At a time when charities are facing unique challenges due to coronavirus (COVID-19), the ability to generate funds through engagement with donors, prospects and others has never been more important. However, charities should ensure that they are engaging with individuals in a way that fulfils data protection and privacy requirements.
Often the first point to consider is whether consent is needed before contacting individuals for marketing (including fundraising) purposes.
The rules vary depending on the method of communication (email, telephone etc) and who the recipient is.
Take email as an example. As a general rule, consent is required before sending a marketing email, unless the email is sent to a company email address. However, consent is still needed before marketing to some types of businesses (such as sole traders and some partnerships), so you cannot always assume that consent won't be required if marketing to a business email address.
Many will be familiar with the 'soft opt in', which allows email marketing without consent if certain criteria are met. However, the soft opt in only applies to marketing products and services, and cannot be used to send other types of marketing such as fundraising communications or newsletters. Therefore, a charity might be able to rely on the soft opt in when marketing products and services (eg, sold through a trading company), but not when sending fundraising communications.
This illustrates the complexities around compliance. The rules are different again for telephone marketing, and there are additional considerations when marketing using social media. Consent is generally not required for postal marketing.
The rules pose challenges to developing a coherent approach to marketing and data protection compliance. For example, would it be better to seek consent for sending email marketing but not postal mailshots? Or would it be better to seek consent for everything on the basis that this is easier to administer and might be less confusing to recipients?
The problems are not insurmountable and we suggest you keep the following in mind:
A lot of the advice we are giving in the sector relates to supporting charities that have been the victim of a cyber-attack or other personal data breach. The GDPR requires organisations to put in place both technical measures (eg, network security, the use of encryption) and organisational measures (such as policies and staff training) to guard against attacks.
Charities should consider the following in particular:
Many charities have been affected by the Blackbaud data incident, which was widely reported in the news. There is sometimes a perception that if a charity uses a third party to handle personal data on its behalf (a data processor) then there is little a charity can do with regards to security and data protection compliance. However, this is not the case and the GDPR has very clear rules about what needs to be done when using contractors / processors to handle the personal data that the charity is responsible for.
Charities must in particular:
Failing to take these steps significantly increases the risk that the charity will be liable for the processor's mistakes, both in terms of ICO fines and claims from data subjects. The rules apply to all processors that a charity may use, such as cloud storage providers, IT support, payroll etc.