Guest writer, Helen Cookson, Senior Associate at Trowers & Hamlins, discusses how the upcoming General Data Protection Regulation will impact on the nature of consent for charities.
As highlighted in the September Edition of CT Brief, the GDPR means that charities need to review their data protection regime and take action to ensure compliance. The GDPR presents challenges to all sectors, but the new rules on consent will have a particular impact on charities and their fundraising activities.
Following the Information Commissioner's Office's (ICO) investigation into fundraising activities, which concluded in 2017, charities have already had to take action, but that does not mean they will be GDPR compliant. What further steps should charities consider to prepare for GDPR?
In the aftermath of the fundraising investigation, the ICO emphasised to charities that in most cases there are very likely to be only two conditions which they will be able to rely on in processing the personal data of donors and prospective donors for fundraising purposes: "legitimate interests" and "consent".
Transparency and accountability
The GDPR places an even greater emphasis on transparency and accountability. The condition being relied upon to process data must be identified and recorded in advance. It must be explained in privacy notices (also called information notices), and the data subjects' rights which flow from that condition must be explained clearly. Given the potential impact on individuals' freedoms, a privacy impact assessment should be conducted on fundraising activity and a clear audit trail should be available to demonstrate compliance.
Many charities will have concluded that in light of the potential prejudice to the rights and freedoms of individuals, however legitimate their interest in fundraising, consent is the only condition which they can rely upon to justify processing personal data. What does the GDPR require in relation to consent?
Choice and control
As the ICO emphasises in its draft guidance, the GDPR sets a high standard for consent. Under the GDPR, "consent" means offering individuals genuine choice and control. It requires a positive opt-in; the use of pre-ticked boxes or any other method of consent by default is explicitly unlawful.
Consent must be specific and granular. Separate consents must be obtained for distinct processing operations. Consent should not be bundled into any other terms and conditions, for example if you run a membership scheme or are providing a service to an individual. It will be vitally important that charities make sure they can evidence consent in all respects: "who, when, how, and what". Asking for consent on a vague or blanket basis will not be acceptable. Although the consent form should be clear and concise, it must also contain specific information, making clear that individuals have a right to withdraw consent and explaining what they must do to withdraw it.
Withdrawing consent should be simple and available using the same medium used to obtain consent in the first place. So if you seek consent using an online form, you cannot insist that consent can only be withdrawn by phoning a helpline.
Privacy notices
Charities must also remember that the consent form may not be the only document to consider. The GDPR is also making significant changes to what must be included in a privacy notice, for example requiring for the first time that the source of the data be stated. Charities' privacy notices will therefore also require significant review, and this is especially important to consider when redesigning consent forms, as privacy notices and consent forms are often combined.
The ICO has produced guidance on consent which is available on its website. Guidance on consent was also published by the EU's Article 29 Working Party in December 2017.
Note: This article first appeared in CT Brief – Issue 32.