GDPR is still an area of confusion and contention for many, not helped by the fact that GDPR is principles-based, requiring each charity to make a subjective interpretation of the rules. We have recently worked with a very well-known international development charity who had spent a significant amount of time developing GDPR guidelines, going on courses, documenting balancing tests and consulting lawyers, yet they were still unsure how to apply their own guidelines in the real world.
Take for example, the situation where you wish to invite potential major donors to a cultivation event. Do you research the individuals in advance to decide to invite? How much research is fair at this stage? If you do this research do you have to tell the individuals in question? How do you do that when you don’t know whether they are even a prospect? What about the event itself – should you rush up to each person with a privacy notice, a short form notice, a ‘just in time’ notice or not at all? Do you wait until someone shows interest to do some (more) research? How much interest do they need to show? Do you tell them then? When? How?!!
This is just one example of multiple situations that occur in the practical day to day work of major donor fundraising, so it is no wonder that even very accomplished fundraisers with significant resources are finding themselves in a muddle. The fear of getting it wrong and trustees walking fundraisers out the door is real, as is the ICO knocking on the door asking to see documented evidence of your legitimate interest assessment for why you googled ‘how much money does Mr Joe Bloggs have?’ Fear can be paralysing.
Each part of this particular charity had also consulted widely, meaning that every corner of the organisation had developed a different view on how the fundraisers should behave, including everyone from the Finance Director to Trustees. Once lawyers became involved there was much talk of securing consent at all costs and adopting an ultra-cautious approach, to the point where they were questioning whether you could even email existing donors about new projects that needed funding.
So, how do you tackle the many grey areas that occur when a law is interpretive, when your guidelines need to be drawn from a spectrum of possibilities, when you can’t decide whether or not you can now ring a potential donor without reading them 12 pages of privacy information? As a first step we would recommend writing down all the questions you can think of that are causing confusion. These may include:
- What is deemed personal information and what is considered sensitive information?
- Does this have an impact on data processing and timing of communications?
- When should we research prospects?
- How much research should we do at each cultivation stage?
- How and when should you communicate research and Privacy Notices to prospects?
- When can we use short form and just in time notices?
- How often do we need to give people the chance to object to data processing?
- Can Legitimate Interest be relied upon for cold prospecting?
- What do we need to document?
The complete answers to these questions are too long to feature in this blog, but we do have some summary recommendations:
- You need to document clearly in your Privacy notices why processing personal data is necessary for your charity – this is not because you want to raise more money, it is to carry out your vital work.
- Stagger your research, so that it mirrors your relationship with your donor – you do not need to keep deeply personal information on donors/prospects when they have given you one donation.
- Communicate privacy information as your relationship develops – if someone is interested you can reach the point of asking for consent – you can start with a short form approach and go from there.
- Don’t rely on research to build long-lasting donor relationships – it is far better that the individual tells you about themselves than you source potentially incorrect data from third parties – we keep asking fundraisers the question “why don’t you ask the individual that?
- Be totally transparent about everything you may do with personal data and give regular, easy ways for individuals to object – this gives you more scope and avoids endless future debates about major donor activity going forwards.
- Set guidelines on how often and for how long you will attempt to contact someone before seeing this as an objection – you can’t rely on legitimate interest forever.
- A personal introduction is not consent – do not assume that you can target that person indefinitely on this basis.
- Your relationship with an individual should determine your approach, as this will guide what the individual would reasonably expect from you to do with their personal information.
- Determine what you consider ‘similar’ content when marketing to existing supporters – communicating a project you are confident they would be interested in is one thing, asking for money for an entirely different service may not be deemed appropriate or welcome.
- Monitor and evaluate – if you have no negative feedback or complaints, you have more evidence that your approach is fair; if you are regularly told that your processing and marketing is intrusive, then you have clearly tipped the scales in your favour, not the individual’s.
In short, a staggered, layered, ‘as needed’ approach is much more time-effective, practical, less intrusive and ultimately more compliant. The basic principles should always apply for any activity which processes personal information; is it necessary, is there a clear evidenced purpose and does the activity outweigh the privacy rights of the individual?
The ICO states that “If the processing will significantly affect the individual, you should put whatever resources are needed into telling them, but you shouldn’t put massive resources into telling people about something that affects them very little.”
The closer the relationship the less likely the individual is to object, so charities should upscale 1) their research (processing of personal data) and 2) their communication of privacy information in line with upscaling their relationships. The three strands run in parallel.
If you have not had enough of this subject by now and would like to get some help on getting this right at your charity please contact us. We are not lawyers, GDPR experts, data gurus or privacy experts, but we do understand the realities of major donor fundraising in the GDPR-era.