Fundraising practices have been under scrutiny for some time and this is only likely to continue. The sector has the challenge of grappling with a change in the law (the EU General Data Protection Regulation (GDPR) will come into force in May 2018) and various guidance being delivered by three different regulators - the Fundraising Regulator, Information Commissioner’s Office (ICO) and Charity Commission.
Recent developments in a nutshell
The Fundraising & Regulatory Compliance Conference took place in Manchester on 21 February with all three regulators present.
On the same day, the Fundraising Regulator published consent and data guidance along with six case studies. This guidance was published without consultation but there will be a second version and the Fundraising Regulator is open to comments.
At the beginning of February, the Fundraising Regulator also announced a consultation on the Code of Fundraising Practice, which remains open until the end of April. The consultation does not cover data and consent, but the Fundraising Regulator intends to consult on this separately in due course and will make further updates to the code.
The Fundraising Regulator will also be publishing guidance on the Fundraising Preference Service in the summer.
The ICO will be publishing further guidance on data and consent over the next week or so.
In the background to all of this guidance and consultation is of course the GDPR, which will become effective in May 2018. Some of the guidance anticipates its implementation and provides advice on how to ensure compliance.
Themes within the guidance
The three regulators are clearly trying to provide a united public face, showing that they are communicating with each other and delivering a common message to the sector. That message is broadly that practices need to change and the regulators want to help make this change happen. However, as data protection law is principle driven, there is relatively little in the guidance so far that gives charities an easy answer as to where the line is drawn between acceptable and unacceptable conduct.
The Fundraising Regulator’s guidance emphasises that the GDPR will make the law even more robust in this area and champions “opt-in” consent. However, at the same time, it acknowledges the legal reality that “opt-out” consent is currently lawful in certain circumstances and that it will likely remain so following the implementation of the GDPR.
On one level the message is clear: if you get someone’s explicit opt-in consent to send marketing materials to them, this will be within the law. However, this is not necessarily comforting to those charities that have databases of supporters’ information where the basis for holding that information may not be as perfectly clear cut. For those charities, it will very much be a judgement call as to what action is appropriate, taking into account the full context of the situation, in light of data protection principles and applicable guidance.
There is also a judgement call to be made in determining how long consent remains valid for and at what stage it needs to be “refreshed”. Again, this is a fact-specific consideration, but as a rough rule of thumb, the Fundraising Regulator seems to be suggesting 24 months is a reasonable benchmark, in accordance with the NCVO working party on charity’s relationships with donors.
It will be interesting to see if the ICO’s upcoming guidance sheds any further light on its position on the issue of consent.
Another topic which has been the subject of much discussion is wealth screening – the practice of looking up information relating to a supporter or prospect to identify their wealth. It is clear that this is a practice that certain charities have carried out in the past, to try and identify the best prospects for fundraising asks.
The ICO recently fined two charities £25,000 and £18,000 respectively, partly due to the wealth screening practices they had employed in the past.
The message coming from the ICO on this front is relatively uncompromising – the phrase “public information is not fair game” has been repeated several times. The ICO’s view appears to be that if you try and find out information about a person or their financial status, you need to inform them that you are doing so. The rationale behind this is that they would not expect you to carry out this practice when they contact the charity or donate to the charity.
Whilst the ICO is taking a hard line, there is clearly a difference between looking someone up who you have just met on LinkedIn and carrying out a systematic review of a database filled with donor details. Nevertheless, the ICO’s position is that charities will need to err on the side of caution when carrying out any potential “wealth screening” practices.
This is a complex area for charities. The involvement of three regulators, each with their own guidance, presents a challenge for charities in staying compliant whilst also fundraising in an effective way. Charities will also need to adapt to further change with the implementation of the GDPR in 2018.
Sign up to attend our fundraising seminar on 26 April in which Chris Rowse will explore these issues in more detail.