What are the laws?
The Data Protection Act 1998 (DPA) is based on eight principles of good information handling. These give people specific rights in relation to their personal data and place certain obligations on organisations that use it.
Understatement alert: a lot has changed in the way data is collected, processed and stored since 1998. To give it some context, in 1998 less than 10% of UK households had an Internet connection. Google, LinkedIn and Facebook didn’t exist, nor did any of the other great personal data collectors we have today. ‘Big Data’ wasn’t a thing, and the entire internet could easily have fitted onto a modern desktop hard drive.
The Privacy and Electronic Communications Regulations (PECR) provide rules about sending marketing and advertising by electronic means (telephone, fax, email, text and picture or video message, and by automated calling system). PECR also include other rules relating to cookies, telephone directories, traffic data, location data and security breaches.
GDPR: May 25 2018
The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018 and will replace DPA. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
What’s the difference between DPA and GDPR?
- Scope: DPA applies only to individuals in the UK, whereas GDPR covers any organisation that holds or processes the personal data of EU citizens – regardless of whether the organisation is based in the EU or not. This means UK non-profits must comply, Brexit or no Brexit. Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – e.g. an IP address – can count as personal data.
- Accountability: GDPR requires you to show how you comply with the principles – e.g. by documenting the decisions you take about a processing activity.
- DPIA/PIA: you must carry out a Data Protection Impact Assessment (DPIA) when using new technologies and when the processing is likely to result in a high risk to the rights and freedoms of individuals.
- 72 hours to report a data breach: breach notifications become mandatory within 72 hours (if the data breach is likely to result in a risk to an individual’s rights and freedoms).
- Fines: the current maximum fine of £500,000 increases to 20 million euros or 4% of global revenue – whichever is higher.
- Individuals’ rights are strengthened e.g.
  - Data access requests (free under GDPR)
  - The right to be forgotten (erasure)
  - The right to data portability
Consent is one of six lawful bases for processing personal data. In other words, an organisation can process an individual’s personal data if one or more of the following conditions are met:
- Consent of the data subject
- Performance of a contract
- Compliance with a legal obligation
- Protect the vital interests of a data subject
- Necessary for the performance of a task carried out in the public interest
- Legitimate interest (NB – excluding public authorities)
You need to check that consent is the most appropriate lawful basis for processing. (NB – if you rely on someone’s consent to process their data, they will generally have stronger rights.) Note that the Fundraising Regulator has set an expectation that consent should be the legal basis for Charity direct marketing (i.e. fundraising) going forward.
You must decide your legal basis for processing personal data for each activity, and document this.
Consent: DPA vs GDPR
GDPR sets a higher standard for consent:
- Consent must be unambiguous and involve a clear affirmative action. In other words, it requires a positive opt-in.
- Consent must be separate from other terms and conditions.
- Consent must be specific and granular, i.e. new consent is given for each processing activity.
- It must be easy for people to withdraw consent.
- Consent must be evidenced and auditable: you must keep a record of when and how you got consent from the individual and what they were told at the time.
- Dynamic: consent needs to be maintained and refreshed, not viewed as ‘open ended’.
- Asking for consent must mean offering individuals genuine choice and control.
- Benefit: To quote the ICO: “Doing consent well should put individuals in control, build supporter trust and engagement, and enhance your reputation.”
What official guidance is available?
- ICO Direct Marketing Guide (DPA & PECR)
- ICO: Overview of GDPR
- ICO: Preparing for GDPR
- ICO: Privacy Notice Code of Practice
- ICO GDPR Consent Guidance for Consultation
- Fundraising Regulator: Personal Information & Fundraising (Feb 2017)
- NCVO Working Group: how to enable donors to give consent (Sep 2016)
What should you be doing now?
- Engage Trustees: make them aware of the issue, and ensure they understand the impact this will have on your priorities leading up to May 2018. Does your Board own a set of principles about how their fundraising teams will operate?
- Fundraising Policy:
- Update Privacy Notices
- Appoint a Data Protection Officer
- Move now towards opt-in consent
What is Blackbaud doing?
For our part, we’re putting every effort into making sure our customers are comfortable with GDPR and well prepared, well in advance. Some of our activities include:
- Ongoing customer discovery
- Ongoing consultation with governing bodies
- Recommendations on how to use our solutions to manage consent
- ICO consultation on opt-in consent
  - Reviewed draft in March – informing gap analysis in product
  - Awaiting final recommendations to ensure any product changes are compliant
- Audit of our current products (Raiser’s Edge 7, eTapestry, Blackbaud CRM, Blackbaud NetCommunity).
- Preparing our next generation solutions (Raiser’s Edge NXT)
While the information provided above is reliable, it does not constitute legal advice and should not be construed as legal advice or a legal opinion on any specific facts or circumstances.