Amid the tub-thumping about the economy, sovereignty and border control, neither side's EU Referendum campaign – perhaps unsurprisingly – made any hay whatsoever out of the Cinderella issue of data protection. Nevertheless many organisations across the UK had been nervous at the prospect of the EU's General Data Protection Regulation (GDPR), the final text of which was published in April of this year and is due to become part of the law across the United Kingdom in 2018.
Data protection crops up in all sorts of unwanted contexts for charities, but the main hornet's nest stirred by GDPR was going to be how they managed their contact lists, and specifically how it would affect fundraising. Some of the major concerns of the sector in the early stages of the GDPR have not come to fruition, but the GDPR standard is certainly higher in terms of the burden on organisations.
Notably, the bar for what constitutes consent is now set higher, requiring "affirmative" action – not the same as a universal standard of "explicit" consent as feared at one stage, which was expected to mean "opt-in only", but still a requirement for some positive step to be taken. Filling in a membership form might be seen as an affirmative step to consent, rather than mere acquiescence – but vague wording about being contacted in the future is unlikely to be considered sufficiently specific.
This consent requirement also applies to activities such as "profiling" data, which some have read as covering so-called wealth screening. For the time being the prevailing view is that this was not the intention of the GDPR, but until we have the relevant guidance on how the local UK regulator (the Information Commissioner) intends to interpret it we cannot be sure.
Now we face the reality of the UK leaving the EU within the next two to three years, the question is validly raised as to whether the GDPR will impact on UK charities at all. Those intending to trade and share data throughout the EEA will need to meet the European standard, but what about those organisations whose activities are purely domestic?
Assuming the two-year Brexit "leave" process begins before the end of March 2017 (as Theresa May has indicated), the GDPR start date of 25 May 2018 is ahead of the curve. Hence we must assume for the time being that date still applies. But whilst no-one in government seemed prepared for the exit plan at the point the votes were counted, it is to be hoped no future government would be caught so unawares by events in two years' time that they would allow GDPR to come in for a short time and then disappear from the books.
So we must assume that either: (i) GDPR (or a similar standard) will be adopted in the UK anyway, whether to enable businesses to have easier access to European markets or simply because exit negotiations have taken longer than expected; or (ii) a decision will be made to stick with or amend our own Data Protection Act 1998 (which is still valid at the time of writing). Where then does that leave charities, particularly regarding their engagement with supporters and members, and email or telephone campaigns to seek donations?
The truth is that a higher standard of best practice is on its way in anyway. Marketing communications to those you contact by email, text or telephone call are already governed by a separate, more stringent set of rules – the Privacy and Electronic Communications Regulations 2003. These will remain unchanged when the GDPR comes in, at least initially.
A new Fundraising Regulator was launched at the beginning of July, wholly unrelated to GDPR or Brexit, and its plans include the establishing of a Fundraising Preference Service. This will offer people the right to sign up to a central register opting out of all unsolicited fundraising communications (like the existing TPS does for telephone marketing), although there remains some debate with the Information Commissioner about which regulator is best placed to administer and enforce such a scheme.
The fundraising sector has undergone greater scrutiny since widely-reported scandals about targeting the elderly last year, with various high-profile charities pressured by the regulator to bind themselves to best practice standards like:
- Only using "opt in" consents (i.e. unticked boxes that need actively ticking) for certain types of marketing communications (e.g. live telephone calling);
- "Refreshing" consents every 24 months to make sure people are still willing to hear from you (though the ICO has previously pushed for 12 months); and
- Agreeing not to buy in lists of potential targets from third parties.
Many of these will not apply in any event to those who do not indulge in more aggressive forms of fundraising. All the same, data protection law applies to any organisation that handles personal data, and the Information Commissioner has made it clear that charities are no longer to be treated as a special case – if they ever were. For the time being, the larger fines for breaches of data protection or direct marketing have not been directed at charities, but the Information Commissioner has suggested this cannot be ruled out. Even if the GDPR never happens, for the time being the regulation of data privacy rights is likely to continue on an upward path.
If you require further information on anything covered in this briefing please contact Owen O'Rorke (owen.o'[email protected] , 020 3375 7348) or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Charities page on our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, October 2016