Many charities and other not for profit entities are concerned they will not be ready for GDPR in May. With little time left to prepare, a particular concern is the legal basis for holding information, and many organisations are carrying out bulk mailing campaigns asking their contacts to give formal consent.
The ICO have issued their long-awaited guidance on implementing GDPR specifically for charities – their website includes a list of FAQs, a self-help checklist and a helpline for small organisations of any description. The ICO have also issued guidance on the basis for holding information and processing data and in particular confirmed that “Consent” is just one of these. Therefore, organisations will need to decide which bases are most appropriate to their activities.
What is legitimate?
There are other legitimate grounds for holding data, including contractual arrangements (this would cover commercial relationships), legal requirements, or if you need to hold data to look after an individual’s health, for instance (vital interests). There are special additional rules if the information held is of a sensitive and personal nature, such as medical records (known as special category data).
There are, however, rights for the individual to be informed regarding the use of the data, so even if you are relying on legitimate interest rather than consent you still need to contact the individual. They have the right to object to you using the data.
Marketing lists are also a particular concern for not for profit organisations, as the ICO states that “You won’t need consent for postal marketing but you will need consent for some calls, texts and emails under Privacy and Electronic Communications Regulations (PECR)”.
Different requirements apply to emails and texts, telephone calls and other marketing methods. For charities, the separate requirements of the Fundraising Regulator and the Fundraising Preference Service also need to be considered, so they have three different sets of regulations to follow (for electronic communications) or two (for mail).
Organisations therefore need to think carefully about what they use information for and the most appropriate basis for holding and using it. The decision needs to be clearly documented, as does the organisation’s response to the other requirements of GDPR, since accountability is one of the key additional requirements of GDPR. Having a proper policy document and a specific person or persons delegated to deal with it would be an appropriate, and in many cases necessary, response.
This is a brief summary of the ICO guidance; there are many detailed rules and requirements under GDPR which organisations will need to be aware of and with which they need to be able to demonstrate compliance. The ICO website is, however, very clear and informative, with a number of useful resources, and is updated regularly.
The Fundraising Regulator has also updated its guidance for charities, taking into account the ICO’s guidance and GDPR.