecting individual rights, Subject Access Requests, the basis on which you are processing data (such as consent or legitimate interest), and how you would manage any data breaches.
Houses in order
This is a dynamic situation, even more so following the Brexit vote, with regulations still to be clarified and updates on exactly what exiting the EU will mean for the UK still to come. Now, however, is the time to ensure you are meeting all the current regulations and best practice standards that have been clarified regarding the usage of data. It is not too late to tackle each of these areas and work on ensuring compliance.
In short, the simple fact of the matter is that we all use, and rely on, supporter data, so we all need to ensure we use it correctly and treat supporters as we would our friends and family: with clear understanding and respect for their wishes, which is what these changes will help us to do.
At EDM Media, we have the expert knowledge and skills to support you in your data management and compliance reviews. If you require help with any of the changes being brought in, we can support you through the process, so don't hesitate to get in touch with any queries or questions.
Suzanne Lewis, managing director, EDM MEDIA UK