Key Data Protection Issues For Charities to Consider Post-Lockdown

on Friday, 11 September 2020.

We look at some of the data protection points charities should be considering as they return after the summer.

Marketing and Fundraising 

At a time when charities are facing unique challenges due to coronavirus (COVID-19), the ability to generate funds through engagement with donors, prospects and others has never been more important. However, charities should ensure that they are engaging with individuals in a way that fulfils data protection and privacy requirements.

Often the first point to consider is whether consent is needed before contacting individuals for marketing (including fundraising) purposes.

The rules vary depending on the method of communication (email, telephone etc) and who the recipient is.

Take email as an example. As a general rule, consent is required before sending a marketing email, unless the email is sent to a company email address. However, consent is still needed before marketing to some types of businesses (such as sole traders and some partnerships), so you cannot always assume that consent won't be required if marketing to a business email address.

Many will be familiar with the 'soft opt in', which allows email marketing without consent if certain criteria are met. However, the soft opt in only applies to marketing products and services, and cannot be used to send other types of marketing such as fundraising communications or newsletters. Therefore, a charity might be able to rely on the soft opt in when marketing products and services (eg, sold through a trading company), but not when sending fundraising communications.

This illustrates the complexities around compliance. The rules are different again for telephone marketing, and there are additional considerations when marketing using social media. Consent is generally not required for postal marketing.

The rules pose challenges to developing a coherent approach to marketing and data protection compliance. For example, would it be better to seek consent for sending email marketing but not postal mailshots? Or would it be better to seek consent for everything on the basis that this is easier to administer and might be less confusing to recipients?

The problems are not insurmountable and we suggest you keep the following in mind:

  • Use every opportunity to capture consent, even if opportunities are more limited during the pandemic. It is worth remembering that consent does not have to be in writing (although you still need to evidence the consent). So getting oral consent from prospects at an event can still be valid. There are certain requirements for consent to be valid under the GDPR, for example, an individual must be told about their right to withdraw consent. We therefore suggest you have an agreed form of words for use when capturing oral consent.
  • Sending an email asking for consent by itself counts as a marketing email requiring consent (as Honda and Flybe discovered when they were fined for this practice a couple of years ago). However, it would usually be fine to include a consent form as part of a postal communication.
  • More and more charities are choosing to interact with supporters in an online environment, for example, through web platforms and apps. These also represent a great way of capturing compliant consent, as consent is not always needed depending on how the consent request is made through the app or website.
  • Even if consent is not needed, you still need to comply with other GDPR requirements. For example, you will need to have identified an alternative lawful basis to consent - this would usually be legitimate interests. Furthermore, individuals must still expect to hear from you. In order to help set this expectation, you should make sure that your privacy notice details how you will use personal data for marketing purposes.

Data Security

A lot of the advice we are giving in the sector relates to supporting charities that have been the victim of a cyber-attack or other personal data breach. The GDPR requires organisations to put in place both technical measures (eg, network security, the use of encryption) and organisational measures (such as policies and staff training) to guard against attacks.

Charities should consider the following in particular:

  • Make sure that your IT systems are robust. Consider bringing in outside experts to audit and stress test your IT system. We often find that data breaches could have been avoided, or the consequences could have been less severe if basic controls and measures were put in place. For example, we have advised on a number of ransomware attacks where data could not be restored from backups because the backups had also been encrypted.
  • Make sure that staff have been given training and guidance on the risks, for example, not opening suspicious attachments or clicking on suspicious links.
  • Guidance should be supplemented by robust written policies and procedures. We suggest you make sure that documentation has been updated to reflect new arrangements around home working. You should also remind staff of key points as appropriate, for example, in staff newsletters.

Using Contractors

Many charities have been affected by the Blackbaud data incident, which was widely reported in the news. There is sometimes a perception that if a charity uses a third party to handle personal data on its behalf (a data processor) then there is little a charity can do with regards to security and data protection compliance. However, this is not the case and the GDPR has very clear rules about what needs to be done when using contractors / processors to handle the personal data that the charity is responsible for.

Charities must in particular:

  • Ensure that there is a written contract in place with the processor that contains the provisions mandated by the GDPR. 
  • Only use contractors who provide 'sufficient guarantees' for data protection compliance. In practice this involves carrying out a degree of due diligence on the contractor, for example, checking whether the contractor is certified to a recognised information security standard and that the data is encrypted.
  • Take additional steps if the data is going to be transferred outside of the UK or the EEA.

Failing to take these steps significantly increases the risk that the charity will be liable for the processor's mistakes, both in terms of ICO fines and claims from data subjects. The rules apply to all processors that a charity may use, such as cloud storage providers, IT support, payroll etc.

For further support with your charity's data protection compliance, please contact Andrew Gallie in our Information Law team on 07467 220 831, your usual contact in the Charities team, or complete the form below.
