A big cause for concern amongst HEI development departments in recent months has been the changing regulatory position around direct marketing – which includes fundraising, as well as related activities around relationship building and contact profiling (notably wealth screening). This is partly the effect of the forthcoming General Data Protection Regulation (GDPR) and partly a result of recent enforcement action taken under existing legislation by the regulator (the ICO).
Although it is too soon to say that total clarity has been brought to the sector, some issues are becoming more settled. We summarise them as follows:
1. A move to "opt in only" consents for these activities is the one safe way to ensure compliance. However, while some organisations are considering this move, many consider that it will involve an unacceptable loss of subscribers.
2. Equally, it is clear that even under GDPR a "legitimate interests" argument can still be used for many fundraising activities, including direct marketing itself. This does not need consent but involves a balancing of an organisation's interests against those of the individual, noting in particular what their reasonable expectations will be and the active steps taken by the organisation to communicate its intentions clearly and transparently (whether to alumni or other targets).
3. An individual's right at any time to object to and opt out of direct marketing activity (which for these purposes will include development of leads) must also be offered, made simple to exercise, and respected.
4. While legitimate interests may be enough in many cases to justify postal marketing and phone calls, electronic means of communication will continue to be more strictly regulated beyond GDPR. Where consent is a legal requirement (notably for emails, SMS, automated calls and unsolicited calls to numbers on the TPS register) the higher GDPR "opt in" standard will be the expected norm. For most HEIs this will require a comprehensive database review, and then either updating or fully risk assessing existing consents.
5. Wealth screening from information in the public arena has proved a particularly controversial element, whether conducted via third party consultants or privately by old-fashioned research and enquiry. Initial signs following recent ICO decisions suggested that this activity would always require consent, due to what was considered its intrusive and unexpected nature. However, no fine has yet been issued for wealth screening alone; and, in each instance where it has formed part of an enforcement case, the organisations had failed to be transparent about this activity. A consensus view is forming that the activity itself is not unlawful, and that legitimate interests may apply, but there will always be a risk attached to it – both in reputational terms and because there is no clear bright line of compliance. Factors in the balance will be the scale of the activity and the nature of the data used; but in any case organisations must be honest and open with alumni, supporters and targets about what they do.
Finally, one area where the ICO and DCMS (the relevant government department for this area of law) have begun to offer clarity is in the status of public bodies. There had been concern both that under GDPR public bodies would not be able to rely on legitimate interests, and that the term “public body” was itself not defined. The prevailing view is now that (a) the definition is likely to match the list of organisations currently susceptible to Freedom of Information; but (b) where public bodies have “hybrid” functions, i.e. undertaking private activities (such as retail and fundraising) as well as “core” public tasks, they are likely to be able to call on legitimate interests for the former – while the latter activities will be covered by a new ground specifically relating to their public duties.
HEIs are, however, urged to take a tailored view, and if necessary seek legal advice, in establishing what level of risk to reward they are going to be comfortable with. This is a cultural and commercial decision as well as a legal one, although under GDPR a good deal of written and recorded assessment is going to be needed to show that the final decision was taken advisedly and in good faith, with proper consideration of the impact on individuals.
There will be more to be said on this subject once the ICO publishes its final GDPR guidance on consent (due this summer) and legitimate interests (hopefully, shortly afterwards).
If you require further information on anything covered in this briefing please contact Owen O'Rorke (email@example.com; 020 3375 7348) or your usual contact at the firm on 020 3375 7000.
Further information can also be found on the Higher Education page on our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, June 2017