The Charities’ Property Association: The impact of the GDPR (PowerPoint presentation)

SLIDE 1: The Charities’ Property Association – The impact of the GDPR (including its effect on your direct marketing and fundraising activities)

Mark Harvey, Consultant
Jonathan McDonald, Senior Associate
Charles Russell Speechlys LLP (charlesrussellspeechlys.com)

SLIDE 2: Introduction

SLIDE 3: What we’ll cover

  • The data protection regulatory landscape
  • Main changes under the GDPR
  • Changes relating to direct marketing and fundraising
  • GDPR compliance strategy

SLIDE 4: What will the regulatory landscape look like?

  • GDPR – 25 May 2018
  • E-Privacy Regulation (repealing the E-Privacy Directive) – planned date for implementation still 25 May 2018
  • Data Protection Bill (Queen’s speech) – the GDPR renamed?

SLIDE 5: What regulatory guidance has been published?

  • Article 29 WP:
    • Guidelines on data portability
    • Guidelines on data protection officers
    • Guidelines on identifying a controller or processor’s lead supervisory authority
    • Draft guidelines on Data Protection Impact Assessments
  • ICO:
    • Preparing for the GDPR: 12 steps to take now
    • Overview of the GDPR
    • Privacy notices code of practice (short section on GDPR)
    • Draft consent guidance for public consultation

SLIDE 6: The main changes under the GDPR

  • Extra-territorial applicability (and the one-stop shop)
  • Breach notification
  • Data Protection Officers
  • Sanctions for non-compliance
  • Accountability
  • Appointing a data processor
  • Impact on direct marketing and fundraising

SLIDE 7: Accountability

“Arguably the biggest change is around accountability. The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation” – Elizabeth Denham, Jan 2017

  • A specific obligation on data controllers (although it also impacts data processors)
  • Practical implications:
    • Data protection by design and default
    • Record keeping
    • Data Protection Impact Assessments

SLIDE 8: Appointing a data processor…

Issues to consider:

  • Due diligence of processors
  • Specific processing terms set out in the GDPR need to be incorporated in any written agreements between data controllers and data processors
  • Negotiating processor agreements when the stakes are raised

Practical implications:

  • Review of template standard terms
  • Review of pre-2018 contracts
  • Dealing with third party ‘GDPR-ready’ patches

SLIDE 9: Impact on direct marketing and fundraising

  • No GDPR definition of direct marketing
  • DPA definition still workable (and very broad): “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”.
  • Covers the promotion of aims and ideals as well as the sale of products and services, i.e. it includes not-for-profit organisations (e.g. charities).
  • Fundraising – specific requirements in the new Charities (Protection and Social Investment) Act 2016.

SLIDE 10: Fundraising and the bigger picture

Fundraising methods are currently under intensified scrutiny in the media and from the general public, with pressure to raise standards in fundraising. The new Charities (Protection and Social Investment) Act 2016 sets specific requirements, including a number of new provisions relating specifically to:

  • Information to be provided about fundraising agreements as part of some charities’ annual reports
  • Reserve powers to introduce statutory regulation

SLIDE 11: Fundraising (contd.)

The new Act requires that fundraising agreements now include the following clauses:

  • Details of any voluntary fundraising scheme or standard that the commercial organisation undertakes to be bound by
  • Details of how the commercial organisation will protect vulnerable people and others from unreasonable intrusion on a person’s privacy, unreasonably persistent fundraising and undue pressure to donate
  • Details of arrangements enabling the charity to monitor compliance with the requirements in the agreement

SLIDE 12: Grounds for direct marketing

Article 6 [of the GDPR] Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; […]

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

SLIDE 13: Legitimate interest

  • “…what changes with GDPR is a shift in focus. The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead pushes you to build a culture of privacy that pervades your entire organisation.” – Elizabeth Denham’s speech at the DMA Annual Conference, 24 February 2017
  • Conduct the balancing test (and document it)
  • Article 29 Working Party ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’

SLIDE 14: Consent

SLIDE 15: Consent, the Fundraising Regulator and the Charity Code

The Fundraising Regulator acquired the “code of conduct” (the Code of Fundraising Practice) from the Institute of Fundraising, and has consulted on changes to it. The consultation dealt with “current and pressing issues and concerns” in the following areas:

  a) Charity trustees’ duties to oversee the fundraising activities of their charity
  b) The fundraising ask
  c) Solicitation statements
  d) Raising concerns about fundraising practice (whistleblowing)
  e) People in vulnerable circumstances
  f) The delivery of charity collection bags
  g) How charities oversee their contracts with third party fundraisers

This has an impact on the use of personal data and on how the charity relates to the individuals that data concerns.

SLIDE 16: Fundraising Preference Service

The Fundraising Preference Service will enable individuals to select charities they no longer wish to receive communications from. The intention is for this to come into operation in spring or early summer 2017.

The Fundraising Regulator has issued a guidance document entitled “Personal Information and Fundraising: Consent, Purpose and Transparency”. It recommends only communicating with individuals who have “opted in”; communications should include a mechanism to withdraw consent easily at any time, and data should be obtained “fairly and lawfully”.

SLIDE 17: Electronic marketing

  • “Any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.”
  • New draft e-Privacy Regulation (also May 2018?)
  • GDPR consent is your only ground (Art 16(1))
  • The ‘soft opt-in’ remains “in the context of the sale of a product or a service” (Art 16(2))

SLIDES 18–21: Making sense of it all…

The four slides build up one layered picture: each layer adds its own rules on top of the layer before it.

Communication
  • Wider GDPR processing rules will apply if personal data is processed
  • Awareness of recipients’ circumstances

Direct marketing communication
  • Communication rules +
  • Consent or legitimate interest
  • Always include an opt-out
  • The fundraising ask

Electronic direct marketing communication (tel call, SMS, auto-tel call, email)
  • Direct marketing rules +
  • Consent only (no legitimate interests)
  • Rules for SMS, auto-tel calls and tel calls
  • Particularly, the Fundraising Preference Service

Soft opt-in
  • Electronic direct marketing rules for email +
  • Where a commercial communication –
  • Soft opt-in allowed for previous customers (commercial arm?)

SLIDE 22: Next steps for fundraising and direct marketing

  • Commercial decision – no one size fits all
  • Legitimate interests looks like:
    • clear explanation (don’t mention consent).
    • clear right to opt-out – use of a pre-ticked box okay.
    • link to privacy policy.
    • link to balancing test?
  • Consent (ICO draft consent guidance) looks like:
    • Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand.
    • Include the name of your organisation and any third parties, why you want the data, what you will do with it, and the right to withdraw consent at any time.
    • You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or default settings.
    • Wherever possible, give granular options to consent separately to different purposes and different types of processing.
    • Keep records to evidence consent – who consented, when, how, and what they were told.
    • Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
    • Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.

SLIDE 23: GDPR compliance strategy

  • Phase 1 – organisational/structural
    • Staff and internal resources
    • Structures required (steering committee with appropriate reporting lines in and out?)
    • External resources (consultants/technology solutions)
  • Phase 2 – data audit and gap analysis
    • Understand what data is collected, how and where it is used, with whom it is shared and what existing compliance framework is in place
    • Identify the strategic issues posed by GDPR compliance
  • Phase 3 – phased compliance

SLIDE 24: Conclusion and questions

Mark Harvey, Consultant – Mark.Harvey@crsblaw.com – +44 (0)20 7203 5045
Jonathan McDonald, Senior Associate – jonathan.mcdonald@crsblaw.com – +44 (0)20 7427 6725

SLIDE 25

Charles Russell Speechlys LLP is a limited liability partnership registered in England and Wales, registered number OC311850, and is authorised and regulated by the Solicitors Regulation Authority. Charles Russell Speechlys LLP is also licensed by the Qatar Financial Centre Authority in respect of its branch office in Doha. Any reference to a partner in relation to Charles Russell Speechlys LLP is to a member of Charles Russell Speechlys LLP or an employee with equivalent standing and qualifications. A list of members and of non-members who are described as partners, is available for inspection at the registered office, 5 Fleet Place, London. EC4M 7RD. For information as to how we process personal data please see our privacy policy on our website www.charlesrussellspeechlys.com